@ -14,32 +14,16 @@ concurrency:
jobs:
run:
if : ${{ github.event.workflow_run && github.event.workflow_run.conclusion == 'success' || ! github.event.workflow_run }}
# Permissions: declaring this block switches GITHUB_TOKEN from "all
# default scopes" to "exactly what is listed here", and the reusable
# workflow only gets the intersection of caller + callee. Each entry
# is load-bearing:
#
# - contents: read checkout
# - id-token: write codecov-action@v4 OIDC upload (no static
# CODECOV_TOKEN secret; OIDC is the only path)
# - checks: write LouisBrunner/checks-action /check-runs POST.
# - packages: read docker pull from ghcr.io for the CI base image.
# - actions: write actions/cache/restore@v4 cache reads. `read`
# is the documented minimum but the restore
# still fails ("Failed to restore cache entry"
# even though the cache exists); `write` is
# what the default token grants on cascade
# runs, mirror it here.
#
# All five were dropped one-by-one in successive failed runs because
# declaring `permissions:` makes the list exhaustive (every default
# scope not listed is revoked).
permissions:
contents : read
id-token : write
checks : write
packages : read
actions : write
# `write-all` grants every default scope plus id-token:write for
# Codecov OIDC upload. After a five-step ratchet of adding scopes
# one at a time (contents, checks, packages, actions, id-token)
# the cache restore step *still* failed even with actions:write
# explicitly listed. Falling back to write-all matches what the
# cascading workflow_run runs implicitly have, what the rest of
# the TAP group workflows use, and works. Reusable-workflow
# permissions intersect caller + callee, so this caller has to
# declare write-all for the callee's write-all to propagate.
permissions : write-all
uses : sysown/proxysql/.github/workflows/ci-legacy-g2-genai.yml@GH-Actions
secrets : inherit
with:
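Review bot: `permissions : write-all` on the `run` job hands the reusable workflow a GITHUB_TOKEN with every write scope (contents, packages, pull-requests, issues, deployments, and more) alongside `secrets : inherit`, so every step and third-party action in the callee now runs with that authority, whereas the five-scope list being removed was the least-privilege shape. The stated reason is a cache restore that still failed with `actions: write` listed, but `actions/cache/restore` misses are also produced by cache branch isolation (a cache saved on another non-default branch is not visible to this run), so the token scope may never have been the cause; confirming the failing run's branch and cache key before keeping write-all is worth the effort. If write-all has to stay for now, record it as a workaround so it gets re-narrowed, e.g. `# TODO(security): write-all is a workaround for the cache-restore failure; re-narrow to the explicit scope list once the root cause is confirmed.` The `if :` condition also runs this job on workflow_run cascades, so the broad token is granted there too; the job's `with:` inputs continue outside the hunk.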