Copilot commented on code in PR #50047:
URL: https://github.com/apache/arrow/pull/50047#discussion_r3337402106
##########
.github/workflows/cpp_windows.yml:
##########
@@ -34,6 +34,7 @@ on:
type: string
permissions:
+ actions: read
contents: read
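Review bot: `actions: read` at the top of a reusable workflow is an upper bound, not a grant; a called workflow receives the caller's token and can only downgrade it, so every workflow that calls cpp_windows.yml must itself grant `actions: read` or the scope is silently dropped. A one-line comment next to `actions: read` naming the step that needs it would also keep a later least-privilege pass from removing it.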
Review Comment:
This reusable workflow includes a `stash/save` step, but the workflow token
is restricted to `actions: read`. Cache save requires `actions: write`;
otherwise cache updates on `main` will fail (currently masked by
`continue-on-error`).
##########
.github/workflows/cpp.yml:
##########
@@ -63,6 +63,7 @@ concurrency:
cancel-in-progress: true
permissions:
+ actions: read
contents: read
Review Comment:
`stash/save` steps later in this workflow will not be able to write/update
caches if the workflow token is restricted to `actions: read`. With the current
permissions, cache saves on `main` will fail (and are masked by
`continue-on-error`), preventing the intended ccache / Docker volume cache
refresh.
##########
.github/workflows/cpp_extra.yml:
##########
@@ -541,6 +576,8 @@ jobs:
contains(fromJSON(needs.check-labels.outputs.ci-extra-labels || '[]'),
'CI: Extra: C++')
timeout-minutes: 240
permissions:
+ actions: read
+ contents: read
packages: write
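Review bot: adding `actions: read` and `contents: read` to this job-level block is required, not redundant with the workflow-level block: a job-level `permissions:` replaces the workflow-level one entirely rather than merging with it, so before this change the job's token had only `packages: write` and no `contents` scope at all. A short comment saying so would stop someone "deduplicating" these two lines against the workflow-level block later.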
Review Comment:
This job includes a `stash/save` step for ccache, but the job permissions
restrict the token to `actions: read`. Cache save requires `actions: write`;
without it, the save will fail and the cache won't be updated.
##########
.github/workflows/cpp_extra.yml:
##########
@@ -204,6 +211,8 @@ jobs:
contains(fromJSON(needs.check-labels.outputs.ci-extra-labels || '[]'),
'CI: Extra: C++')
timeout-minutes: 240
permissions:
+ actions: read
+ contents: read
# This is for using GitHub Packages for vcpkg cache
packages: write
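Review bot: the existing comment documents why `packages: write` is here, but the new `actions: read` line gets no rationale; extend the comment to name the step that needs it, since a job-level `permissions:` block replaces the workflow-level one and these scopes cannot be recovered by deleting the block.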
Review Comment:
This job runs `stash/save` to persist Docker volumes on `main`, but the job
permissions restrict the token to `actions: read`. Cache save requires
`actions: write`; otherwise the save will fail and caches will never be
refreshed.
##########
.github/workflows/cpp_extra.yml:
##########
@@ -169,6 +168,14 @@ jobs:
done
fi
archery docker run ${{ matrix.run-options || '' }} ${{ matrix.image
}}
+ - name: Save Docker Volumes
+ if: ${{ !cancelled() && github.ref == 'refs/heads/main' }}
+ continue-on-error: true
+ uses:
apache/infrastructure-actions/stash/save@0ba14156c9f4c3cfbe4b0c9f36339ab0f8d81e53
+ with:
+ path: .docker
+ key: extra-${{ matrix.image }}
+ include-hidden-files: true
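Review bot: `continue-on-error: true` on this save step means a broken save (wrong `path`, a token scope problem, an upload failure) never fails the run on `main`, so the Docker volume cache can rot without anyone noticing. If the step must not block the job, give it an `id:` and add a following step that checks `steps.<id>.outcome` and emits a warning; otherwise drop `continue-on-error` and let `main` go red. Pinning to a full commit SHA is the right call, but please add a version comment after the hash (`# vX.Y.Z`) so reviewers and update tooling can tell what it points at.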
Review Comment:
`stash/save` here will run only on `main`, but the workflow-level
permissions are set to `actions: read` (see `permissions:` near the top of this
file). That prevents cache writes, so this save step will fail and Docker
volume caches won't ever be refreshed unless `actions: write` is granted at the
workflow or job level.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]