Skip to content

up.yml workflow fails due to lack of permissions block leading to insufficient token permissions #681

Description

@sdghsdkjlas27-dotcom

up.yml will fail under restrictive permissions defaults because it needs write access

DESCRIPTION:
The up.yml workflow uses peter-evans/create-pull-request@v8 which requires contents: write (to push commits) and pull-requests: write (to create PRs). The workflow has no permissions block and depends entirely on the repository's default token permissions. Under GitHub's recommended restrictive defaults (read-only), this workflow will hard-fail when it attempts to push or create a PR.

REPRODUCTION:
.github/workflows/up.yml (full file, 30 lines):

jobs:
  up:
    timeout-minutes: 15
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v7
      - run: |
          git fetch --tags --force
          latest=$(git tag --sort=creatordate | tail -1)
          sed -E -i "s/pages-action@.+$/pages-action@${latest}/g" README.md
      - uses: peter-evans/create-pull-request@v8
        with:
          sign-commits: true
          branch: version-up
          commit-message: 'new version in README'
          delete-branch: true
          title: 'New version in README'
          assignees: yegor256
          base: master

No permissions block exists. Without contents: write and pull-requests: write, this workflow will fail.

IMPACT:
High — correctness. The workflow will break under recommended repository security settings.

RELATED FILES:

  • .github/workflows/up.yml (entire file)

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions