TileDB-Inc / tiledbsoma-feedstock

A conda-smithy repository for tiledbsoma.
BSD 3-Clause "New" or "Revised" License

The nightly setup job failed on Saturday (2024-05-11) #147

Closed github-actions[bot] closed 1 month ago

github-actions[bot] commented 1 month ago

The nightly setup job failed on Saturday (2024-05-11) in run 9047950112

github-actions[bot] commented 1 month ago

The nightly setup job failed on Sunday (2024-05-12) in run 9055971103

github-actions[bot] commented 1 month ago

The nightly setup job failed on Monday (2024-05-13) in run 9055971103

johnkerl commented 1 month ago

Job log:

Run git push --force origin HEAD:nightly-build
  git push --force origin HEAD:nightly-build
  shell: /usr/bin/bash -e {0}
  env:
    TZ: America/New_York
    MAMBA_ROOT_PREFIX: /home/runner/micromamba
    MAMBA_EXE: /home/runner/micromamba-bin/micromamba
    CONDARC: /home/runner/work/_temp/setup-micromamba/.condarc
To https://github.com/TileDB-Inc/tiledbsoma-feedstock
 ! [remote rejected] HEAD -> nightly-build (refusing to allow a GitHub App to create or update workflow `.github/workflows/automerge.yml` without `workflows` permission)
error: failed to push some refs to 'https://github.com/TileDB-Inc/tiledbsoma-feedstock'
Error: Process completed with exit code 1.

👀

johnkerl commented 1 month ago

I don't know what happened nor "why now" but things I am 👀 so far:

🤔

jdblischak commented 1 month ago

Very strange considering we didn't change anything. Investigating

jdblischak commented 1 month ago

I don't see any relevant recent change in either actions/checkout or GitHub itself

jdblischak commented 1 month ago

Did someone change the default permissions of the default GitHub Actions token? Could you please go to the page https://github.com/TileDB-Inc/tiledbsoma-feedstock/settings/actions and scroll to the bottom section "Workflow permissions"? Is the default token set to read&write or read-only?

jdblischak commented 1 month ago

I figured it out. conda smithy rerender updates the conda-forge infrastructure file .github/workflows/automerge.yml. This is what GitHub is objecting to. Granting write access to edit a workflow file is justifiably a bigger security concern than simple write access to other repository files. Working on a fix

jdblischak commented 1 month ago

I should have kept scrolling down my GitHub notifications. This break was caused by the release of conda-smithy 3.35.1 on Saturday

https://github.com/conda-forge/conda-smithy/releases/tag/v3.35.1

jdblischak commented 1 month ago

Did someone change the default permissions of the default GitHub Actions token?

This was silly of me. We manually request that the default token have write access, so the default permissions in the repo Settings have no effect on the nightly setup workflow.

https://github.com/TileDB-Inc/tiledbsoma-feedstock/blob/6a34ab8d9a0fd370252a7ccf0981bbad23784c7b/.github/workflows/nightly.yml#L19-L20

Could you please go to the page https://github.com/TileDB-Inc/tiledbsoma-feedstock/settings/actions and scroll to the bottom section "Workflow permissions"? Is the default token set to read&write or read-only?

@johnkerl While not related to this workflow failure, probably worth double-checking while we're thinking of it. We want the default token permission to be read-only (the option "Read repository contents and packages permissions"), so that we can then selectively escalate the permission only for specific jobs like we do in the nightly setup workflow. I have lots of permissions in this repo, but not sufficient to access https://github.com/TileDB-Inc/tiledbsoma-feedstock/settings/actions to check the current default.
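The least-privilege layout described in the comment above, as an added illustration and not the feedstock's own nightly.yml: a read-only token by default at the workflow level, escalation to `contents: write` only on the job that pushes, and a hypothetical pre-flight step that fails with a clear message when the rerender changed files under .github/workflows/, because GITHUB_TOKEN cannot be granted the `workflows` scope and GitHub rejects such a push at the remote (the error quoted in the job log). The job name, branch name and cron schedule are assumptions.

```yaml
name: nightly-setup (illustrative, not the feedstock's workflow)

# Workflow-level default: every job gets a read-only token unless it
# explicitly asks for more. This is the "read-only" repo setting, made
# explicit in the file so it does not depend on the Settings page.
permissions:
  contents: read

on:
  workflow_dispatch:
  schedule:
    - cron: "0 6 * * *"   # constructed schedule

jobs:
  rerender-and-push:
    runs-on: ubuntu-latest
    # Escalate only here, and only to what the force-push needs.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # needed so origin/nightly-build is available below

      # ... `conda smithy rerender` and its commit happen here (omitted) ...

      - name: Refuse to push workflow-file changes with GITHUB_TOKEN
        run: |
          # GITHUB_TOKEN has no `workflows` scope, so a push whose diff against
          # the remote branch touches .github/workflows/ is rejected by GitHub.
          # Detect that case up front and explain it, instead of failing at push.
          if git rev-parse --verify -q origin/nightly-build >/dev/null; then
            if ! git diff --quiet origin/nightly-build HEAD -- .github/workflows/; then
              echo "::error::rerender changed .github/workflows/; GITHUB_TOKEN cannot push workflow files"
              git --no-pager diff --stat origin/nightly-build HEAD -- .github/workflows/
              exit 1
            fi
          fi

      - name: Push nightly branch
        run: git push --force origin HEAD:nightly-build
```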

jdblischak commented 1 month ago

Also I manually triggered the nightly setup job to confirm it is working again