fix: update permissions for welcome workflow to avoid 403 error #181

aniketpati1121 · 2025-11-25T17:07:31Z

This PR fixes the 403 "Resource not accessible by integration" error
in the "Welcome new contributors" workflow.

Changes:

Updated contents permission from read to write
Ensured pull_requests and issues have proper write access

This allows the actions/first-interaction action to successfully post
welcome comments on new issues and PRs.

fixes #179

Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com>

coveralls · 2025-11-25T17:10:50Z

Pull Request Test Coverage Report for Build 19715244518

Details

0 of 0 changed or added relevant lines in 0 files are covered.
No unchanged relevant lines lost coverage.
Overall coverage remained the same at 66.578%

Totals
Change from base Build 19671581001:	0.0%
Covered Lines:	2504
Relevant Lines:	3761

💛 - Coveralls

andreyvelich · 2025-11-25T17:59:30Z

.github/workflows/welcome-new-contributors.yaml

+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write


Thanks @aniketpati1121!
I think @kramaranya originally tried to use PR target, but it doesn't work: #82

Did we miss the contents: write permission?

Thanks @aniketpati1121! I think @kramaranya originally tried to use PR target, but it doesn't work: #82

Did we miss the contents: write permission?

Thanks @andreyvelich! Yes, we added contents: write permission and updated the workflow to use pull_request_target, so it should now successfully post comments on new PRs and issues.

Do you need to remove the permission at the Workflow level (e.g. L11-L13)?

We are only using job-level permissions under welcome job, so no workflow-level permissions are set. This should be sufficient for the action to post comments successfully.

SGTM, can you remove these lines in your PR:

sdk/.github/workflows/welcome-new-contributors.yaml

Lines 11 to 14 in 8672d5f

permissions:

issues: write

pull-requests: write

?

Hm, that might work. I'm thinking whether we should just add contents: write at the workflow level instead and keep other permissions there as well? Similar to https://github.com/HugoBlox/hugo-blox-builder/blob/0ef515fbaeeda95259fa77e817b4538e84bf6a9e/.github/workflows/community-welcome.yml#L12-L15 and https://github.com/actions/first-interaction/blob/main/README.md?plain=1#L39-L41

Please let me know if anything else is needed.

@aniketpati1121 Can you move contents: write to the workflow level permission (e.g. L40)?

@aniketpati1121 Can you move contents: write to the workflow level permission (e.g. L40)?

Updated the workflow by moving contents: write to the workflow-level permissions

Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com>

andreyvelich · 2025-11-26T19:38:27Z

Thanks @aniketpati1121!
/lgtm
/approve

google-oss-prow · 2025-11-26T19:38:34Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: andreyvelich

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [andreyvelich]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

…flow#181) * fix: update permissions for welcome workflow to avoid 403 errors Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com> * fix: remove unnecessary permissions, keep only contents: write Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com> * fix: move contents: write to workflow-level permissions Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com> * fix: replace pull_request with pull_request_target Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com> --------- Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com>

fix: update permissions for welcome workflow to avoid 403 errors

1ebf6f3

Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com>

google-oss-prow bot requested review from kramaranya and szaher November 25, 2025 17:07

google-oss-prow bot added the size/XS label Nov 25, 2025

Merge branch 'main' into chore/fix-welcome-workflow

8672d5f

Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com>

andreyvelich reviewed Nov 25, 2025

View reviewed changes

aniketpati1121 added 3 commits November 25, 2025 23:49

fix: remove unnecessary permissions, keep only contents: write

3ae13ce

Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com>

fix: move contents: write to workflow-level permissions

41c31e2

Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com>

fix: replace pull_request with pull_request_target

0d56b62

Signed-off-by: Aniket Patil <aniketpatil2027@gmail.com>

google-oss-prow bot assigned andreyvelich Nov 26, 2025

google-oss-prow bot added the lgtm label Nov 26, 2025

google-oss-prow bot added the approved label Nov 26, 2025

google-oss-prow bot merged commit 53e744e into kubeflow:main Nov 26, 2025
13 of 14 checks passed

google-oss-prow bot added this to the v0.3 milestone Nov 26, 2025

fix: update permissions for welcome workflow to avoid 403 error #181

fix: update permissions for welcome workflow to avoid 403 error #181

Uh oh!

Conversation

aniketpati1121 commented Nov 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

coveralls commented Nov 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Pull Request Test Coverage Report for Build 19715244518

Details

💛 - Coveralls

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

kramaranya Nov 25, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

andreyvelich commented Nov 26, 2025

Uh oh!

google-oss-prow bot commented Nov 26, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

aniketpati1121 commented Nov 25, 2025 •

edited

Loading

coveralls commented Nov 25, 2025 •

edited

Loading

kramaranya Nov 25, 2025 •

edited

Loading