
[ci] grants write permission to create branch in remote #11269

Open
chunhtai wants to merge 2 commits into flutter:main from chunhtai:add-write

Conversation

@chunhtai
Contributor

The branch release workflow failed with

Parsing package "packages/packages/go_router"...
  Creating new branch "go_router-23134404669-1"...
  Pushing branch go_router-23134404669-1 to remote origin...
Unhandled exception:
ProcessException: remote: Permission to flutter/packages.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/flutter/packages/': The requested URL returned error: 403
  Command: git push origin go_router-23134404669-1

https://github.com/flutter/packages/actions/runs/23134404669/job/67194648551

Pre-Review Checklist

If you need help, consider asking for advice on the #hackers-new channel on Discord.

Note: The Flutter team is currently trialing the use of Gemini Code Assist for GitHub. Comments from the gemini-code-assist bot should not be taken as authoritative feedback from the Flutter team. If you find its comments useful you can update your code accordingly, but if you are unsure or disagree with the feedback, please feel free to wait for a Flutter team member's review for guidance on which automated comments should be addressed.

Footnotes

  1. Regular contributors who have demonstrated familiarity with the repository guidelines only need to comment if the PR is not auto-exempted by repo tooling.

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@chunhtai chunhtai requested a review from stuartmorgan-g March 16, 2026 20:32
@chunhtai chunhtai added the CICD Run CI/CD label Mar 16, 2026
@stuartmorgan-g
Collaborator

stuartmorgan-g commented Mar 17, 2026

Giving the entire job full write permissions to the repo seems very risky. Can we refactor to have a specific step do nothing but create the branch, and give only that step write access?

/cc @jtmcdole for potential Infra input on access scoping.

@chunhtai chunhtai added CICD Run CI/CD and removed CICD Run CI/CD labels Mar 17, 2026
@chunhtai
Contributor Author

There isn't a good way to set granular permissions for each step unless we use a personal access token. The best we can do is to separate out different jobs and give different permissions to each job. However, each job will be a different run instance, and won't share the environment setup. This means the source code checkout and repo tool setup will have to be called for each job.

I separated out the branch creation and pull request creation into separate jobs to have slightly better permission control.

If we want anything better, we will need to set up a PAT, probably using the @fluttergithubbot.
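The job-scoped layout discussed in the two comments above, written out as an added illustration that is not the flutter/packages workflow from this PR: the top-level `permissions` key makes every job read-only by default, only the branch-creation job opts into `contents: write` (the permission the `git push` in the failing log needed), and the pull-request job runs on its own runner with `pull-requests: write`, which is why checkout is repeated. The workflow, job, step and branch names are assumptions for the example.

```yaml
# Added example (not the flutter/packages release workflow).
# Workflow, job, step and branch names are constructed for illustration.
name: release-branch-example

on:
  workflow_dispatch:

# Default for every job in this workflow: read-only token.
# A job must opt in explicitly to anything beyond this.
permissions:
  contents: read

jobs:
  create-branch:
    runs-on: ubuntu-latest
    # The only job allowed to push; it does nothing else.
    permissions:
      contents: write
    outputs:
      branch: ${{ steps.push.outputs.branch }}
    steps:
      - uses: actions/checkout@v4
      - name: Create and push the release branch
        id: push
        run: |
          # Constructed branch name; the real workflow derives its own.
          branch="example-release-${GITHUB_RUN_ID}"
          git switch -c "$branch"
          git push origin "$branch"
          echo "branch=$branch" >> "$GITHUB_OUTPUT"

  create-pull-request:
    runs-on: ubuntu-latest
    needs: create-branch
    # Separate runner: no shared workspace with create-branch,
    # so checkout and any tool setup must be repeated here.
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
      - name: Open the pull request for the new branch
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh pr create \
            --base main \
            --head "${{ needs.create-branch.outputs.branch }}" \
            --title "Example release branch" \
            --body "Opened by the scoped example workflow."
```

Two caveats worth knowing when reviewing a layout like this. A repository whose "Workflow permissions" setting leaves the default `GITHUB_TOKEN` read-only produces exactly the kind of 403 shown in the PR description until a job declares `contents: write`, so the per-job `permissions` block is the narrowest place to grant it. And a push or pull request made with the default `GITHUB_TOKEN` does not trigger further workflow runs; that, together with the lack of per-step scoping, is the usual reason a PAT or GitHub App token comes up in these discussions.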
