
fix(ci): fix upstream-sync workflow failure#80

Merged
MaxRink merged 2 commits into
mainfrom
fix/upstream-sync-workflow-permissions
May 21, 2026

Conversation

@MaxRink
Collaborator

@MaxRink MaxRink commented Apr 14, 2026

Summary

The upstream-sync workflow has been failing since 2026-04-01 on every scheduled and push-triggered run.

Root Cause

The upstream repo (k8snetworkplumbingwg/whereabouts) periodically modifies its own CI workflow files (e.g. .github/workflows/image-build.yml). When the sync workflow merges those changes and tries to push the sync branch, GitHub rejects it:

! [remote rejected] upstream-sync/2026-04-12 -> upstream-sync/2026-04-12
  (refusing to allow a GitHub App to create or update workflow
   `.github/workflows/image-build.yml` without `workflows` permission)

Why 'workflows: write' in the permissions block didn't help:
GITHUB_TOKEN is a GitHub App installation token. GitHub does not grant workflows write scope to GITHUB_TOKEN regardless of what the workflow declares — this is a platform-level security restriction. The permission was silently ignored.

Evidence from run 24300654813 (scheduled, 10s duration):

  • Checkout succeeded ✓
  • Upstream fetch succeeded ✓
  • 2 commits ahead detected ✓
  • Merge succeeded (with conflict in .github/workflows/image-build.yml)
  • Push rejected with the error above ✗

The 0-second push-triggered failures (runs 24415883030, 24415865745, etc.) were phantom runs from GitHub's internal workflow-file change tracking — they immediately fail with 0 jobs because they were triggered by a push containing workflow file changes.

Fix

After the upstream merge (clean or conflicting), restore the fork's own .github/workflows/ directory from origin/main before pushing. This ensures the sync branch never contains upstream workflow changes, avoiding the push rejection.

  • Upstream CI changes are excluded from the sync PR with a note in the PR body
  • Maintainers must manually review upstream workflow diffs and apply relevant changes
  • The ineffective 'workflows: write' permission declaration is removed

Testing

  • YAML syntax validated: python3 -c "import yaml; yaml.safe_load(open('.github/workflows/upstream-sync.yml'))"
  • No Go source files changed — go build ./... passes ✓
  • Only .github/workflows/upstream-sync.yml modified
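The restore step the PR description lays out, written up as a stand-alone script; this is an added example, not the fork's upstream-sync.yml. It assumes git is on PATH, that the upstream merge has already landed on HEAD of the sync branch, that the repository path and the fork's reference ref (origin/main in the PR) are passed as arguments, and that a git identity is configured for the commit. It also reports which workflow files were dropped, so the PR body can carry the note the description mentions.

```bash
#!/usr/bin/env bash
# Added example: after merging upstream into the sync branch, throw away any
# changes under .github/workflows/ by restoring the fork's own copy from the
# reference ref, so the push is not rejected for lack of 'workflows' scope.
set -eu

WORKFLOW_DIR=".github/workflows"

# Lists workflow files that differ between HEAD (post-merge) and the reference.
# One path per line; empty output means upstream touched no workflow files.
excluded_workflow_files() {
  local repo="$1" ref="$2"
  git -C "$repo" diff --name-only "$ref" HEAD -- "$WORKFLOW_DIR"
}

# Restores the workflow directory from the reference ref and commits the result.
# Returns 0 and prints the list of excluded files when something was restored,
# 1 when the sync branch already matched the reference for that directory.
restore_fork_workflows() {
  local repo="$1" ref="$2" files
  files="$(excluded_workflow_files "$repo" "$ref")"
  [ -n "$files" ] || return 1
  # Remove the directory first so that files added only upstream disappear too;
  # 'git checkout <ref> -- <dir>' alone would leave them in the working tree.
  git -C "$repo" rm -r -q --ignore-unmatch -- "$WORKFLOW_DIR"
  git -C "$repo" checkout -q "$ref" -- "$WORKFLOW_DIR"
  # Commit only the workflow directory so unrelated upstream changes stay as merged.
  git -C "$repo" commit -q \
    -m "ci: restore fork workflows, exclude upstream CI changes" -- "$WORKFLOW_DIR"
  printf '%s\n' "$files"
}

# Builds the note for the sync PR body from the list printed above
# (hypothetical wording, not the PR's own template).
pr_body_note() {
  local files="$1"
  if [ -z "$files" ]; then
    printf 'No upstream workflow changes were excluded.\n'
    return
  fi
  printf 'Upstream workflow changes were excluded because GITHUB_TOKEN cannot push\n'
  printf 'workflow files; review and apply them manually if relevant:\n'
  printf -- '- %s\n' $files
}
```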

…tion

GITHUB_TOKEN cannot push .github/workflows/ changes regardless of the
'workflows: write' permission declaration — GitHub enforces this because
the token is a GitHub App installation token without the 'workflows' scope.

The upstream k8snetworkplumbingwg/whereabouts repo periodically modifies its
own CI workflows (e.g. image-build.yml), and the sync branch containing those
changes is rejected at push time with:
  'refusing to allow a GitHub App to create or update workflow without workflows permission'

Fix: after the upstream merge (clean or conflicting), restore the fork's own
.github/workflows/ directory from origin/main so the sync branch never includes
upstream workflow file changes. Also removes the ineffective 'workflows: write'
permission which was silently ignored by GitHub.

Fixes: upstream-sync run failures since 2026-04-01

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
Copilot AI review requested due to automatic review settings April 14, 2026 23:09

Copilot AI left a comment


Pull request overview

Fixes the fork’s upstream-sync GitHub Actions workflow so it can successfully push sync branches even when upstream changes .github/workflows/*, which GitHub rejects for GITHUB_TOKEN pushes.

Changes:

  • Removes the ineffective 'workflows: write' permission from the workflow.
  • After merging upstream, restores .github/workflows/ from origin/main (clean merge and conflict-merge paths) to prevent push rejection.
  • Updates PR body generation to note when upstream workflow changes were excluded from the sync PR.

…nflict body when only workflow files conflicted
@MaxRink MaxRink merged commit b70b9d4 into main May 21, 2026
30 checks passed