
I have a workflow on my repo that checks the upstream for updates every other day, and if the upstream has any updates, i.e., new commits, my workflow fetches them and rebases my repo with my changes on top.

The workflow worked fine until yesterday morning with no issues. All of a sudden, the workflow now fails to update my repo with an error stating that the workflows permission is missing. Full error below:

![remote rejected]    main -> main (refusing to allow a GitHub App to create or update workflow `.github/workflows/diffuse.yml` without `workflows` permission)

I understand that I need to give it the workflow permission, but I have a question: why is this error being thrown at me all of a sudden when I have neither created a GitHub App nor created a PAT, and it was working fine without these?

YAML Code:


      - name: Setup Git
        run: git config --global user.email "${{ secrets.EMAIL }}" && git config --global user.name username

      - name: Fetch from Upstream
        run: |
          git remote add upstream https://github.com/upstream-repo/repo.git
          git fetch upstream --tags
          
          # Some extra code here

          # Quote the variable so the test does not error out if it is unset
          if [ "$has_new_commits" == "true" ]; then
            git checkout main
            git rebase upstream/main || git diff
            git push -f origin main
            echo "Rebase successful!"
          else
            echo "ERROR: No commits to be synced!"
            exit 1
          fi

  build_app:
    needs: update_fork
    uses: ./.github/workflows/build.yml
    secrets: inherit

I did try checking the repo and the settings to see whether I had previously created an App for it by mistake. No, I have NEVER created any app for this or given it permission. At the repo level, every setting is as expected and intact.
I didn't even change the code in a way that could break it.

Did GitHub do any changes in their backend that broke my workflow? How can I get my workflow running again?

theycallmepix

1 Answer


The only very recent change (yesterday, June 16th 2023) regarding tokens is:

GitHub Actions – Securing OpenID Connect (OIDC) token permissions in reusable workflows (Jun. 2023)

For securely enabling OpenID Connect (OIDC) in your reusable workflows, we are now making the permissions more restrictive.

If you need to fetch an OIDC token generated within a reusable (called) workflow that is outside your enterprise/organization, then the permissions setting for id-token should now be explicitly set to write at the caller workflow level or in the specific job that calls the reusable workflow.

permissions:
  id-token: write # This is required for requesting the JWT

This change would ensure that the OIDC token generated in the called workflow is allowed to be consumed in the caller workflows only when intended.

Learn more about permission settings to enable OIDC in your workflows

But I fail to see how it is related to your current error.

I myself reported the last policy change, in Sept. 2022, that was relevant to this kind of error.

Your error was reported here, as you must have seen: a PAT with the workflow permission, used in the token field of actions/checkout, should be enough for your action to work.
Nothing in GitHub Status would explain this change, though.

As noted by the OP in the comments

I fetched the latest update to my local again and started to inspect for diffuse.yml which is a file that never existed before and I believe, it is failing because of that.

That diffuse.yml file was added by the upstream to monitor the file size changes and I now need to wait until they push another update to see whether that fixed that issue (I removed the file as I don't need it on my fork).

The addition of a GitHub workflow file would indeed explain why this permission level is now required.

VonC

  • I too don't understand why this change affected me, since I'm not using any kind of token to update the repo. However, I accidentally came across my previous question that was raised in Jan of this year: https://stackoverflow.com/questions/75155070/cannot-force-push-to-main-branch-using-github-actions which had previously solved my issue, and that solution is failing today. – theycallmepix Jun 17 '23 at 14:36
  • @theycallmepix Strange indeed. And I do not see any [recent discussion on this](https://github.com/orgs/community/discussions?discussions_q=workflow). – VonC Jun 17 '23 at 14:41
  • I just tried giving write permission to actions and still that didn't help. Looks like they've made some specific change in the backend that is stopping me from running my commands. – theycallmepix Jun 17 '23 at 14:53
  • @theycallmepix I am frantically refreshing the [GitHub Incident page](https://www.githubstatus.com/history). So far, nothing... – VonC Jun 17 '23 at 14:57
  • The workflow started to fail yesterday morning at around 10 AM. But I think I found the issue, though I'm unsure how to test it as I updated my repo with the latest one. I fetched the latest update to my local again and started to inspect `diffuse.yml`, which is a file that never existed before, and I believe it is failing because of that. I removed the file and pushed it to my repo. I cannot revert back to the previous version since it will remove my changes and is destructive. – theycallmepix Jun 17 '23 at 15:08
  • @theycallmepix Good point. I have added your comment to the answer for more visibility. – VonC Jun 17 '23 at 15:11
  • Yeah, thanks for updating. That `diffuse.yml` file was added by the upstream to monitor file size changes, and I now need to wait until they push another update to see whether that fixed the issue (I removed the file as I don't need it on my fork). I'm currently running out of time to: save the top commit to a branch, reset to the previous release, put back my changes, push and run the workflow. I'll try to do it once I find some space, or wait for upstream to push an update... Thanks a lot for your help! – theycallmepix Jun 17 '23 at 15:17
  • @theycallmepix Good catch. Let me know if you make it work. I will update the answer accordingly. – VonC Jun 17 '23 at 15:26
  • Yes, that did work! So basically, I had 2 options: either remove the workflow file, since I don't need it, as I only build my modified version of the application, or add the `contents: write` permission to `diffuse.yml` to get the workflow working. – theycallmepix Jun 21 '23 at 05:13
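The following is an added example of a fork-sync workflow built around the fix the answer describes (a PAT with the `workflow` scope supplied as the checkout token); it is not the question's workflow, the answer's code, or anything from the upstream project. It assumes a repository secret named `SYNC_PAT` (a hypothetical name) that holds a PAT with the `repo` and `workflow` scopes, a placeholder bot identity and cron schedule, `actions/checkout@v4`, and the placeholder upstream URL from the question. It also adds a step the question's version lacks: listing any `.github/workflows/` files the upstream changed, so a rejection like the one above is explained in the job log before the push is attempted.

```yaml
# Added example, not the OP's or upstream's workflow.
# Assumptions: secret SYNC_PAT (hypothetical name) is a PAT with `repo` and
# `workflow` scopes; identity, cron and upstream URL are placeholders.
name: Sync fork with upstream

on:
  schedule:
    - cron: "0 6 */2 * *"   # every other day at 06:00 UTC (placeholder)
  workflow_dispatch:

# `workflows` is not a key that can appear here: the GITHUB_TOKEN permissions
# block cannot grant it, so this block alone does not let the job push a commit
# that adds or edits .github/workflows/*.yml. The PAT below is what does.
permissions:
  contents: write

jobs:
  update_fork:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0              # full history is required for the rebase
          # With the default GITHUB_TOKEN the push is rejected whenever the
          # upstream commits touch a workflow file; the PAT carries `workflow`.
          token: ${{ secrets.SYNC_PAT }}

      - name: Configure git identity (placeholder values)
        run: |
          git config user.name  "fork-sync-bot"
          git config user.email "fork-sync-bot@users.noreply.github.com"

      - name: Fetch upstream and detect new commits
        id: upstream
        run: |
          git remote add upstream https://github.com/upstream-repo/repo.git
          git fetch upstream --tags
          # Commits reachable from upstream/main that are not yet in main
          new=$(git rev-list --count main..upstream/main)
          echo "new_commits=$new" >> "$GITHUB_OUTPUT"
          # Make workflow-file changes visible in the log before pushing, since
          # those are the changes that need the `workflow` scope on the token.
          git diff --name-only main upstream/main -- .github/workflows/ \
            | sed 's/^/upstream changed workflow file: /'

      - name: Rebase and push
        if: steps.upstream.outputs.new_commits != '0'
        run: |
          git rebase upstream/main
          # Refuse to overwrite commits that landed on origin/main since checkout
          git push --force-with-lease origin main
```

`--force-with-lease` is used instead of the question's `push -f`: a rebase always needs a forced push, but the lease makes the job fail instead of silently discarding anything pushed to the fork's `main` while the job was running. If the upstream's workflow files are not wanted on the fork, dropping them in a commit on top of the rebase (as the OP did with `diffuse.yml`) still changes `.github/workflows/` and so still needs the PAT-backed token for the push.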