fix(ci): add missing pull-requests: read permission for reusable CI#59

Closed
yvonnedevlinrh wants to merge 1 commit into
complytime:mainfrom
yvonnedevlinrh:fix/ci-add-pull-requests-read-permission
Conversation

@yvonnedevlinrh

Contributor

Summary

Adds pull-requests: read to the call_reusable_ci job permissions in ci.yml, fixing the startup_failure that is currently breaking all CI runs.

Problem

Since PR #52 bumped reusable_ci.yml to 37b9e82, every CI run fails before execution with:

Error calling workflow 'complytime/org-infra/.github/workflows/reusable_ci.yml@...'.
The nested job 'megalinter' is requesting 'pull-requests: read',
but is only allowed 'pull-requests: none'.

Failed run: https://github.com/complytime/complypack/actions/runs/27630148521

This affects all branches: main, dependabot PRs, and the attempted fix in PR #57.

Root Cause

Upstream commit ec0ad9d in org-infra added a gh pr view call to the megalinter job for live PR title validation. This requires pull-requests: read at the job level inside the reusable workflow:

# org-infra/reusable_ci.yml
megalinter:
  permissions:
    contents: read
    issues: read
    pull-requests: read  # <-- added by ec0ad9d

GitHub Actions enforces that a reusable workflow cannot escalate permissions beyond what the caller grants (https://docs.github.com/en/actions/sharing-automations/reusing-workflows#supported-keywords-for-jobs-that-call-a-reusable-workflow). Since complypack's caller job only listed contents: read and issues: read, the unlisted pull-requests defaulted to none, blocking the nested job.

Fix

One-line addition:

  call_reusable_ci:
    name: Standardized CI
    uses: complytime/org-infra/.github/workflows/reusable_ci.yml@37b9e82... # main
    permissions:
      contents: read
      issues: read
+     pull-requests: read
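Review bot: the added `pull-requests: read` line carries no hint of why it is there, unlike the upstream snippet above which annotates its line with `# <-- added by ec0ad9d`; since the root-cause section explains that any scope missing from this caller block silently becomes `none` and fails the whole run at startup, a short trailing comment on the new line (for example `pull-requests: read  # megalinter: gh pr view title check`) would stop a later permissions cleanup from dropping it, and it is worth re-diffing this block against the nested jobs' `permissions:` each time the `reusable_ci.yml` SHA pin is bumped, which is exactly how PR #52 introduced the failure.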

Precedent

This was already fixed in complytime-collector-components via PR #318 (https://github.com/complytime/complytime-collector-components/pull/318).

Relationship to PR #57

PR #57 attempted to fix this by reverting the reusable_ci.yml SHA pin from 37b9e82 back to e30c5cd. This did not work because e30c5cd also contains the breaking change (commit ec0ad9d is an ancestor of both). PR #57 can be closed once this is merged.

Closes

Closes #58

The megalinter job in the reusable_ci.yml workflow requires
pull-requests: read to validate PR titles via gh pr view.
Without this permission, the caller defaults to pull-requests: none
and CI fails with startup_failure.

Closes complytime#58

Assisted-by: OpenCode (claude-opus-4-6)
Signed-off-by: Yvonne Devlin <ydevlin@redhat.com>
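The rule the PR relies on (a caller's `permissions:` block caps what every job in the reusable workflow may request, and any scope the caller leaves out becomes `none`) can be checked before a pin bump rather than discovered as a startup_failure. The script below is an added example, not code from the PR, complypack or org-infra; it uses a deliberately minimal parser for the block-mapping YAML subset shown in the PR instead of PyYAML so it runs offline, the two workflow texts are constructed to mirror the before/after state described above, the `PINNED_SHA` in the `uses:` line is a placeholder, and a caller with no `permissions:` block at all is treated as granting nothing (on GitHub it would fall back to the repository's default token permissions, so that simplification is conservative).

```python
import re

# GitHub token permission levels, ranked so that "write" satisfies a "read" request.
RANK = {"none": 0, "read": 1, "write": 2}


def parse_block_mapping(text):
    """Parse a small YAML subset: nested block mappings of scalar values with
    '#' comments and no sequences. That covers the permissions blocks in the
    PR; a production check would use PyYAML, left out here to stay dependency-free."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # close nesting levels at or below this indent
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            child = {}
            parent[key] = child
            stack.append((indent, child))
    return root


def missing_scopes(caller_job, reusable_jobs):
    """Return {nested_job: [(scope, requested, granted), ...]} for every scope a
    nested job requests at a level the caller does not grant. A scope absent from
    the caller's permissions block counts as 'none', which is what the
    startup_failure in the PR reports ('is only allowed pull-requests: none')."""
    granted = caller_job.get("permissions", {})  # assumption: missing block == nothing granted
    problems = {}
    for job_name, job in reusable_jobs.items():
        for scope, level in job.get("permissions", {}).items():
            have = granted.get(scope, "none")
            if RANK[have] < RANK[level]:
                problems.setdefault(job_name, []).append((scope, level, have))
    return problems


# Constructed caller workflow, shaped like the complypack ci.yml job in the PR.
CALLER_BEFORE = """\
jobs:
  call_reusable_ci:
    name: Standardized CI
    uses: complytime/org-infra/.github/workflows/reusable_ci.yml@PINNED_SHA  # placeholder pin
    permissions:
      contents: read
      issues: read
"""
# The PR's one-line fix, appended to the same permissions block.
CALLER_AFTER = CALLER_BEFORE + "      pull-requests: read\n"

# Constructed reusable workflow, shaped like the megalinter job quoted in the PR.
REUSABLE = """\
jobs:
  megalinter:
    permissions:
      contents: read
      issues: read
      pull-requests: read  # needed for the gh pr view title check
"""


def check(caller_text, reusable_text, job="call_reusable_ci"):
    """Parse both workflows and report scopes the named caller job fails to grant."""
    caller = parse_block_mapping(caller_text)["jobs"][job]
    reusable = parse_block_mapping(reusable_text)["jobs"]
    return missing_scopes(caller, reusable)


if __name__ == "__main__":
    for label, text in (("before", CALLER_BEFORE), ("after", CALLER_AFTER)):
        # before -> {'megalinter': [('pull-requests', 'read', 'none')]}; after -> ok
        print(label, check(text, REUSABLE) or "ok")
```

Run it as a pre-merge step whenever the `uses:` pin changes, feeding it the caller file and the reusable workflow at the new SHA; a non-empty result is the same mismatch GitHub would otherwise reject at startup, found before the run is scheduled.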
@yvonnedevlinrh yvonnedevlinrh requested a review from a team as a code owner June 19, 2026 13:05
@yvonnedevlinrh yvonnedevlinrh requested review from gxmiranda and jpower432 and removed request for a team June 19, 2026 13:05
