Skip to content

fix: add pull-requests write permission to ci-external workflow#21965

Merged
ludamad merged 1 commit intonextfrom
jh/fix-ci-external-permissions
Mar 24, 2026
Merged

fix: add pull-requests write permission to ci-external workflow#21965
ludamad merged 1 commit intonextfrom
jh/fix-ci-external-permissions

Conversation

@johnathan79717
Copy link
Copy Markdown
Contributor

@johnathan79717 johnathan79717 commented Mar 24, 2026

Summary

  • The ci-external workflow fails with Resource not accessible by integration (removeLabelsFromLabelable) because github.token defaults to read-only when no permissions block is set.
  • Adds contents: read + pull-requests: write to the ci-external job so gh pr edit --remove-label "ci-external-once" can succeed.

Context

  • Safe because the workflow uses pull_request_target (code always from base branch, not fork) and is gated by a maintainer adding the ci-external / ci-external-once label.
  • Matches the pattern used by other label-modifying workflows in the repo (e.g., merge-train-create-pr, auto-close-stale-drafts).
  • Fixes the CI failure seen on external PRs like chore: bench phase breakdown + thread sweep for MSM reduction #21885.

@johnathan79717
fix: add pull-requests write permission to ci-external workflow
a697806 
The ci-external workflow's `gh pr edit --remove-label "ci-external-once"`
fails with "Resource not accessible by integration" because the default
github.token has read-only permissions when no permissions block is set.

This adds explicit permissions (contents: read, pull-requests: write) to
the ci-external job, matching the pattern used by other label-modifying
workflows in the repo. Safe because the workflow runs via
pull_request_target (code from base branch) and is gated by a maintainer
adding the ci-external label.
@johnathan79717 johnathan79717 added ci-external-once Run CI on an external PR, but only once. and removed ci-external-once Run CI on an external PR, but only once. labels Mar 24, 2026
@ludamad ludamad enabled auto-merge March 24, 2026 17:07
@ludamad ludamad added this pull request to the merge queue Mar 24, 2026
Merged via the queue into next with commit f49661e Mar 24, 2026
28 of 32 checks passed
@ludamad ludamad deleted the jh/fix-ci-external-permissions branch March 24, 2026 17:52
@AztecBot AztecBot mentioned this pull request Mar 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ludamad ludamad ludamad approved these changes

@charlielye charlielye Awaiting requested review from charlielye charlielye is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@johnathan79717 @ludamad