
fix: require actions: read for all setups, not just fork #11

Merged
derekmisler merged 2 commits into main from fix-actions-read-permission on Jun 23, 2026

Conversation

@derekmisler

Collaborator

The reusable workflow declares actions: read at the workflow level and uses it unconditionally (cross-run artifact downloads for memory/feedback processing). It is not limited to fork/2-workflow setups — every caller needs it.

Changes

  • review-pr/README.md: add actions: read to the 1-workflow (same-repo) permissions block with comment # Required by reusable workflow for artifact operations
  • SKILL.md section 4a: same addition to the 1-workflow YAML example
  • SKILL.md section 5 upgrade checklist: add actions: read to the universal required-permissions list; remove the fork-only actions: read bullet
  • SKILL.md section 6 troubleshooting: broaden the "Fork setup: artifact download fails with 403" entry to cover all setups
  • SKILL.md section 7 audit checklist: update the actions: read annotation from "required for fork setups only" to "required for all setups"

The reusable workflow declares actions: read at the workflow level and
uses it unconditionally (cross-run artifact downloads for memory
persistence and feedback processing). It is not limited to fork/
2-workflow setups.

Changes:
- review-pr/README.md: add actions: read to the 1-workflow permissions
  block with clarifying comment
- SKILL.md section 4a: same addition to the 1-workflow YAML example
- SKILL.md section 5 upgrade checklist: add actions: read to the
  universal required-permissions list; remove the fork-only bullet
- SKILL.md section 6 troubleshooting: broaden '403' heading and cause
  description to cover all setups
- SKILL.md section 7 audit checklist: update actions: read annotation
  from 'required for fork setups only' to 'required for all setups'
@derekmisler derekmisler self-assigned this Jun 23, 2026
@derekmisler derekmisler marked this pull request as ready for review June 23, 2026 21:08
@derekmisler derekmisler requested a review from docker-agent June 23, 2026 21:08
@derekmisler derekmisler enabled auto-merge (squash) June 23, 2026 21:08
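The PR description and commit message above explain why every caller needs actions: read: a reusable workflow can only narrow the GITHUB_TOKEN permissions it receives from its caller, never widen them, so a declaration inside the called workflow has no effect unless the caller grants it too. The following is an added example, not a file from this repository or the skill it documents; the reusable workflow path (OWNER/REPO/.github/workflows/review-pr.yml), the job name, the trigger events, and the contents/pull-requests scopes are assumptions chosen to make the caller complete.

```yaml
# Constructed example (not from the repository in this PR): a same-repo
# ("1-workflow") caller that invokes a reusable PR-review workflow.
# OWNER/REPO, the workflow file name, and the non-actions scopes are placeholders.
name: PR review (caller)

on:
  pull_request:
    types: [opened, synchronize, reopened]

# BEFORE (fails): the caller grants no actions scope, so the reusable
# workflow's own `actions: read` declaration is capped at `none` and its
# cross-run artifact download returns 403.
#
# permissions:
#   contents: read
#   pull-requests: write

# AFTER: the caller grants exactly the scopes the reusable workflow declares.
# The called workflow can only downgrade what it is handed, so the caller's
# block is the effective ceiling; nothing beyond these three is needed here.
permissions:
  contents: read
  pull-requests: write
  actions: read        # Required by reusable workflow for artifact operations

jobs:
  review:
    uses: OWNER/REPO/.github/workflows/review-pr.yml@main  # placeholder path
```

When auditing a caller, compare its permissions block against the workflow-level permissions declared in the reusable workflow it invokes: any scope declared there but absent from the caller is silently dropped at run time, and an artifact download under that dropped scope surfaces only as a 403 in the job log.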

@docker-agent docker-agent left a comment

Contributor


Assessment: 🟢 APPROVE

The changes correctly broaden actions: read from a fork-only requirement to a universal one across both review-pr/README.md and SKILL.md. The same-repo permissions examples, upgrade checklist, troubleshooting section, and audit checklist are all updated consistently. No bugs or functional issues were introduced.

Minor observations (no action required):

  • review-pr/README.md line 115 and SKILL.md line 208 each retain the old fork-specific comment # Download artifacts from trigger workflow on the actions: read line in their respective fork (pr-review.yml) YAML examples. The newly added same-repo lines both use the updated phrasing # Required by reusable workflow for artifact operations. These unchanged lines are out of this PR's scope but a future pass could align them for consistency.

  • The removed fork-specific upgrade checklist bullet ("Fork repos: actions: read permission in pr-review.yml") previously explained the 403 symptom in context. That detail is still reachable via the troubleshooting section, so nothing is lost — but readers who only scan the checklist won't see the 403 callout anymore. Again, out of scope for this fix but worth noting.

Address minor observations from docker-agent review:
- Align the actions: read comment in the fork pr-review.yml YAML
  examples in both files to match the same-repo wording, noting it
  also covers trigger artifact downloads
- Add a 403 note back to the upgrade checklist permissions bullet
  so checklist-only readers still see the concrete failure symptom
@derekmisler

Copy link
Copy Markdown
Collaborator Author

Thanks for the review. Both observations were easy wins so I went ahead and addressed them in a follow-up commit: aligned the actions: read comment in the fork pr-review.yml YAML blocks to match the same-repo phrasing (adding a note about trigger artifacts), and restored the 403 callout in the upgrade checklist permissions bullet. Pushed as b730ce7.

@derekmisler derekmisler merged commit 988eb11 into main Jun 23, 2026
13 checks passed
@derekmisler derekmisler deleted the fix-actions-read-permission branch June 23, 2026 21:36