up.yml will fail under restrictive permissions defaults because it needs write access
DESCRIPTION:
The up.yml workflow uses peter-evans/create-pull-request@v8 which requires contents: write (to push commits) and pull-requests: write (to create PRs). The workflow has no permissions block and depends entirely on the repository's default token permissions. Under GitHub's recommended restrictive defaults (read-only), this workflow will hard-fail when it attempts to push or create a PR.
REPRODUCTION:
.github/workflows/up.yml (full file, 30 lines):
jobs:
up:
timeout-minutes: 15
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v7
- run: |
git fetch --tags --force
latest=$(git tag --sort=creatordate | tail -1)
sed -E -i "s/pages-action@.+$/pages-action@${latest}/g" README.md
- uses: peter-evans/create-pull-request@v8
with:
sign-commits: true
branch: version-up
commit-message: 'new version in README'
delete-branch: true
title: 'New version in README'
assignees: yegor256
base: master
No permissions block exists. Without contents: write and pull-requests: write, this workflow will fail.
IMPACT:
High — correctness. The workflow will break under recommended repository security settings.
RELATED FILES:
.github/workflows/up.yml (entire file)
up.yml will fail under restrictive permissions defaults because it needs write access
DESCRIPTION:
The
up.ymlworkflow usespeter-evans/create-pull-request@v8which requirescontents: write(to push commits) andpull-requests: write(to create PRs). The workflow has nopermissionsblock and depends entirely on the repository's default token permissions. Under GitHub's recommended restrictive defaults (read-only), this workflow will hard-fail when it attempts to push or create a PR.REPRODUCTION:
.github/workflows/up.yml(full file, 30 lines):No
permissionsblock exists. Withoutcontents: writeandpull-requests: write, this workflow will fail.IMPACT:
High — correctness. The workflow will break under recommended repository security settings.
RELATED FILES:
.github/workflows/up.yml(entire file)