From bbdbf9a82a23010524a7717ecee194ccb78eec5b Mon Sep 17 00:00:00 2001 From: ChrisRackauckas-Claude Date: Sat, 20 Jun 2026 13:26:36 -0400 Subject: [PATCH] Restore contents:write permission for docs deploy (fix gh-pages 403) The CI-centralization migration replaced the docs job with a thin caller of SciML/.github/.github/workflows/documentation.yml@v1 but dropped the permissions: block. The reusable workflow declares no permissions, so the caller job's (now default, read-only contents) permissions flow through to the GITHUB_TOKEN used by Documenter's deploydocs. With no DOCUMENTER_KEY secret, deploydocs falls back to a token-based gh-pages push, which the read-only token cannot perform -> 403 / push denied. Declaring permissions { actions: write, contents: write, statuses: write } on the reusable-workflow caller job passes them through to the token, restoring the token-based deploy mechanism. Mirrors the proven fix in SciML/OrdinaryDiffEqOperatorSplitting.jl#90. Co-Authored-By: Chris Rackauckas Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/Documentation.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/Documentation.yml b/.github/workflows/Documentation.yml index 030c5a4..868ff8f 100644 --- a/.github/workflows/Documentation.yml +++ b/.github/workflows/Documentation.yml @@ -14,5 +14,9 @@ concurrency: jobs: build-and-deploy-docs: name: "Documentation" + permissions: + actions: write + contents: write + statuses: write uses: "SciML/.github/.github/workflows/documentation.yml@v1" secrets: "inherit"
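Review bot: The added `permissions:` block on `build-and-deploy-docs` grants `actions: write` and `statuses: write` in addition to `contents: write`, but the commit message only justifies `contents: write` (the token-based gh-pages push by deploydocs). Either drop the two extra scopes or add a short comment above the block stating what in the called workflow needs them, so the GITHUB_TOKEN passed through carries no more than the deploy requires. The unchanged context lines also matter here: the job now hands a write-scoped token together with `secrets: "inherit"` to `SciML/.github/.github/workflows/documentation.yml@v1`, and `@v1` is a mutable ref, so consider pinning the `uses:` reference to a full commit SHA. The hunk does not show the `on:` triggers, so confirm that these write scopes are not granted on runs that build untrusted pull request code.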