From 017178d8c59694392f19f7323211e51619d6ef59 Mon Sep 17 00:00:00 2001
From: chitcommit <208086304+chitcommit@users.noreply.github.com>
Date: Wed, 10 Jun 2026 02:37:21 +0000
Subject: [PATCH] fix(reusable-ci): drop unsatisfiable permissions elevation on ai-review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A reusable workflow cannot elevate permissions beyond what the caller grants. The ai-review job declared 'permissions: pull-requests: write' but consumer workflows (e.g. chittyos/chittyentity/.github/workflows/ci.yml) do not grant it on the calling job. Org default is read-only, so GitHub Actions rejects with startup_failure at instantiation — no jobs run, no logs, no annotations.

Fix: remove the permissions block. Document in a comment how callers can opt-in to AI-review PR comments by declaring permissions on the calling job. lint/test/security run fine with default read-only.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/reusable-ci-pipeline.yml | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/reusable-ci-pipeline.yml b/.github/workflows/reusable-ci-pipeline.yml
index 265b795..4cf7778 100644
--- a/.github/workflows/reusable-ci-pipeline.yml
+++ b/.github/workflows/reusable-ci-pipeline.yml
@@ -136,9 +136,17 @@ jobs:
     name: AI Review
     if: inputs.run-ai-review && github.event_name == 'pull_request'
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
+    # Note: pull-requests: write must be granted by the caller workflow.
+    # A reusable workflow cannot elevate permissions beyond what the caller
+    # provides; declaring write here when the caller is read-only causes a
+    # startup_failure with no log output. Callers that want AI review to
+    # post PR comments should set permissions on the calling job, e.g.:
+    #   jobs:
+    #     ci-pipeline:
+    #       permissions:
+    #         contents: read
+    #         pull-requests: write
+    #       uses: chittyfoundation/.github/.github/workflows/reusable-ci-pipeline.yml@main
     env:
       ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
     steps:
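Review bot: Dropping the whole `permissions:` block, rather than only the `pull-requests: write` line, means the ai-review job now runs with whatever the caller grants, which for a caller that sets `write-all` or `contents: write` is more than a job that forwards code to an external API with `ANTHROPIC_API_KEY` needs; the removed block at least capped the job at `contents: read`. A called workflow may always narrow the caller's grant, so keeping `permissions:` / `  contents: read` should satisfy the read-only default while still being a downgrade for broader callers — worth confirming against the startup_failure reproduction before relying on it. The comment's example pins the reusable workflow with `@main`, a mutable ref; from a supply-chain standpoint the example might show a tag or commit SHA, or at least mention that option. The steps that actually post the PR comment are outside this hunk, so whether they fail clearly when the token is read-only cannot be seen here; if they do not, a short fail-fast check there would turn the silent case into an actionable error.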