Workflows vs actions: which permission is correct?

I want to have a workflow in my repository that periodically updates other workflows in the repository on a semi-weekly basis, so I’m trying to use job control permissions for GITHUB_TOKEN.

I have a MWE here: Actions · zkamvar/cautious-octo-chainsaw · GitHub

I first tried to use actions: write because that was documented in the blog post, but when I do that, I get an error message saying that I need the workflow permission:

! [remote rejected] HEAD -> update-workflow-2021-05-04-00-49 (refusing to allow a GitHub App to create or update workflow `.github/workflows/remove-branch.yaml` without `workflows` permission)

I then tried to use the workflows: write permission and then I get a new error that says the workflow is not valid because workflows is not a recognized permissions value.

The workflow is not valid. 

github/workflows/update.yml (Line: 18, Col: 7): Unexpected value 'workflows'

How can I write a workflow that has permissions to make pull requests updating other workflows?


The permissions block for the GITHUB_TOKEN allows you to set the GitHub App permissions for the token. The actions permission only grants you some permissions for accessing Actions APIs, but not access to updating workflow files. This is to prevent cases of Actions triggering an infinite loop.

If you want to create a workflow that can update workflow files then you’ll need to provide a Personal Access Token as a secret that grants the workflow scope and use that in place of the provided token.

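A workflow that follows the answer above (a PAT with the `workflow` scope stored as a secret and used in place of `GITHUB_TOKEN`), added here as an illustration and not taken from the original thread or the linked repository. The secret name `WORKFLOW_UPDATER_PAT`, the cron schedule, the `sed` update step and the branch naming are assumptions.

```yaml
name: Update workflows (scheduled)

on:
  schedule:
    # Assumed schedule: Monday and Thursday at 03:00 UTC.
    - cron: "0 3 * * 1,4"
  workflow_dispatch:

# Keep GITHUB_TOKEN itself minimal. No value in this block grants the
# right to push files under .github/workflows; that comes only from the
# PAT referenced in the steps below.
permissions:
  contents: read

jobs:
  update-workflows:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # WORKFLOW_UPDATER_PAT (assumed name) holds a Personal Access Token
          # with the "workflow" scope (classic PAT) or, for a fine-grained
          # PAT, Contents: write and Workflows: write, limited to this repo.
          # Store it as a repository or environment secret, never in the file.
          token: ${{ secrets.WORKFLOW_UPDATER_PAT }}

      - name: Regenerate workflow files
        # Placeholder for the real update logic; here it only bumps a
        # pinned action version across the workflow files.
        run: |
          sed -i 's#actions/checkout@v3#actions/checkout@v4#' .github/workflows/*.yml

      - name: Open a pull request with the changes
        uses: peter-evans/create-pull-request@v6
        with:
          # The same PAT is used to push the branch and open the PR.
          # Unlike GITHUB_TOKEN, events created with a PAT DO trigger other
          # workflows, so this workflow must not itself run on pull_request
          # or it can recreate the loop the GITHUB_TOKEN restriction prevents.
          token: ${{ secrets.WORKFLOW_UPDATER_PAT }}
          branch: update-workflow-${{ github.run_id }}
          commit-message: "ci: update workflow files"
          title: "ci: scheduled workflow update"
          body: "Automated update of workflow files."
```

Because the PAT can modify workflow definitions, treat it as a high-value credential: scope it to the single repository, give it the shortest expiry the schedule allows, and review the resulting pull requests rather than auto-merging them.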