Closed github-actions[bot] closed 1 month ago
The nightly setup job failed on Sunday (2024-05-12) in run 9055971103
The nightly setup job failed on Monday (2024-05-13) in run 9055971103
Job log:
Run git push --force origin HEAD:nightly-build
git push --force origin HEAD:nightly-build
shell: /usr/bin/bash -e {0}
env:
TZ: America/New_York
MAMBA_ROOT_PREFIX: /home/runner/micromamba
MAMBA_EXE: /home/runner/micromamba-bin/micromamba
CONDARC: /home/runner/work/_temp/setup-micromamba/.condarc
To https://github.com/TileDB-Inc/tiledbsoma-feedstock
! [remote rejected] HEAD -> nightly-build (refusing to allow a GitHub App to create or update workflow `.github/workflows/automerge.yml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/TileDB-Inc/tiledbsoma-feedstock'
Error: Process completed with exit code 1.
I don't know what happened, nor "why now", but things I am 👀 so far:
Very strange considering we didn't change anything. Investigating
I don't see any relevant recent change in either actions/checkout or GitHub itself
Did someone change the default permissions of the default GitHub Actions token? Could you please go to the page https://github.com/TileDB-Inc/tiledbsoma-feedstock/settings/actions and scroll to the bottom section "Workflow permissions"? Is the default token set to read&write or read-only?
I figured it out. conda smithy rerender updates the conda-forge infrastructure file .github/workflows/automerge.yml. This is what GitHub is objecting to. Granting write access to edit a workflow file is justifiably a bigger security concern than simple write access to other repository files. Working on a fix
I should have kept scrolling down my GitHub notifications. This break was caused by the release of conda-smithy 3.35.1 on Saturday
https://github.com/conda-forge/conda-smithy/releases/tag/v3.35.1
Did someone change the default permissions of the default GitHub Actions token?
This was silly of me. We manually request that the default token has write access, so the default permissions in the repo Settings have no effect on the nightly setup workflow.
Could you please go to the page https://github.com/TileDB-Inc/tiledbsoma-feedstock/settings/actions and scroll to the bottom section "Workflow permissions"? Is the default token set to read&write or read-only?
@johnkerl While not related to this workflow failure, probably worth double-checking while we're thinking of it. We want the default token permission to be read-only (the option "Read repository contents and packages permissions"), so that we can then selectively escalate the permission only for specific jobs like we do in the nightly setup workflow. I have lots of permissions in this repo, but not sufficient to access https://github.com/TileDB-Inc/tiledbsoma-feedstock/settings/actions to check the current default.
Also I manually triggered the nightly setup job to confirm it is working again
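The least-privilege pattern described in this thread (read-only default, write escalated only for the job that pushes), as an added example that is not the feedstock's own workflow; the workflow name, job name and cron schedule are placeholders, and the pre-push check assumes the rerender runs in the same job as the push:

```yaml
# Added example, not the feedstock's workflow. Names are placeholders.
name: nightly-setup

on:
  schedule:
    - cron: "0 6 * * *"   # placeholder schedule
  workflow_dispatch:

# Weak setting (do not use): every job gets write access to everything the
# token can reach, whatever the repository's default is.
# permissions: write-all

# Corrected: the workflow-wide default is read-only, matching the repository
# setting "Read repository contents and packages permissions".
permissions:
  contents: read

jobs:
  rerender-and-push:
    runs-on: ubuntu-latest
    # Escalate only here, and only what pushing a branch needs.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Rerender
        run: conda smithy rerender
      - name: Stop before pushing if the rerender touched a workflow file
        # The rejection in this issue says a GitHub App token needs `workflows`
        # permission to create or update .github/workflows/*; `workflows` is not
        # a key the permissions block above can grant to GITHUB_TOKEN, so fail
        # here with a clear message rather than at `git push`. Diffing against
        # github.sha covers both committed and uncommitted rerender output.
        run: |
          if git diff --name-only "${{ github.sha }}" -- .github/workflows | grep -q .; then
            echo "rerender modified workflow files; GITHUB_TOKEN cannot push these" >&2
            exit 1
          fi
      - name: Push
        run: git push --force origin HEAD:nightly-build
```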
The nightly setup job failed on Saturday (2024-05-11) in run 9047950112