documentation.yml: set permissions (contents: write) in the reusable (fix docs-deploy at the source)#102
Merged
ChrisRackauckas merged 1 commit intoJun 21, 2026
Conversation
…so consumers don't each need it The reusable docs workflow deploys to gh-pages via GITHUB_TOKEN (when no DOCUMENTER_KEY), which requires `contents: write`. It declared no permissions, so every consumer's caller job had to grant write itself — and the CI centralization migration dropped those per-repo blocks, 403'ing the gh-pages push across many repos. Setting the permissions here fixes all consumers at the source (no per-repo permissions blocks needed) once v1 is retagged. Co-Authored-By: Chris Rackauckas <accounts@chrisrackauckas.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 21, 2026
ChrisRackauckas-Claude
pushed a commit
to ChrisRackauckas-Claude/ColPrac
that referenced
this pull request
Jun 21, 2026
The centralized documentation.yml reusable now sets permissions: contents:write (SciML/.github#102), so this repo's caller no longer needs its own permissions block. Merge ONLY after #102 is merged and v1 is retagged (otherwise the gh-pages deploy 403s again in the gap). Co-Authored-By: Chris Rackauckas <accounts@chrisrackauckas.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ChrisRackauckas-Claude
pushed a commit
to ChrisRackauckas-Claude/Evolutionary.jl
that referenced
this pull request
Jun 21, 2026
The centralized documentation.yml reusable now sets permissions: contents:write (SciML/.github#102), so this repo's caller no longer needs its own permissions block. Merge ONLY after SciML#102 is merged and v1 is retagged (otherwise the gh-pages deploy 403s again in the gap). Co-Authored-By: Chris Rackauckas <accounts@chrisrackauckas.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ChrisRackauckas
added a commit
to SciML/ColPrac
that referenced
this pull request
Jun 21, 2026
…) (#53) The centralized documentation.yml reusable now sets permissions: contents:write (SciML/.github#102), so this repo's caller no longer needs its own permissions block. Merge ONLY after #102 is merged and v1 is retagged (otherwise the gh-pages deploy 403s again in the gap). Co-authored-by: ChrisRackauckas-Claude <accounts@chrisrackauckas.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ChrisRackauckas
added a commit
to SciML/Evolutionary.jl
that referenced
this pull request
Jun 21, 2026
…) (#149) The centralized documentation.yml reusable now sets permissions: contents:write (SciML/.github#102), so this repo's caller no longer needs its own permissions block. Merge ONLY after #102 is merged and v1 is retagged (otherwise the gh-pages deploy 403s again in the gap). Co-authored-by: ChrisRackauckas-Claude <accounts@chrisrackauckas.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ChrisRackauckas-Claude
pushed a commit
to ChrisRackauckas-Claude/OrdinaryDiffEqOperatorSplitting.jl
that referenced
this pull request
Jun 21, 2026
…by .github#102) The per-repo Documentation.yml permissions block this PR added is superseded by SciML/.github#102 (which sets it in the reusable). Drop it here and keep only the real remaining fix: the `disptach`->`dispatch` typo in src/integrator.jl that the Spell Check still flags on master. Co-Authored-By: Chris Rackauckas <accounts@chrisrackauckas.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ChrisRackauckas
added a commit
to SciML/OrdinaryDiffEqOperatorSplitting.jl
that referenced
this pull request
Jun 21, 2026
…90) * Restore contents:write permission for docs deploy The Documentation workflow builds successfully but fails at the deploydocs gh-pages push with a 403: remote: Permission to SciML/OrdinaryDiffEqOperatorSplitting.jl.git denied to github-actions[bot]. fatal: ... error: 403 The repo has no DOCUMENTER_KEY secret, so Documenter falls back to pushing via GITHUB_TOKEN. The CI migration to the centralized reusable workflow (afd4a41) dropped the `contents: write` permission that the previous CI.yml docs job declared, leaving GITHUB_TOKEN read-only and unable to push to gh-pages. Declaring the permissions on the reusable-workflow caller job passes them through to the GITHUB_TOKEN used inside the called workflow, restoring the pre-migration token-based deploy mechanism. Co-Authored-By: Chris Rackauckas <accounts@chrisrackauckas.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Fix typo in integrator.jl comment ("disptach" -> "dispatch") The Spell Check (typos) workflow fails on the PR with: error: `disptach` should be `dispatch` --> ./src/integrator.jl:935:8 Correct the comment so the spellcheck check passes. Verified locally with `typos .` (v1.47.0): exits 0 after the fix. Co-Authored-By: Chris Rackauckas <accounts@chrisrackauckas.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Reduce to the spellcheck fix only (permissions now handled centrally by .github#102) The per-repo Documentation.yml permissions block this PR added is superseded by SciML/.github#102 (which sets it in the reusable). Drop it here and keep only the real remaining fix: the `disptach`->`dispatch` typo in src/integrator.jl that the Spell Check still flags on master. Co-Authored-By: Chris Rackauckas <accounts@chrisrackauckas.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: ChrisRackauckas-Claude <accounts@chrisrackauckas.com> Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Per @ChrisRackauckas: fix the docs-deploy gh-pages 403 centrally instead of per-repo.
The reusable
documentation.ymldeploys viaGITHUB_TOKEN(when noDOCUMENTER_KEY), which needscontents: write. It declared nopermissions:, so each consumer's caller job had to grant write — and the CI-centralization migration dropped those per-repo blocks, 403'ing gh-pages across many repos (CatalystNetworkAnalysis, ColPrac, Evolutionary, PDEBase, SparseColumnPivotedQR, OrdinaryDiffEqOperatorSplitting, …).This adds a workflow-level
permissions: {contents: write, actions: write, statuses: write}to the reusable, so all consumers get it without per-repo blocks. Mirrors the grant that the per-caller fix (OrdinaryDiffEqOperatorSplitting #90, verified → Documentation green) used — just moved to the source.Needs a
v1retag to take effect. Once retagged, the ~6 per-repopermissions-block PRs I opened can be closed as superseded.Please ignore until reviewed by @ChrisRackauckas.