
fix: Add packages: write permission to publish workflow#7207

Merged: BYK merged 1 commit into main from fix/add-packages-write-permission, Feb 18, 2026

Conversation


@BYK BYK commented Feb 18, 2026

Summary

  • Add packages: write to the workflow-level permissions block in publish.yml

Problem

Commit 0269363 added explicit least-privilege permissions blocks to all workflow files (fixing CodeQL alerts). The publish.yml block was set to contents: read + issues: write, but packages: write was omitted.

When an explicit permissions block is declared, GitHub treats it as a strict allowlist — secrets.GITHUB_TOKEN loses any permissions not listed. This caused Docker pushes to ghcr.io to fail:

denied: installation not allowed to Write organization package

The secrets.GITHUB_TOKEN (passed as DOCKER_GHCR_IO_PASSWORD) is the only token that can authenticate to ghcr.io, so it must carry packages: write.

Fix

Add packages: write to the permissions block. No changes to Craft or any other files needed.

Fixes https://github.com/getsentry/publish/actions/runs/22119619739 and https://github.com/getsentry/publish/actions/runs/22119618913

@BYK BYK marked this pull request as ready for review February 18, 2026 21:15
@BYK BYK requested a review from a team as a code owner February 18, 2026 21:15
@BYK BYK merged commit 253d6b8 into main Feb 18, 2026
6 checks passed
@BYK BYK deleted the fix/add-packages-write-permission branch February 18, 2026 21:15