Skip to content

fix(ci): update ci-templates SHA (permissions fix)#66

Merged
Jesssullivan merged 1 commit intomainfrom
fix/ci-templates-permissions-sha
Apr 18, 2026
Merged

fix(ci): update ci-templates SHA (permissions fix)#66
Jesssullivan merged 1 commit intomainfrom
fix/ci-templates-permissions-sha

Conversation

@Jesssullivan
Copy link
Copy Markdown
Owner

@Jesssullivan Jesssullivan commented Apr 18, 2026

Summary

Root cause

Reusable workflows cannot expand GITHUB_TOKEN permissions beyond what the caller grants. The repo's default is read, but publish jobs requested id-token: write and packages: write. GitHub rejected the entire workflow at planning time.

Test plan

  • CI creates jobs (no startup_failure)
  • Unit tests pass on self-hosted runner

@Jesssullivan Jesssullivan reopened this Apr 18, 2026
@greptile-apps
Copy link
Copy Markdown

greptile-apps Bot commented Apr 18, 2026

Greptile Summary

This PR updates the reusable workflow SHA in .github/workflows/ci.yml from @7dddffb to @f2e12c10580f17d54ac48434e2577fbcfe502a05, picking up a fix from ci-templates PR #11 that removed per-job permissions blocks. GitHub rejects reusable workflow calls at planning time when the callee declares permissions exceeding the caller's GITHUB_TOKEN grant, so removing those blocks from the template resolves the startup_failure.

Confidence Score: 5/5

Safe to merge — single-line SHA update that fixes a known CI startup_failure with no logic changes.

The change is minimal (one SHA updated), the root cause is well-understood and documented, and no new logic or permissions are introduced on the caller side. All remaining observations (dry_run: true) are pre-existing and out of scope for this PR.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/ci.yml SHA bumped from @7dddffb to @f2e12c10580f17d54ac48434e2577fbcfe502a05; no structural changes to the caller workflow; dry_run: true remains set (pre-existing)

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Caller as ci.yml (caller)
    participant Template as js-bazel-package.yml @f2e12c1

    GH->>Caller: push / pull_request / workflow_dispatch
    Caller->>Template: uses: tinyland-inc/ci-templates/...@f2e12c1
    Note over Caller,Template: secrets: inherit, no per-job permissions block (fix)
    Template->>Template: lint / typecheck / unit tests
    Template->>Template: integration tests
    Template->>Template: build / package (dry_run: true)
    Template-->>Caller: job results
    Caller-->>GH: CI complete
Loading

Reviews (1): Last reviewed commit: "fix(ci): update ci-templates SHA to f2e1..." | Re-trigger Greptile

@Jesssullivan Jesssullivan merged commit bf1bb5e into main Apr 18, 2026
10 of 13 checks passed
@Jesssullivan Jesssullivan deleted the fix/ci-templates-permissions-sha branch April 18, 2026 12:22
Jesssullivan added a commit that referenced this pull request Apr 18, 2026
@Jesssullivan
fix(ci): update publish workflow ci-templates SHA to fix startup_failure
574832b 
The publish.yml still pinned to @0e13cc4 which has per-job permissions
blocks that cause startup_failure on GitHub Actions. CI workflow was
already updated in #66 but publish was missed.

Aligns with ci-templates PRs #10 + #11 (runs-on fix + permissions fix).

Tracked: TIN-104, TIN-164.
@Jesssullivan Jesssullivan mentioned this pull request Apr 18, 2026
Merged
Jesssullivan added a commit that referenced this pull request Apr 18, 2026
@Jesssullivan
fix(ci): update publish workflow ci-templates SHA to fix startup_fail…
27b992b 
…ure (#67)

The publish.yml still pinned to @0e13cc4 which has per-job permissions
blocks that cause startup_failure on GitHub Actions. CI workflow was
already updated in #66 but publish was missed.

Aligns with ci-templates PRs #10 + #11 (runs-on fix + permissions fix).

Tracked: TIN-104, TIN-164.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Jesssullivan