ci(coverage): use write-all on legacy-g2-genai caller (match callee)

Mirror of the callee switch from explicit-scope list to write-all.
Reusable-workflow permissions intersect caller and callee, so the
callee's write-all is a no-op unless the caller also declares
write-all. See the callee commit on GH-Actions for the full
rationale.
feature/ci-codecov-tap-legacy-g2
Rene Cannao 1 month ago
parent 7122523db1
commit 4823a40766
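The caller/callee intersection rule the commit message relies on, shown as an added illustration rather than the project's own workflows: the caller below keeps the explicit five-scope block that this commit replaces, the callee asks for `write-all`, and the comments state what the token actually ends up with. File names, the `example-org/example-repo` reference, the cache path and key are hypothetical.

```yaml
# Added illustration, not sysown/proxysql's workflow. File names are hypothetical.
# caller: .github/workflows/coverage.yml
name: coverage
on:
  workflow_run:
    workflows: ["build"]
    types: [completed]
  workflow_dispatch:

jobs:
  run:
    # Job-level permissions on the caller are the ceiling for the callee:
    # a called workflow can only narrow what it receives, never widen it.
    # Declaring this block also makes the list exhaustive: every default
    # scope not listed is revoked for the callee.
    permissions:
      contents: read    # checkout
      id-token: write   # OIDC upload to Codecov (no static token secret)
      checks: write     # POST /check-runs
      packages: read    # docker pull from ghcr.io
      actions: write    # actions/cache/restore (read is the documented minimum)
    uses: example-org/example-repo/.github/workflows/callee.yml@main
    secrets: inherit

---
# callee: .github/workflows/callee.yml (reusable workflow)
on:
  workflow_call:

jobs:
  test:
    runs-on: ubuntu-latest
    # write-all here does not raise the token above the caller's ceiling.
    # The effective grant is the intersection, i.e. exactly the five scopes
    # the caller listed; pull-requests, deployments and every other scope the
    # caller left out stay "none" even though the callee asks for write-all.
    # Only if the caller itself declares write-all does the callee get it.
    permissions: write-all
    steps:
      - uses: actions/checkout@v4
      - uses: actions/cache/restore@v4
        with:
          path: ~/.cache/build          # hypothetical cache path
          key: build-${{ runner.os }}-${{ github.sha }}
```

The practical consequence for review is that the place to widen or narrow the token is the caller: the callee's `permissions:` can only ever subtract from what the caller passes in.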

@ -14,32 +14,16 @@ concurrency:
jobs:
run:
if: ${{ github.event.workflow_run && github.event.workflow_run.conclusion == 'success' || ! github.event.workflow_run }}
# Permissions: declaring this block switches GITHUB_TOKEN from "all
# default scopes" to "exactly what is listed here", and the reusable
# workflow only gets the intersection of caller + callee. Each entry
# is load-bearing:
#
# - contents: read checkout
# - id-token: write codecov-action@v4 OIDC upload (no static
# CODECOV_TOKEN secret; OIDC is the only path)
# - checks: write LouisBrunner/checks-action /check-runs POST.
# - packages: read docker pull from ghcr.io for the CI base image.
# - actions: write actions/cache/restore@v4 cache reads. `read`
# is the documented minimum but the restore
# still fails ("Failed to restore cache entry"
# even though the cache exists); `write` is
# what the default token grants on cascade
# runs, mirror it here.
#
# All five were dropped one-by-one in successive failed runs because
# declaring `permissions:` makes the list exhaustive (every default
# scope not listed is revoked).
permissions:
contents: read
id-token: write
checks: write
packages: read
actions: write
# `write-all` grants every default scope plus id-token:write for
# Codecov OIDC upload. After a five-step ratchet of adding scopes
# one at a time (contents, checks, packages, actions, id-token)
# the cache restore step *still* failed even with actions:write
# explicitly listed. Falling back to write-all matches what the
# cascading workflow_run runs implicitly have, what the rest of
# the TAP group workflows use, and works. Reusable-workflow
# permissions intersect caller + callee, so this caller has to
# declare write-all for the callee's write-all to propagate.
permissions: write-all
uses: sysown/proxysql/.github/workflows/ci-legacy-g2-genai.yml@GH-Actions
secrets: inherit
with:
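Review bot: `permissions: write-all` (replacing the explicit five-scope block) hands the called workflow a GITHUB_TOKEN with write access to every scope, including contents, packages and pull-requests, to work around a cache restore failure that the dropped comment itself says persisted with `actions: write` set, and for which `actions: read` is the documented minimum. If actions:write did not fix "Failed to restore cache entry", the failure is unlikely to be token-scope gated and write-all is papering over the real cause; the cache key and the ref the cache was saved on are the next things to check before widening the token. Combined with `secrets: inherit` on a job that runs off `workflow_run`, this gives every step in the callee, third-party actions included, write access across the repository. Suggest keeping the explicit block (`contents: read`, `id-token: write`, `checks: write`, `packages: read`, `actions: write`) and diagnosing the restore separately; if write-all has to stay as a stopgap, say so in the comment and leave the explicit list beside it so it can be restored without re-deriving it.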
