CI: fix id-token permission for "Test wheels building"#820
Merged
dkropachev merged 1 commit into scylladb:master from Apr 15, 2026
Conversation
build-test.yml triggers on pull_request, which gives it id-token:none by default. lib-build-and-push.yml's upload_pypi job declares id-token:write, which exceeds the caller's cap and causes GitHub to reject the workflow at parse time — even though upload:false prevents upload_pypi from ever running. Fix: explicitly grant id-token:write to the test-wheels-build job so the permission cap satisfies the reusable workflow's requirement. Fixes scylladb#819
This also gives unnecessary permissions to the whole workflow, no? This job could run perfectly well without write permissions, but now it has them.
dkropachev approved these changes Apr 15, 2026
Author
@Lorak-mmk This change only adds permissions: id-token: write to that job, not the whole workflow. It does not grant general repository write permissions (e.g.,
Author
@Lorak-mmk Created issue #824
nikagra added a commit to nikagra/python-driver that referenced this pull request Apr 17, 2026
…-build.yml

Closes scylladb#824. Follow-up to scylladb#820.

The upload_pypi job in lib-build-and-push.yml was never reachable: none of the four caller workflows pass upload: true. build-push.yml and publish-manually.yml already publish from their own separate jobs (necessary due to how PyPI Trusted Publishing embeds the caller workflow path in the OIDC token).

Because the reusable workflow declared 'permissions: id-token: write' for upload_pypi, GitHub's static permission validation forced build-test.yml (a pull_request workflow, which defaults to id-token: none) to also declare id-token: write — granting unnecessary privileges to a job that only builds wheels.

Changes:
- Rename lib-build-and-push.yml -> lib-build.yml (it only builds now)
- Remove upload input and upload_pypi job from the reusable workflow
- Remove 'permissions: id-token: write' and 'with: upload: false' from build-test.yml (no longer needed)
- Update all callers (build-push.yml, publish-manually.yml, build-pre-release.yml) to reference the new workflow path and drop upload: false from with: blocks
- Replace TODO comments in build-push.yml and publish-manually.yml with an explanatory comment: the separate publish job is now intentional design, not a temporary workaround
dkropachev pushed a commit that referenced this pull request Apr 18, 2026
…-build.yml

Closes #824. Follow-up to #820.

The upload_pypi job in lib-build-and-push.yml was never reachable: none of the four caller workflows pass upload: true. build-push.yml and publish-manually.yml already publish from their own separate jobs (necessary due to how PyPI Trusted Publishing embeds the caller workflow path in the OIDC token).

Because the reusable workflow declared 'permissions: id-token: write' for upload_pypi, GitHub's static permission validation forced build-test.yml (a pull_request workflow, which defaults to id-token: none) to also declare id-token: write — granting unnecessary privileges to a job that only builds wheels.

Changes:
- Rename lib-build-and-push.yml -> lib-build.yml (it only builds now)
- Remove upload input and upload_pypi job from the reusable workflow
- Remove 'permissions: id-token: write' and 'with: upload: false' from build-test.yml (no longer needed)
- Update all callers (build-push.yml, publish-manually.yml, build-pre-release.yml) to reference the new workflow path and drop upload: false from with: blocks
- Replace TODO comments in build-push.yml and publish-manually.yml with an explanatory comment: the separate publish job is now intentional design, not a temporary workaround
Summary

Fixes #819.

build-test.yml is triggered by pull_request, which implicitly grants id-token: none. The reusable lib-build-and-push.yml contains an upload_pypi job declaring id-token: write. GitHub enforces permissions at parse time — before evaluating any if: conditions — so the entire workflow is rejected even though upload: false means upload_pypi never actually runs.

Fix

Add permissions: id-token: write to the test-wheels-build job in build-test.yml. This satisfies GitHub's static validation while keeping the runtime behaviour unchanged — upload_pypi is still skipped via if: inputs.upload.

Verification

Tested on PR #770 by temporarily applying this change; the Test wheels building jobs transitioned from immediate parse-time failure to successful completion across all platforms (linux, linux-aarch64, macos-arm, macos-x86, windows).
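The caller/reusable-workflow relationship that the PR description above and the follow-up commit message (#824) describe, as an added illustration that is not the project's own workflow files. The file, job and input names (build-test.yml, lib-build-and-push.yml, lib-build.yml, build-push.yml, test-wheels-build, upload_pypi, upload) are taken from this page; the step contents, the workflow paths, and the shape of the publish job in build-push.yml are assumptions. Each YAML document (separated by `---`) stands for one file: the first pair shows the state #820 fixed by raising the job's cap, the second pair shows the follow-up layout in which no pull_request job ever carries id-token: write.

```yaml
# Added illustration, not the project's real workflow files. Step contents,
# paths and the build-push.yml publish job are assumptions.

# ---- build-test.yml (caller): runs on pull_request, where GITHUB_TOKEN ----
# ---- gets id-token: none unless a job asks for it.                     ----
name: Test wheels building
on:
  pull_request:

permissions:
  contents: read            # workflow-wide floor for every job below

jobs:
  test-wheels-build:
    # #820's fix: raise the cap for this one job so the reusable workflow's
    # upload_pypi job (which declares id-token: write) passes GitHub's
    # parse-time validation. A job-level permissions block replaces the
    # inherited set, so contents: read must be repeated or it becomes none.
    permissions:
      contents: read
      id-token: write
    uses: ./.github/workflows/lib-build-and-push.yml   # path assumed
    with:
      upload: false         # upload_pypi is skipped at run time...

---
# ---- lib-build-and-push.yml (reusable workflow, before the follow-up) ----
name: Build and push
on:
  workflow_call:
    inputs:
      upload:
        type: boolean
        default: false

jobs:
  build-wheels:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip wheel . -w dist/          # step assumed

  upload_pypi:
    if: inputs.upload       # ...but the if: is not consulted when permissions
    needs: build-wheels     # are validated, so every caller must grant this:
    runs-on: ubuntu-latest
    permissions:
      id-token: write       # OIDC token for PyPI Trusted Publishing
    steps:
      - uses: pypa/gh-action-pypi-publish@release/v1

---
# ---- lib-build.yml (reusable workflow after the follow-up, #824) ----
# No publishing job, no upload input, no permissions block: a pull_request
# caller can use it with the default id-token: none.
name: Build
on:
  workflow_call:

jobs:
  build-wheels:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: python -m pip wheel . -w dist/          # step assumed
      - uses: actions/upload-artifact@v4
        with:
          name: wheels
          path: dist/

---
# ---- build-push.yml (publishing caller, shape assumed) ----
# Only the job that actually publishes holds id-token: write.
name: Build and publish
on:
  push:
    tags: ['*']

permissions:
  contents: read

jobs:
  build:
    uses: ./.github/workflows/lib-build.yml   # path assumed

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: wheels
          path: dist/
      - uses: pypa/gh-action-pypi-publish@release/v1
```

Two checks worth doing when applying either layout: a called workflow can only be handed permissions the caller job already has, so compare every `permissions:` block in the reusable file against the weakest caller (here a pull_request trigger); and, because a job-level `permissions:` block sets every scope it does not list to none, confirm `contents: read` is still present wherever the called workflow checks out the repository. The effective GITHUB_TOKEN scopes for a job are printed under "GITHUB_TOKEN Permissions" in that job's "Set up job" log, which is the quickest way to confirm a pull_request job is not carrying id-token: write.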