fix: remove artifact-metadata:write from reusable workflows #142
Reusable workflows cannot request permissions that callers don't grant — GitHub fails with a validation error. Removing artifact-metadata:write from the reusable workflows avoids breaking existing callers. The permission remains in the example files so callers can adopt it at their own pace.
Pull request overview
This PR aims to prevent reusable Docker build/promote workflows from failing validation when callers haven’t yet granted the new artifact-metadata: write permission, while keeping that permission in example workflows so adopters can opt in over time.
Changes:
- Removed `artifact-metadata: write` from the reusable Docker build-and-push workflows' `permissions`.
- Removed the `permissions` block from the reusable Docker promote workflows (JFrog + Docker Hub).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/docker-promote-jfrog.yaml | Removes workflow-level permissions for the JFrog promotion reusable workflow. |
| .github/workflows/docker-promote-dockerhub.yaml | Removes workflow-level permissions for the Docker Hub promotion reusable workflow. |
| .github/workflows/docker-build-push-jfrog.yaml | Drops artifact-metadata: write from the build/push reusable workflow permissions. |
| .github/workflows/docker-build-push-dockerhub.yaml | Drops artifact-metadata: write from the build/push reusable workflow permissions. |
| @@ -40,12 +40,6 @@ on: | |||
| required: false | |||
| default: false | |||
|
|
|||
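Review bot: the hunk header `@@ -40,12 +40,6 @@` records six lines deleted after the `default: false` input with nothing added in their place; if that span was the workflow-level permissions block, this drops every permission the workflow declared, not only `artifact-metadata: write`, which is the single key the PR description says it intends to remove. Keep the block and delete just that one key, so the diff for this file is a single removed line and callers that already grant `id-token: write` and `attestations: write` see no behaviour change.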
The workflow-level permissions block was removed entirely. This reusable workflow uses OIDC (via jfrog/setup-jfrog-cli) and actions/attest-build-provenance, which require at least id-token: write and attestations: write (and typically contents: read). Without setting these here, callers must provide them explicitly, turning this into a breaking change and potentially causing runtime failures rather than a clear permissions validation error. Consider restoring the permissions block and only dropping artifact-metadata: write (per PR intent), or explicitly moving the required permissions to a job-level permissions stanza with the same effect.
```yaml
permissions:
  contents: read
  id-token: write
  attestations: write
```
| @@ -33,12 +33,6 @@ on: | |||
| description: "Docker Hub password" | |||
| required: true | |||
|
|
|||
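Review bot: same pattern as the JFrog file, `@@ -33,12 +33,6 @@` removes six lines after the `Docker Hub password` secret with no replacement, so the reusable workflow no longer declares `id-token: write` or `attestations: write` and every caller has to supply them itself. That is the breaking change the PR description says it is trying to avoid; restore the block with `contents: read`, `id-token: write` and `attestations: write` and drop only `artifact-metadata: write`.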
The workflow-level permissions block was removed entirely. This workflow runs actions/attest-build-provenance, which needs id-token: write and attestations: write (and contents: read for checkout). If callers don’t set these permissions explicitly, the workflow will fail at runtime; this is a broader breaking change than just removing artifact-metadata: write. Consider re-adding the minimal required permissions here and only removing artifact-metadata: write.
```yaml
permissions:
  contents: read
  id-token: write
  attestations: write
```
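As an added illustration of the constraint the PR description and both review comments turn on (this is not code from PR #142 or from the repository): a caller workflow that grants a fixed permission set, and the reusable workflow it invokes declaring only what its steps need, at job level, with `artifact-metadata: write` left to the caller to opt into. The consuming repository name `example-org/platform-workflows`, the `image` input, the step ids, the action version tags and the `oidc-provider-name` value are assumptions; the action names, file name and permissions are the ones this page names.

```yaml
# Added example, not from PR #142. Two documents in one stream: the caller
# first, then the reusable workflow it calls.
#
# --- caller: .github/workflows/release.yaml in a consuming repository ---
name: release
on:
  push:
    tags: ["v*"]

# The caller's grant is the ceiling. A called workflow that requests a
# permission absent here fails at validation, before any job runs.
permissions:
  contents: read
  id-token: write        # OIDC token consumed by jfrog/setup-jfrog-cli
  attestations: write    # consumed by actions/attest-build-provenance
  # artifact-metadata: write   # callers opt in here at their own pace

jobs:
  build:
    # example-org/platform-workflows is an assumed repository name
    uses: example-org/platform-workflows/.github/workflows/docker-build-push-jfrog.yaml@main
    with:
      image: ghcr.io/example-org/app   # assumed input name and value
    secrets: inherit

---
# --- reusable: .github/workflows/docker-build-push-jfrog.yaml ---
name: docker-build-push-jfrog
on:
  workflow_call:
    inputs:
      image:
        required: true
        type: string

jobs:
  build:
    runs-on: ubuntu-latest
    # Job-level stanza with the minimum the steps below need. artifact-metadata:
    # write is deliberately omitted so callers on the older grant still pass
    # validation; callers that do grant it lose nothing by its absence here.
    permissions:
      contents: read
      id-token: write
      attestations: write
    steps:
      - uses: actions/checkout@v4
      - uses: jfrog/setup-jfrog-cli@v4
        with:
          oidc-provider-name: github      # assumed provider name
      - id: push                          # assumed step id
        uses: docker/build-push-action@v6
        with:
          push: true
          tags: ${{ inputs.image }}
      - uses: actions/attest-build-provenance@v2
        with:
          subject-name: ${{ inputs.image }}
          subject-digest: ${{ steps.push.outputs.digest }}
          push-to-registry: true
```

Dropping the whole `permissions:` block from the reusable workflow, as the two hunks above do, makes the job inherit whatever the caller granted instead of stating its own needs; a caller that grants only `contents: read` then gets a failure from the attestation step at run time rather than the validation error the PR description describes.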
Summary
- Remove `artifact-metadata: write` from the 4 reusable workflows (build + promote) to avoid breaking callers that don't yet grant this permission

Follows up on #141.
Test plan
artifact-metadata: write