[BUG](ci) Vnext rebase workflow needs broader permissions#541
Open
John McCall (lowlydba) wants to merge 1 commit into
Open
[BUG](ci) Vnext rebase workflow needs broader permissions#541John McCall (lowlydba) wants to merge 1 commit into
John McCall (lowlydba) wants to merge 1 commit into
Conversation
This is paired with an increase in scoped permissions for the underlying GHA. Not currently broken, but there are yet-to-be-triggered paths (like vnext containing a workflow change) that could error. Signed-off-by: John McCall <john@overturemaps.org>
🗺️ Schema reference docs preview is live!
Note ♻️ This preview updates automatically with each push to this PR. |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens the Rebase vnext onto main GitHub Actions workflow by expanding the GitHub App installation token’s explicitly-scoped permissions so the rebase/force-push succeeds even when vnext contains changes under .github/workflows/.
Changes:
- Adds
permission-workflows: writeto theactions/create-github-app-tokenstep so pushes that modify workflow files are permitted. - Improves inline documentation/comments explaining why each app-token permission is needed.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Connie Sun (connieksun)
approved these changes
Jun 4, 2026
John McCall (lowlydba)
requested review from
Eric Godwin (ericgodwin),
Jeff Underwood (jeffdefacto) and
Stephen Epps (stepps00)
and removed request for
Eric Godwin (ericgodwin)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The
Rebase vnext onto mainhad been failing until the GitHub app permissions were updated, and is now working.This pull request makes additional workflow-level permission changes to ensure that all code paths are accounted for, whereas before there may have been latent permission errors lurking.
Reference
N/A
Testing
The workflow has been successfully re-run post updating of the App permissions, confirming it is fixed.