Grant packages read permission to JAX release workflow#63
Grant packages read permission to JAX release workflow#63erman-gurses wants to merge 12 commits into
Conversation
marbre
left a comment
There was a problem hiding this comment.
This is correct on the surface and will resolve the issue but might not be the correct fix. Taking a quick look at https://github.com/ROCm/TheRock/blob/main/.github/workflows/multi_arch_build_linux_jax_wheels.yml, I couldn't spot why packages: read should be needed. Please take a closer look at the underlying permissions and if we can drop package: read from the called workflow instead.
Thanks — I took a closer look. I tried removing all but GitHub workflow validation fails when So packages: read is not needed by the build job itself, but it is still required in the workflow call chain because the nested test workflow requests it. I kept it where it is needed for the test workflow. |
One clarification: When I added But I need to keep this one since I got error below when I removed both of them: https://github.com/ROCm/TheRock/blob/main/.github/workflows/multi_arch_release_linux_jax_wheels.yml#L89 |
|
The ask was not to only drop it from the build job only as this moves the problem but doesn't resolves it. So your agent did a bad job here:
We actually only So I am under the impression we can drop every |
That is my simple reasoning from the tests, not agent :) I can test that too but do not we have |
That is nice, it does not complain: https://github.com/ROCm/rockrel/actions/runs/27820440429/job/82331986576 I was interpreting Will raise a PR on TheRock side. I will close this after the tests are done. |
The above was missframed. We only have/use the permissions in the listed jobs.
Where do you have an emdash on your keyboard? :D
We do not use it in any of the non-JAX jobs but we use manylinux for every build. And those job don't have
Sounds good! Feel free to request a review from me. |
|
Thank Marius! That helped a lot - You do not believe me :) but It was my idea, I was discussing with my agent - it was opposing to me actually. It just reframed my thoughts. Thanks again. |
Oh, I was only saying an agent was involved ;) Happed the feedback helped. |
Summary
Grant
packages: readpermission to the RockRel multi-arch JAX release workflow.The reusable workflow invoked from
ROCm/TheRockrequestspackages: read, but the caller workflow did not grant that permission. GitHub Actions rejects the workflow invocation with:Error: https://github.com/ROCm/rockrel/actions/runs/27806016125
Changes
Add
packages: readto the top-level workflow permissions in:.github/workflows/multi_arch_release_linux_jax_wheels.yml