Control permissions does not allow adding workflow files

With excitement I read the latest addition to control the permissions granted to the GITHUB_TOKEN secret.

I do have a workflow that adds another workflow file to a repository. Up until now, I use a custom Personal Access Token with workflows permission in order to achieve that. I was hoping that this addition would allow me to get rid of this PAT by using the following permissions.

  actions: write
  contents: write

but it turns out it doesn’t work.

[remote rejected] temp-branch -> main (refusing to allow a GitHub App to create or update workflow `.github/workflows/runner-4.yml` without `workflows` permission)

error: failed to push some refs to ''

I wonder if this is expected behavior, given that I set actions to write or do I misinterpret this permission?

1 Like

Hi @stefanbuck! I believe this is expected behaviour for this permission. Changing these permissions allows you to scope how much you can interact with the API of the underlying GitHub App, but this app doesn’t have the scope required to update workflow files without the workflow permission, which isn’t currently configurable here. The actions permission currently allows you to interact with various aspects of workflows on your repository, but doesn’t allow you to update workflow files.

If you need your workflow to be able to create or modify workflow files then you’ll need to continue to use a PAT that has the workflow permision.

1 Like