
Commit 33f9374

Grant contents:read to publish workflows for internal repo checkout
quicknode/cli is `internal` visibility, which GitHub Actions treats as private for auth purposes. Reusable workflows mint their own GITHUB_TOKEN scoped to the called workflow's declared permissions (NOT inherited from the caller's secrets: inherit). When a reusable workflow omits a permissions block, the auto-minted token has zero permissions on the repo's contents, and actions/checkout gets a 404 ("Repository not found") on the clone fetch.

Fix in two coordinated edits:

* publish-crates.yml and publish-docker.yml now declare `permissions: contents: read` at the workflow level.
* dist-workspace.toml gets a github-custom-job-permissions block so the calling jobs (custom-publish-crates, custom-publish-docker) also grant contents: read.

Reusable workflow permissions cannot exceed the caller's, so we had to widen both sides.

This is invisible on public repos because anonymous git fetches against github.com Just Work. We only hit it because the repo is internal.

The previous run produced a valid GitHub Release at v0.1.0 (all artifacts and attestations uploaded successfully — only the two publish jobs failed). To pick up this fix we'll delete that release + tag and re-tag; nothing has actually been published to crates.io or GHCR yet, so the teardown is purely a git/Releases-page cleanup.
1 parent 51bae95 commit 33f9374

4 files changed

Lines changed: 25 additions & 5 deletions
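An added example (not code from the quicknode/cli repository or from cargo-dist) that models the two rules the commit message relies on: a reusable workflow's GITHUB_TOKEN cannot hold more than the calling job grants, and actions/checkout on a private or internal repository needs `contents: read`. The permission blocks are hand-built dicts mirroring the YAML in this diff; `expand`, `check_call` and the scope list are the example's own names, and the case where the called workflow declares no `permissions:` block is reported as a finding rather than resolved, since the fix does not depend on how that case is inherited.

```python
"""Effective GITHUB_TOKEN permissions for a job calling a reusable workflow.

Added example for this commit page; not code from the quicknode/cli repository
or from cargo-dist. It models the two rules the fix relies on: a called
(workflow_call) workflow cannot hold more than the calling job grants, and
actions/checkout on a private or internal repository needs `contents: read`.
Inputs are plain dicts shaped like the YAML `permissions:` blocks in the diff
(constructed here; nothing is parsed from disk or fetched from GitHub).
"""

# Scopes a `permissions:` block may name (GitHub Actions workflow syntax).
SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments",
    "discussions", "id-token", "issues", "packages", "pages",
    "pull-requests", "repository-projects", "security-events", "statuses",
)
RANK = {"none": 0, "read": 1, "write": 2}


def expand(block):
    """Normalise a permissions block to {scope: level} over every scope.

    `read-all` / `write-all` set every scope; in a mapping, any scope that is
    not listed becomes `none` (once a block names any scope, GitHub sets the
    unspecified ones to none).
    """
    if block in ("read-all", "write-all"):
        return {s: block.split("-")[0] for s in SCOPES}
    levels = {s: "none" for s in SCOPES}
    for scope, level in dict(block).items():
        if scope not in SCOPES or level not in RANK:
            raise ValueError(f"unknown permission {scope!r}: {level!r}")
        levels[scope] = level
    return levels


def check_call(caller, called, needs_checkout=True, private_repo=True):
    """Return (effective, findings) for a caller job and the workflow it calls.

    `caller` is the calling job's `permissions:` mapping; `called` is the
    reusable workflow's `permissions:` block, or None if it declares none.
    The effective level per scope is the lower of the two: the called side
    can narrow the caller's grant but never widen it.
    """
    findings = []
    if called is None:
        findings.append(
            "called workflow declares no permissions block; declare one so "
            "its token does not depend on what the caller happens to grant"
        )
        return None, findings

    caller_eff, called_eff = expand(caller), expand(called)
    effective = {}
    for scope in SCOPES:
        want, have = called_eff[scope], caller_eff[scope]
        if RANK[want] > RANK[have]:
            findings.append(
                f"called workflow asks for {scope}: {want} but the caller grants "
                f"{have}; widen the caller (for cargo-dist, via "
                "github-custom-job-permissions) or lower the request"
            )
        effective[scope] = min(want, have, key=RANK.__getitem__)

    if needs_checkout and private_repo and RANK[effective["contents"]] < RANK["read"]:
        findings.append(
            "contents is none: actions/checkout on a private/internal repo will "
            "fail with 'Repository not found'; grant contents: read on both sides"
        )
    return effective, findings


if __name__ == "__main__":
    # Before the fix (values from the release.yml hunk): the caller job granted
    # id-token + packages write and publish-crates.yml declared nothing.
    print(check_call({"id-token": "write", "packages": "write"}, None))
    # Same caller grant, but with the called side declared: contents is still
    # none, so checkout on an internal repo cannot clone.
    print(check_call({"id-token": "write", "packages": "write"},
                     {"id-token": "write", "packages": "write"}))
    # After the fix: both sides grant contents: read, no findings.
    print(check_call({"contents": "read"}, {"contents": "read"}))
    # An attempted widening on the called side is reported, not honoured.
    print(check_call({"contents": "read"}, {"contents": "write"}))
```

Running the file prints the four cases: the pre-fix shape (no block on the called side), the same caller grant with an explicit but contents-less called block (the 404 the commit describes), the post-fix grant with no findings, and a called workflow asking for more than its caller, which is reported and clamped to the caller's level.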


.github/workflows/publish-crates.yml

Lines changed: 8 additions & 0 deletions
@@ -12,6 +12,14 @@ on:
1212
required: true
1313
type: string
1414

15+
# Reusable workflows mint their own GITHUB_TOKEN with only the permissions
16+
# declared here (NOT inherited from the caller). On a private/internal
17+
# repo, actions/checkout needs `contents: read` or it gets a 404. The
18+
# caller must also grant this — see dist-workspace.toml's
19+
# github-custom-job-permissions block.
20+
permissions:
21+
contents: read
22+
1523
jobs:
1624
publish:
1725
runs-on: ubuntu-22.04
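Review bot: the rationale in the new comment ("only the permissions declared here (NOT inherited from the caller)") claims more than this failure demonstrates. The release.yml hunk in the same commit shows the caller job previously granted only id-token and packages write, so contents was absent on both sides; a token inherited from that caller would have produced the identical 404, and the diff cannot distinguish the two models. Suggest the comment state only what the fix depends on, e.g. "Reusable workflows cannot hold more than the caller grants; this block and the caller's job must both grant contents: read for actions/checkout on this internal repo", which stays correct under either inheritance behaviour.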

.github/workflows/publish-docker.yml

Lines changed: 6 additions & 3 deletions
@@ -18,10 +18,13 @@ on:
1818

1919
# Permissions must NOT exceed what the caller (release.yml's
2020
# `custom-publish-docker` job) grants — reusable workflows can't widen
21-
# permissions. cargo-dist gives custom publish jobs id-token + packages
22-
# write, plus the workflow-level contents: write inherited via the
23-
# caller. That's enough for GHCR push and gh release download.
21+
# permissions. Caller grants are configured via dist-workspace.toml's
22+
# github-custom-job-permissions block. `contents: read` is needed for
23+
# actions/checkout on this internal repo; `packages: write` is needed
24+
# for GHCR push; `id-token: write` is needed for OIDC-backed
25+
# attestations on the pushed image.
2426
permissions:
27+
contents: read
2528
packages: write
2629
id-token: write
2730
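Review bot: the rewritten comment drops the removed text's mention that this job also relies on `gh release download`, which the old comment attributed to an inherited `contents: write`. If that step is still in the workflow, confirm `contents: read` covers it on the internal repo and say so in the comment, since readers will otherwise assume the download path lost a permission it needed; if the step is gone, the comment is fine as written.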

.github/workflows/release.yml

Lines changed: 2 additions & 2 deletions
@@ -297,8 +297,7 @@ jobs:
297297
secrets: inherit
298298
# publish jobs get escalated permissions
299299
permissions:
300-
"id-token": "write"
301-
"packages": "write"
300+
"contents": "read"
302301

303302
custom-publish-docker:
304303
needs:
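Review bot: this hunk does more than the commit message describes: custom-publish-crates loses "id-token": "write" and "packages": "write" rather than only gaining "contents": "read". That follows from dist-workspace.toml listing contents = "read" alone for publish-crates, and it is the right least-privilege outcome if the crates publish workflow needs neither scope (its own permissions block in this commit declares only contents: read), but the message talks only about widening both sides. Please record the narrowing in the commit message or the toml comment so it is not later read as an accidental drop, and confirm no step in publish-crates.yml depends on an OIDC token.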
@@ -311,6 +310,7 @@ jobs:
311310
secrets: inherit
312311
# publish jobs get escalated permissions
313312
permissions:
313+
"contents": "read"
314314
"id-token": "write"
315315
"packages": "write"
316316
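Review bot: release.yml is cargo-dist output (the old publish-docker.yml comment and dist-workspace.toml's publish-jobs and github-custom-job-permissions entries show the grants originate there), so this hunk and the one above should come from regenerating against the toml rather than a hand edit; any manual drift here is overwritten on the next regeneration. The grant itself matches publish-docker.yml's declaration (contents: read, id-token: write, packages: write), which is exactly the caller-side ceiling the called workflow needs.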

dist-workspace.toml

Lines changed: 9 additions & 0 deletions
@@ -31,3 +31,12 @@ formula = "qn"
3131
publish-jobs = ["./publish-crates", "./publish-docker"]
3232
# Emit SLSA build attestations for every binary archive. Critical for a credential-handling tool.
3333
github-attestations = true
34+
35+
# The repo is `internal`, so the reusable workflow's auto-minted
36+
# GITHUB_TOKEN needs explicit contents:read to checkout the source.
37+
# Without this the actions/checkout step in each publish workflow
38+
# fails with `Repository not found` (a 404 masquerading as a missing
39+
# auth claim on a private repo). Granting the permission here widens
40+
# the calling job's permission grant so the called workflow can also
41+
# declare contents:read without exceeding the caller.
42+
github-custom-job-permissions = { "publish-crates" = { contents = "read" }, "publish-docker" = { contents = "read", packages = "write", "id-token" = "write" } }
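Review bot: the parenthetical "a 404 masquerading as a missing auth claim" is inverted: the underlying fault is the missing `contents: read` on the token, and GitHub surfaces the unauthorised clone of a private repo as 404 `Repository not found`, so it is an auth failure masquerading as a 404. Second, the table is asymmetric and the comment does not say why: `publish-docker` repeats packages = "write" and "id-token" = "write" while `publish-crates` gets contents = "read" alone, and the release.yml hunk shows this map replaces cargo-dist's default id-token/packages write grant rather than adding to it. One sentence stating that each entry is the complete grant for that job (so omitting a scope removes it) would stop someone "adding" contents here later and silently dropping the write scopes.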
