From c091f79920fddf4e62626ed88b92f200ebc6e033 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 29 Dec 2025 00:58:31 +0000
Subject: [PATCH 1/2] fix(ci): resolve nightly workflow permission error

The nightly workflow was failing validation because test.yml declared `checks: write` at the workflow level. When a reusable workflow declares permissions, the caller must grant them. Scheduled runs have limited permissions and cannot grant `checks: write`, causing validation to fail before any code runs.
Changes:
- Remove `permissions` block from test.yml so it inherits from caller
- Add `checks: write` to nightly.yml (granted for manual runs, ignored for scheduled runs which have limited permissions)
- Add workflow_dispatch input to optionally enable coverage annotation
- Make skip_coverage_annotation dynamic: always true for scheduled runs, configurable for manual runs
---
 .github/workflows/nightly.yml | 13 +++++++++++--
 .github/workflows/test.yml | 4 ----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index a262719..1f70975 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -4,13 +4,22 @@ on:
 schedule:
 # Run every Monday at 12 AM UTC
 - cron: '0 0 * * 1'
- workflow_dispatch: # Allow manual trigger
+ workflow_dispatch:
+ inputs:
+ skip_coverage_annotation:
+ description: 'Skip coverage annotation (scheduled runs must skip due to permission limits)'
+ required: false
+ default: true
+ type: boolean
 permissions:
 contents: read
+ checks: write
 jobs:
 test:
 uses: ./.github/workflows/test.yml
 with:
- skip_coverage_annotation: true
+ # For scheduled runs, always skip annotation (can't get checks:write permission).
+ # For manual runs, use the input value (defaults to true, but can be set to false).
+ skip_coverage_annotation: ${{ github.event_name == 'schedule' || inputs.skip_coverage_annotation }}
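Review bot: `checks: write` is added at the workflow level of nightly.yml, so every job in the workflow — including scheduled runs, which the `with:` expression below forces to skip the annotation anyway — is declared with a token carrying `checks: write`, while only the job that calls test.yml has any use for it. Because the same series removes test.yml's own `permissions` block (the `@@ -9,10 +9,6 @@` hunk), the caller's grant is now the only place that scope is bounded, so it is worth keeping it as narrow as possible: move `permissions:` / `contents: read` / `checks: write` under `jobs.test` so the grant sits on the single job that invokes the reusable workflow. It would also help future callers if test.yml recorded the minimum scope it expects next to its `workflow_call` inputs, since nothing in test.yml states it any more; which step actually needs `checks: write` is not visible here, so confirm that before wording such a comment. The `on:` block this hunk edits starts outside the hunk.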
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index fe4f645..ff8347f 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,10 +9,6 @@ on:
 default: false
 type: boolean
-permissions:
- contents: read
- checks: write
-
 jobs:
 tests:
 name: Tests (PHP ${{ matrix.php }})

From a64faf2cf309085b78e61a23261828013601c54a Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 29 Dec 2025 03:47:48 +0000
Subject: [PATCH 2/2] refactor(ci): remove speculative comments about scheduled run permissions

Remove comments claiming scheduled runs can't have checks:write permission, as this isn't documented and may be incorrect. The actual fix was removing the explicit permission declaration from test.yml so it inherits from the caller, avoiding the workflow_call permissions validation failure.
---
 .github/workflows/nightly.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 1f70975..bc02d83 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -7,7 +7,7 @@ on:
 workflow_dispatch:
 inputs:
 skip_coverage_annotation:
- description: 'Skip coverage annotation (scheduled runs must skip due to permission limits)'
+ description: 'Skip coverage annotation'
 required: false
 default: true
 type: boolean
@@ -20,6 +20,4 @@ jobs:
 test:
 uses: ./.github/workflows/test.yml
 with:
- # For scheduled runs, always skip annotation (can't get checks:write permission).
- # For manual runs, use the input value (defaults to true, but can be set to false).
 skip_coverage_annotation: ${{ github.event_name == 'schedule' || inputs.skip_coverage_annotation }}