fix(ci): grant permissions to reusable workflow calls

[andreatgretel]

📋 Summary

The permissions: {} added in #517 (CI supply chain hardening) restricts all jobs to zero permissions by default. The build-notebooks jobs in build-docs and pack-tutorials call the reusable build-notebooks.yml workflow but didn't override this, so GitHub Actions refused to start them (startup_failure). This broke the v0.5.7 release docs build and tutorial packing.

🔗 Related Issue

Fixes the v0.5.7 release Build docs and Pack tutorials startup failures.

🔄 Changes

• Add permissions: { actions: read, contents: write } to the build-notebooks reusable workflow job in build-docs.yml and pack-tutorials.yml
• These match the permissions the called workflow's job (build-notebooks.yml) already declares

🧪 Testing

• make test passes — N/A, CI-only change
• Unit tests added/updated — N/A, no testable logic
• E2E tests added/updated — will validate by triggering a workflow_dispatch of Build docs from the PR branch after merge

✅ Checklist

• Follows commit message conventions
• Commits are signed off (DCO)
• Architecture docs updated — N/A

[github-actions]

Code Review: PR #561

fix(ci): grant permissions to reusable workflow calls in build-docs and pack-tutorials

Author: @andreatgretel | Base: main | +6 / -0 across 2 files

---

Summary

This PR fixes a CI regression introduced by #517 (supply chain hardening), which set top-level permissions: {} on the build-docs and pack-tutorials workflows. That blanket restriction zeroed out permissions for all jobs, including the build-notebooks job that calls the reusable build-notebooks.yml workflow. GitHub Actions requires the caller to grant at least the permissions the called workflow's jobs need; without this override the jobs failed with startup_failure, breaking the v0.5.7 release docs build and tutorial packing.

The fix adds explicit permissions: { actions: read, contents: write } to the build-notebooks caller job in both workflows.

Findings

Correctness

• Permissions match the called workflow. build-notebooks.yml declares permissions: { actions: read, contents: write } on its build job (line 22-24). The caller-side permissions added here are identical — this is the minimum required set, following the principle of least privilege.
• Placement is correct. The permissions block is placed at the job level (under the uses: key), which is the correct location for overriding top-level permissions: {} on reusable workflow calls.
• No over-granting. Only actions: read and contents: write are granted — no broader scopes like write-all or unnecessary permissions.

Consistency

• Matches existing patterns. The deploy job in build-docs.yml (line 27-28) and the zip-and-upload job in pack-tutorials.yml (line 20-21) already declare job-level permissions. This PR follows the same pattern.

Potential Concerns

• None identified. This is a minimal, targeted fix that addresses a clear regression with no side effects.

Nits

• None. The YAML formatting is consistent with the rest of the workflow files.

Verdict

Approve. This is a clean, minimal fix for a CI regression. The granted permissions are the exact minimum required by the called workflow, the placement is correct per GitHub Actions semantics, and the change follows the existing patterns in these workflow files. No issues found.

[greptile-apps]

Greptile Summary

This PR fixes startup_failure errors in the build-notebooks reusable workflow calls within build-docs.yml and pack-tutorials.yml by granting permissions: { actions: read, contents: write } at the job level — precisely matching what build-notebooks.yml's own build job already declares. The fix is minimal, correct, and directly addresses the regression introduced by the permissions: {} supply-chain hardening in #517.

Confidence Score: 5/5

Safe to merge — targeted two-line fix per file, no logic changes.

The granted permissions (actions: read, contents: write) are an exact mirror of what build-notebooks.yml's build job already declares, following least-privilege at the caller level. No logic, secrets handling, or other workflows are affected.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/build-docs.yml	Adds permissions: { actions: read, contents: write } to the build-notebooks reusable workflow call, exactly matching the permissions the called workflow's job already declares.
.github/workflows/pack-tutorials.yml	Adds permissions: { actions: read, contents: write } to the build-notebooks reusable workflow call — same fix applied symmetrically.

Sequence Diagram

sequenceDiagram
    participant Trigger as Release / workflow_dispatch
    participant BD as build-docs.yml
    participant PT as pack-tutorials.yml
    participant BN as build-notebooks.yml (reusable)

    Trigger->>BD: fires
    Note over BD: permissions: {}  (top-level)
    BD->>BN: uses: build-notebooks.yml<br/>permissions: {actions: read, contents: write}
    Note over BN: job build:<br/>permissions: {actions: read, contents: write}
    BN-->>BD: artifact: notebooks
    BD->>BD: deploy job (contents: write)

    Trigger->>PT: fires
    Note over PT: permissions: {}  (top-level)
    PT->>BN: uses: build-notebooks.yml<br/>permissions: {actions: read, contents: write}
    BN-->>PT: artifact: notebooks
    PT->>PT: zip-and-upload (contents: write)

Loading

_{Reviews (2): Last reviewed commit: "Merge branch 'main' into andreatgretel/f..." | Re-trigger Greptile}