chore: update workflow permissions #9869

Merged
merged 2 commits into from
Jul 7, 2025

edmundhung
Member

Fixes n/a.


  • Tests
    • Tests included
    • Tests not necessary because:
  • Public documentation
    • Cloudflare docs PR(s):
    • Documentation not necessary because:
  • Wrangler V3 Backport
    • Wrangler PR:
    • Not necessary because:

@edmundhung edmundhung requested a review from a team as a code owner July 7, 2025 10:17
@edmundhung edmundhung added skip-pr-description-validation Skip validation of the required PR description format no-changeset-required labels Jul 7, 2025
changeset-bot bot commented Jul 7, 2025

⚠️ No Changeset found

Latest commit: 6fec0f7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

pkg-pr-new bot commented Jul 7, 2025

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@9869

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@9869

miniflare

npm i https://pkg.pr.new/miniflare@9869

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@9869

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@9869

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@9869

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@9869

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@9869

wrangler

npm i https://pkg.pr.new/wrangler@9869

commit: 6fec0f7

@@ -9,8 +9,8 @@ on:
- ".changeset/**.md"

permissions:
contents: read
# note: no write permissions are needed since the workflow uses GH_ACCESS_TOKEN instead of GITHUB_TOKEN
contents: write # Required to push the v3 backport branch up
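
Review bot: `contents: write` lands in what appears to be the workflow-level `permissions:` block (line 9, directly after the `on:` path filter), so every job in this workflow receives a GITHUB_TOKEN that can push to the repository. If only the backport job pushes the v3 branch, grant `contents: write` in that job's own `permissions:` and keep `contents: read` at the top level. The removed comment said writes went through GH_ACCESS_TOKEN, so the new comment should also name the step that now pushes with GITHUB_TOKEN.
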
Member Author

This should fix fatal: unable to access 'https://github.com/cloudflare/workers-sdk/': The requested URL returned error: 403

contents: read
# note: no write permissions are needed since the workflow uses GH_ACCESS_TOKEN instead of GITHUB_TOKEN
contents: write # Required to push the v3 backport branch up
pull-requests: write # Required for opening the backport PR and commenting on the original PR
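
Review bot: the comment on `pull-requests: write` lists two uses (opening the backport PR and commenting on the original PR) without saying which of them actually authenticates with GITHUB_TOKEN. If the PR is opened with a separate token, only the commenting step needs this grant; record that in the comment so the scope can be narrowed or removed later without guesswork.
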
Member Author

This should fix Error: Resource not accessible by integration

@@ -45,7 +45,7 @@ jobs:
FILES: ${{ steps.files.outputs.all }}
PR_NUMBER: ${{ github.event.number }}
PR_TITLE: ${{ toJson(github.event.pull_request.title) }}
GH_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
GH_TOKEN: ${{ github.token }}
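
Review bot: setting `GH_TOKEN: ${{ github.token }}` means anything this step creates is authored by GITHUB_TOKEN, and events raised with GITHUB_TOKEN do not start new workflow runs (apart from `workflow_dispatch` and `repository_dispatch`). If the PR opened by this step is expected to run CI, keep `secrets.GH_ACCESS_TOKEN` here; otherwise add a comment stating that no downstream workflow depends on it. The default token is also read-only for `pull_request` runs from forks, so confirm the trigger this job uses before relying on it for writes.
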
Member Author

I think we were using this GH_TOKEN only for creating the PR but I don't see why we can't use the default github token

contents: read
# note: no write permissions are needed since the workflow uses GH_ACCESS_TOKEN instead of GITHUB_TOKEN
contents: read # no write permissions are needed since the workflow uses GH_ACCESS_TOKEN instead of GITHUB_TOKEN
pull-requests: write # Required for creating the draft PR on behalf of the user
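
Review bot: the comment kept on `contents: read` still says the workflow uses GH_ACCESS_TOKEN instead of GITHUB_TOKEN, while the new `pull-requests: write` line grants GITHUB_TOKEN a write scope for creating the draft PR. One of the two statements is out of date: either the PR call uses GH_ACCESS_TOKEN and this grant is unnecessary, or it uses GITHUB_TOKEN and the first comment should say that only content writes go through GH_ACCESS_TOKEN.
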

@github-project-automation github-project-automation bot moved this from Untriaged to Approved in workers-sdk Jul 7, 2025
@edmundhung edmundhung enabled auto-merge July 7, 2025 10:27
Contributor

@petebacondarwin petebacondarwin left a comment

The reason for using a different token is that you cannot trigger workflows from other workflows - they just don't run. I think this is to prevent infinite recursion taking down the system?

So if you want to cause another workflow to run based off a change this one is making, it needs to use a different token to the one provided by GH.

Is that relevant here?

@edmundhung edmundhung disabled auto-merge July 7, 2025 10:36
Member Author

edmundhung commented Jul 7, 2025

> Is that relevant here?

I am not sure. But I can't think of another workflow based off this. Let's give this a try :)

It looks like we can create a PR using the default GitHub token with the pull_request_target event but not with pull_request event. So I reverted it to use a different token.

@edmundhung edmundhung added this pull request to the merge queue Jul 7, 2025
@edmundhung edmundhung removed this pull request from the merge queue due to a manual request Jul 7, 2025
@edmundhung edmundhung added this pull request to the merge queue Jul 7, 2025
Merged via the queue into main with commit 060ff2a Jul 7, 2025
29 checks passed
@edmundhung edmundhung deleted the edmundhung/fix-workflow-permissions branch July 7, 2025 11:07
@github-project-automation github-project-automation bot moved this from Approved to Done in workers-sdk Jul 7, 2025
emily-shen pushed a commit that referenced this pull request Jul 7, 2025
* chore: update workflow permissions

* revert to using a different GH_TOKEN