Add repository-projects:read to release job token
After submariner-io#470, the release GitHub Action workflow is failing to add labels
to PRs.

```
gh pr edit --add-label e2e-all-k8s \
submariner-io/submariner#2032
GraphQL: Your token has not been granted the required scopes to execute
this query. The 'login' field requires one of the following scopes:
['read:org'], but your token has only been granted the:
['admin:repo_hook', 'delete:packages', 'notifications', 'repo',
'workflow', 'write:discussion', 'write:packages'] scopes. Please modify
your token's scopes at: https://github.com/settings/tokens.
INFO: Didn't label 'e2e-all-k8s', continuing without it.
```

The only explanation I can find of that permission is:

> read:org Read org and team membership, read org projects

I can also see that permission is a subset of admin:org. It seems to be
different than `read:project Read access of projects` somehow.

It's not clear which GITHUB_TOKEN permission we can set relates to those
token permissions.

docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

It doesn't seem possible to set all permissions to read and only some to
write, as setting any specific permission overrides read-all.

For now, trying the only permission that seems even vaguely related.

Signed-off-by: Daniel Farrell <[email protected]>
dfarrell07 committed Sep 21, 2022
1 parent 69b039b commit 3169e64
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion .github/workflows/release.yml
Expand Up @@ -10,9 +10,10 @@ on:

permissions:
contents: write
issues: write
packages: write
pull-requests: write
issues: write
repository-projects: read

jobs:
release:
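
Review bot: The added `repository-projects: read` line is unlikely to change the error quoted in the commit message, because that error is about a different kind of token. The scopes it lists (`repo`, `workflow`, `admin:repo_hook`, `write:packages` and so on) are personal access token scopes, which suggests the failing `gh pr edit` call authenticates with a PAT, while the `permissions:` block only shapes the workflow's `GITHUB_TOKEN`. `read:org` is also an organization-level scope and `repository-projects` covers projects on the repository, so one does not stand in for the other. Please confirm which secret the labelling step hands to `gh`; if it is a PAT, the fix is to grant that token `read:org`, and this line should be dropped so `GITHUB_TOKEN` stays at least privilege. Separately, the block sits above `jobs:` and so applies to every job in the workflow; since the title scopes the change to the release job, consider moving the permissions under `release:`.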