Summary
The pr-checks.yml orchestrator workflow fails with startup_failure because it lacks a permissions: block required for calling reusable workflows.
Severity: Critical (blocks all PR validation)
Problem
When reusable workflows are called via uses: ./.github/workflows/xxx.yml, they can only access permissions explicitly granted by the calling workflow. Currently pr-checks.yml has no permissions: block, so all permissions default to none.
Error message:
"The nested job 'validate' is requesting 'actions: read, issues: write, pull-requests: write, id-token: write', but is only allowed 'actions: none, issues: none, pull-requests: none, id-token: none'."
Affected Workflows
The following reusable workflows require permissions:
| Workflow | Permissions Needed |
|---|---|
| component-validation.yml | contents: read, pull-requests: write, issues: write, id-token: write, actions: read |
| version-check.yml | contents: read, id-token: write |
| claude-pr-review.yml | contents: read, pull-requests: write, issues: write, id-token: write, actions: read |
Solution
Add a permissions: block to pr-checks.yml with the union of all required permissions:
```yaml
permissions:
  contents: read
  pull-requests: write
  issues: write
  id-token: write
  actions: read
```
Location
- File: .github/workflows/pr-checks.yml
- Line: after the concurrency: block (around line 12)
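As an added illustration (not the repository's actual files), the following shows how the corrected orchestrator and one of the called workflows fit together: the top-level grant in pr-checks.yml is the union from the table above, and the nested validate job in component-validation.yml is the one whose request the error message quotes. Job ids, the concurrency group, the checkout step and the aggregator's shell check are assumptions. It goes one step beyond the issue by giving the aggregator job an empty permissions map, since that job never needs the token.

```yaml
# .github/workflows/pr-checks.yml  (illustrative reconstruction, not the project's file)
name: PR Checks

on:
  pull_request:

concurrency:                       # assumed group name
  group: pr-checks-${{ github.ref }}
  cancel-in-progress: true

# The fix: a top-level grant that is the union of everything the called
# workflows declare. With no permissions: block here every scope defaults
# to none, and each nested job that asks for more fails at startup.
permissions:
  contents: read
  pull-requests: write
  issues: write
  id-token: write
  actions: read

jobs:
  # Job ids below are assumptions; each calls a reusable workflow and can
  # only pass on scopes that were granted above.
  component-validation:
    uses: ./.github/workflows/component-validation.yml

  version-check:
    uses: ./.github/workflows/version-check.yml

  claude-pr-review:
    uses: ./.github/workflows/claude-pr-review.yml

  all-checks-pass:
    needs: [component-validation, version-check, claude-pr-review]
    if: always()                   # run even when a dependency failed, so status is always reported
    runs-on: ubuntu-latest
    permissions: {}                # this job never touches the API: drop every scope
    steps:
      - name: Fail unless every upstream job succeeded
        run: |
          test "${{ needs.component-validation.result }}" = "success"
          test "${{ needs.version-check.result }}" = "success"
          test "${{ needs.claude-pr-review.result }}" = "success"

---
# .github/workflows/component-validation.yml  (illustrative; only the permissions-relevant part)
name: Component Validation

on:
  workflow_call:

jobs:
  validate:
    runs-on: ubuntu-latest
    # This is the request the error message quotes: the nested job asks for
    # these scopes, and the run fails at startup if the caller granted less.
    permissions:
      contents: read
      pull-requests: write
      issues: write
      id-token: write
      actions: read
    steps:
      - uses: actions/checkout@v4
```

A top-level union is the simplest fix and matches the issue. If you prefer to keep each grant as narrow as possible, the same permissions: map can instead be placed on each calling job (for example only contents: read and id-token: write on version-check), because a job that uses: a reusable workflow passes on whatever that job itself was granted.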
Acceptance Criteria
- permissions: block added to pr-checks.yml
- All reusable workflow calls succeed
- All Checks Pass job runs and reports status
Related
- Introduced in: 95c87cf
- Discovered via: fix(agent-development): correct SKILL.md description to third-person format #34