[v3-2-test] Grant write permissions to scheduled CI upgrade check workflows (#65168) (#65176)

github-actions[bot] · potiuk · web-flow · commit ea2ae1c2223e · 2026-04-13T21:00:22.000+02:00
The scheduled upgrade check wrappers declared `contents: read`, which caps the permissions of the reusable `upgrade-check.yml` they call. That workflow needs `contents: write` and `pull-requests: write` to push the upgrade branch and open a draft PR, so every scheduled run failed immediately with startup_failure: The workflow is requesting 'contents: write, pull-requests: write', but is only allowed 'contents: read, pull-requests: none'. Raise the caller permissions to the ceiling required by the callee so the scheduled upgrade PR job can actually run. (cherry picked from commit 8291f37) Co-authored-by: Jarek Potiuk <jarek@potiuk.com>
diff --git a/.github/workflows/scheduled-upgrade-check-main.yml b/.github/workflows/scheduled-upgrade-check-main.yml
@@ -23,7 +23,8 @@ on:  # yamllint disable-line rule:truthy
     - cron: '0 6 * * 1,3,5'
   workflow_dispatch:
 permissions:
-  contents: read
+  contents: write
+  pull-requests: write
 jobs:
   upgrade-main:
     name: "[main] Upgrade"
diff --git a/.github/workflows/scheduled-upgrade-check-v3-2-test.yml b/.github/workflows/scheduled-upgrade-check-v3-2-test.yml
@@ -23,7 +23,8 @@ on:  # yamllint disable-line rule:truthy
     - cron: '0 6 * * 2,4'
   workflow_dispatch:
 permissions:
-  contents: read
+  contents: write
+  pull-requests: write
 jobs:
   upgrade-v3-2-test:
     name: "[v3-2-test] Upgrade"
