fix(ci): grant packages:write to maven-publish deploy job #75
Merged
Restores GitHub Packages deploys after they started failing with HTTP 403. The deploy job did not declare a `permissions:` block, so it inherited the org-wide default for GITHUB_TOKEN. When that default does not include `packages: write`, the maven-deploy step is rejected by maven.pkg.github.com regardless of the token being valid. Declaring the permission at the job level makes the workflow self-sufficient and consistent with release.yml, which already pins its own permissions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
- `permissions: { contents: read, packages: write }` to the `deploy` job in `.github/workflows/maven-publish.yml`.
- `HTTP 403 Forbidden` failures from `mvn deploy` against `maven.pkg.github.com/pluggyai/pluggy-java`.

Why it broke "out of nowhere"

The job had no `permissions:` block, so `GITHUB_TOKEN` inherited the org/repo default. GitHub no longer grants `packages: write` by default in many configurations — once that default tightens, the token is valid but cannot push packages, and the deploy step gets a 403. `release.yml` already declares its own permissions; this change brings `maven-publish.yml` in line with that pattern.

Test plan

- `Maven Deploy to GitHub Packages` workflow via `workflow_dispatch` with `tag_version: v1.9.0` and confirm the `deploy` job succeeds.
- `1.9.0` jar appears under https://github.com/pluggyai/pluggy-java/packages.

🤖 Generated with Claude Code
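An added example, not part of this pull request or the pluggy-java repository: a small Python check that lists workflow jobs with no explicit `permissions:` key, which is the condition the description above blames for the 403. The sample workflow, the `build` job and the function name `jobs_inheriting_default` are constructed for illustration; the scanner assumes block-style YAML indented with spaces.

```python
import re

KEY = re.compile(r"([A-Za-z_][\w-]*)\s*:")

# Constructed sample workflow (not the project's real file): `build` relies on
# the inherited GITHUB_TOKEN default, `deploy` declares its own permissions.
SAMPLE_WORKFLOW = """\
name: Maven Deploy to GitHub Packages
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: mvn -B verify
  deploy:
    runs-on: ubuntu-latest
    permissions: { contents: read, packages: write }
    steps:
      - run: mvn -B deploy
"""


def jobs_inheriting_default(workflow_text):
    """Names of jobs with no job-level `permissions:` key; empty if the
    workflow sets a top-level `permissions:` that applies to every job."""
    jobs, current, in_jobs = {}, None, False
    job_indent = child_indent = None
    for raw in workflow_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        m = KEY.match(line.strip())
        name = m.group(1) if m else None
        if indent == 0:
            if name == "permissions":
                return []
            in_jobs, current = (name == "jobs"), None
        elif in_jobs and name:
            job_indent = indent if job_indent is None else job_indent
            if indent == job_indent:          # a job id under `jobs:`
                current, child_indent = name, None
                jobs[current] = False
            elif current is not None:
                child_indent = indent if child_indent is None else child_indent
                if indent == child_indent and name == "permissions":
                    jobs[current] = True
    return [job for job, declared in jobs.items() if not declared]
```

Run over every file in `.github/workflows/`, a non-empty result marks jobs whose token scope depends on an org or repo default that can change without any commit to the repository.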