Is it possible to evaluate permissions after if?

[git-developer]

Select Topic Area

Question

Body

Consider the following simplified use case:

$ cat .github/workflows/trigger.yml

name: Trigger
on:
  workflow_dispatch:

jobs:
  job:
    uses: ./.github/workflows/deploy.yml
    with:
      registry: dockerhub

$ cat .github/workflows/deploy.yml

on:
  workflow_call:
    inputs:
      registry:
        type: string

jobs:
  ghcr:
    if: inputs.registry == 'ghcr'
    permissions:
      packages: write
    runs-on: ubuntu-latest
    steps:
      - run: echo Deploy to GHCR
  dockerhub:
    if: inputs.registry != 'ghcr'
    runs-on: ubuntu-latest
    steps:
      - run: echo Deploy to Docker Hub

Running the workflow Trigger results in an error message:

The workflow is not valid. .github/workflows/trigger.yml (Line: 6, Col: 3): Error calling workflow 'git-developer/gh-demo/.github/workflows/deploy.yml@64c5038ded77419ad18a47a2d71093abe8cf8a9b'. The nested job 'ghcr' is requesting 'packages: write', but is only allowed 'packages: read'.

I didn't expect this because the condition for job ghcr is not satisfied. I didn't find anything about this behavior in the docs. Is there a specific reason for this behavor, or is it a bug?

[git-developer]

The problem does not occur when workflow permissions are changed from default ("Read repository contents and packages permissions") to read/write in the repository settings. So apparently the permission elevation of the GITHUB_TOKEN seems not to work in combination with if.

[git-developer]

GitHub Support pointed out that it makes a difference whether permissions are defined in the calling workflow or the called workflow.

When defined in the caller workflow (trigger.yml in the example above), the permissions entry defines the permissions granted for the workflow (including all called workflows). These permissions override the default "Workflow permissions" configured in the repository settings. When defined in a called workflow (deploy.yml in the example above), it restricts the permissions from the caller. It is not possible to elevate permissions in a called workflow.

Albeit that, the following trigger workflow fails when run with default inputs:

name: Trigger
on:
  workflow_dispatch:
    inputs:
      registry:
        type: string
        default: dockerhub

jobs:
  ghcr:
    if: inputs.registry == 'ghcr'
    permissions:
      packages: write
    uses: ./.github/workflows/deploy.yml
    with:
      registry: ${{ inputs.registry }}

  dockerhub:
    if: inputs.registry != 'ghcr'
    uses: ./.github/workflows/deploy.yml
    with:
      registry: ${{ inputs.registry }}

Error message:

Invalid workflow file: .github/workflows/trigger.yml#L18
The workflow is not valid. .github/workflows/trigger.yml (Line: 18, Col: 3): Error calling workflow 'git-developer/gh-demo/.github/workflows/deploy.yml@fdf28d525c496dfbcb1044537b167ef9678700ca'. The nested job 'ghcr' is requesting 'packages: write', but is only allowed 'packages: read'.

[git-developer]

Quote from a discussion with the GitHub Support:

The permission is evaluated before the if condition. It is set in the Set up job step. This is why the job still fails.

That explains the behavior.

It would be nice if this could be changed so that permissions are evaluated after if conditions.