fix(ci): grant permissions to reusable workflow calls #561

Open
andreatgretel wants to merge 1 commit into main from andreatgretel/fix/docs-build-permissions

Conversation

@andreatgretel
Contributor

📋 Summary

The permissions: {} added in #517 (CI supply chain hardening) restricts all jobs to zero permissions by default. The build-notebooks jobs in build-docs and pack-tutorials call the reusable build-notebooks.yml workflow but didn't override this, so GitHub Actions refused to start them (startup_failure). This broke the v0.5.7 release docs build and tutorial packing.

🔗 Related Issue

Fixes the v0.5.7 release Build docs and Pack tutorials startup failures.

🔄 Changes

  • Add permissions: { actions: read, contents: write } to the build-notebooks reusable workflow job in build-docs.yml and pack-tutorials.yml
  • These match the permissions the called workflow's job (build-notebooks.yml) already declares

🧪 Testing

  • make test passes — N/A, CI-only change
  • Unit tests added/updated — N/A, no testable logic
  • E2E tests added/updated — will validate by triggering a workflow_dispatch of Build docs from the PR branch after merge

✅ Checklist

  • Follows commit message conventions
  • Commits are signed off (DCO)
  • Architecture docs updated — N/A

…nd pack-tutorials

The top-level `permissions: {}` added in #517 restricts all jobs to zero
permissions by default. The `build-notebooks` jobs that call the reusable
workflow did not override this, so GitHub Actions refused to start them
(startup_failure). Add the required `actions: read` and `contents: write`
permissions to both calling jobs.

Fixes the v0.5.7 release docs build failure.
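The rule the PR description and commit message rely on is that a job which `uses:` a reusable workflow must itself grant (at job level, or through the caller's top-level `permissions`) every scope the called workflow's jobs declare, and a top-level `permissions: {}` with no job-level override grants nothing. The following static check is an added example, not code from this project: it reproduces that rule over constructed stand-ins for `build-notebooks.yml` and the broken and fixed forms of `build-docs.yml`, so the regression from #517 can be caught before a release run fails. The file contents, the `default_permissions` stand-in for the repository's GITHUB_TOKEN default, and the deliberately minimal YAML-subset parser are all assumptions made for the example; on real workflow files use `yaml.safe_load` in place of `parse_yaml_subset`.

```python
# Added example (not the project's code): lint reusable-workflow calls for
# under-granted permissions. Workflow texts, the repository-default stand-in
# and the YAML-subset parser are constructed for this example.

LEVEL = {"none": 0, "read": 1, "write": 2}
# Scopes compared. `id-token` is omitted: it is write-or-none and not part of read-all.
SCOPES = ("actions", "attestations", "checks", "contents", "deployments", "discussions",
          "issues", "packages", "pages", "pull-requests", "security-events", "statuses")

# Constructed stand-ins for the files named in the PR, reduced to the keys the check reads.
CALLEE_PATH = ".github/workflows/build-notebooks.yml"
CALLEE = """
on:
  workflow_call: {}
jobs:
  build:
    permissions: { actions: read, contents: write }
"""
# Caller as it stood after #517: top-level `permissions: {}`, no override on the call.
BROKEN_CALLER = """
permissions: {}
jobs:
  build-notebooks:
    uses: ./.github/workflows/build-notebooks.yml
"""
# Caller as this PR leaves it: the grant sits at job level, beside `uses:`.
FIXED_CALLER = """
permissions: {}
jobs:
  build-notebooks:
    uses: ./.github/workflows/build-notebooks.yml
    permissions: { actions: read, contents: write }
"""

def parse_scalar(value: str):
    """Flow mapping `{ a: b, c: d }` or `{}` -> dict; anything else stays a string."""
    if value.startswith("{"):
        inner = value.strip("{} ")
        return {k.strip(): v.strip() for k, v in
                (item.split(":", 1) for item in inner.split(","))} if inner else {}
    return value

def parse_yaml_subset(text: str) -> dict:
    """Indentation-based block mappings whose values are scalars or flow mappings."""
    root: dict = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # dedent closes the nested mappings
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = parse_scalar(value.strip())
        else:  # `key:` with nothing after it opens a nested mapping
            parent[key] = child = {}
            stack.append((indent, child))
    return root

def expand(permissions) -> dict:
    """Normalise a `permissions` value to {scope: level}; unlisted scopes are none."""
    if permissions in ("read-all", "write-all"):
        return {s: permissions[:-4] for s in SCOPES}
    granted = {s: "none" for s in SCOPES}
    granted.update(permissions or {})
    return granted

def check_reusable_calls(files: dict, default_permissions="read-all") -> list:
    """One message per scope that a local reusable-workflow call under-grants.
    default_permissions stands in for the repository GITHUB_TOKEN default (assumed)."""
    parsed = {path: parse_yaml_subset(text) for path, text in files.items()}
    problems = []
    for path, wf in parsed.items():
        for job_name, job in wf.get("jobs", {}).items():
            target = job.get("uses")
            if not target or not target.startswith("./"):
                continue  # plain job, or a remote reusable workflow we cannot read here
            callee = parsed.get(target[2:])
            if callee is None:
                problems.append(f"{path}: job '{job_name}' calls {target}, not among the files given")
                continue
            # Job-level permissions win, then top-level, then the repository default.
            granted = expand(job.get("permissions", wf.get("permissions", default_permissions)))
            for cjob_name, cjob in callee.get("jobs", {}).items():
                needed = expand(cjob.get("permissions", {}))  # undeclared: inherits, needs nothing extra
                for scope in SCOPES:
                    if LEVEL[needed[scope]] > LEVEL[granted[scope]]:
                        problems.append(
                            f"{path}: job '{job_name}' grants {scope}: {granted[scope]} but "
                            f"{target} job '{cjob_name}' requests {scope}: {needed[scope]}")
    return problems

def lint_caller(caller_text: str, default_permissions="read-all") -> list:
    """Check one build-docs.yml variant against the constructed build-notebooks.yml."""
    files = {CALLEE_PATH: CALLEE, ".github/workflows/build-docs.yml": caller_text}
    return check_reusable_calls(files, default_permissions)
```

`lint_caller(BROKEN_CALLER)` reports that the caller grants `actions: none` and `contents: none` while the called `build` job requests `actions: read` and `contents: write`; `lint_caller(FIXED_CALLER)` returns an empty list. Running the broken caller with its top-level `permissions: {}` line removed and `default_permissions="read-all"` flags only `contents`, which is why a call that worked under a permissive repository default broke the moment the workflow opted into zero permissions.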
@andreatgretel andreatgretel requested a review from a team as a code owner April 18, 2026 03:19
@github-actions
Contributor

Code Review: PR #561

fix(ci): grant permissions to reusable workflow calls in build-docs and pack-tutorials

Author: @andreatgretel | Base: main | +6 / -0 across 2 files


Summary

This PR fixes a CI regression introduced by #517 (supply chain hardening), which set top-level permissions: {} on the build-docs and pack-tutorials workflows. That blanket restriction zeroed out permissions for all jobs, including the build-notebooks job that calls the reusable build-notebooks.yml workflow. GitHub Actions requires the caller to grant at least the permissions the called workflow's jobs need; without this override the jobs failed with startup_failure, breaking the v0.5.7 release docs build and tutorial packing.

The fix adds explicit permissions: { actions: read, contents: write } to the build-notebooks caller job in both workflows.

Findings

Correctness

  • Permissions match the called workflow. build-notebooks.yml declares permissions: { actions: read, contents: write } on its build job (lines 22-24). The caller-side permissions added here are identical — this is the minimum required set, following the principle of least privilege.
  • Placement is correct. The permissions block is placed at the job level (under the uses: key), which is the correct location for overriding top-level permissions: {} on reusable workflow calls.
  • No over-granting. Only actions: read and contents: write are granted — no broader scopes like write-all or unnecessary permissions.

Consistency

  • Matches existing patterns. The deploy job in build-docs.yml (lines 27-28) and the zip-and-upload job in pack-tutorials.yml (lines 20-21) already declare job-level permissions. This PR follows the same pattern.

Potential Concerns

  • None identified. This is a minimal, targeted fix that addresses a clear regression with no side effects.

Nits

  • None. The YAML formatting is consistent with the rest of the workflow files.

Verdict

Approve. This is a clean, minimal fix for a CI regression. The granted permissions are the exact minimum required by the called workflow, the placement is correct per GitHub Actions semantics, and the change follows the existing patterns in these workflow files. No issues found.

@greptile-apps
Contributor

greptile-apps bot commented Apr 18, 2026

Greptile Summary

This PR fixes startup_failure errors in the build-notebooks jobs of build-docs.yml and pack-tutorials.yml by explicitly granting actions: read and contents: write permissions to those jobs when calling the build-notebooks.yml reusable workflow. The added permissions exactly match what the reusable workflow's build job already declares, satisfying GitHub Actions' requirement that callers grant any permissions the called workflow needs, even when the caller has permissions: {} globally.

Confidence Score: 5/5

Safe to merge — the fix is minimal, correct, and aligns caller permissions exactly with what the reusable workflow already declares.

Both changes add exactly the permissions (actions: read, contents: write) that build-notebooks.yml's build job already declares, with no new permissions introduced beyond what the callee requires. No logic, security, or correctness issues found.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/build-docs.yml | Adds actions: read and contents: write permissions to the build-notebooks reusable workflow call, matching the permissions declared in build-notebooks.yml's build job. |
| .github/workflows/pack-tutorials.yml | Adds actions: read and contents: write permissions to the build-notebooks reusable workflow call, matching the permissions declared in build-notebooks.yml's build job. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant BD as build-docs.yml
    participant PT as pack-tutorials.yml
    participant BN as build-notebooks.yml

    Note over BD: permissions: {}
    Note over PT: permissions: {}

    BD->>BN: uses: build-notebooks.yml<br/>permissions: {actions: read, contents: write}
    activate BN
    Note over BN: build job<br/>permissions: {actions: read, contents: write}
    BN-->>BD: artifact: notebooks
    deactivate BN

    PT->>BN: uses: build-notebooks.yml<br/>permissions: {actions: read, contents: write}
    activate BN
    Note over BN: build job<br/>permissions: {actions: read, contents: write}
    BN-->>PT: artifact: notebooks
    deactivate BN
```

Reviews (1): Last reviewed commit: "fix(ci): grant permissions to reusable w..."

@andreatgretel andreatgretel changed the title fix(ci): grant permissions to reusable workflow calls in build-docs and pack-tutorials fix(ci): grant permissions to reusable workflow calls Apr 18, 2026

2 participants