
QVAC-16473 infra: fix startup_failure in on-pr-test-sdk.yml — add missing id-token permission#1704

Merged
lauripiisang merged 1 commit into main from fix/on-pr-test-sdk-permissions on Apr 22, 2026

Conversation

@lauripiisang

Contributor

🎯 What problem does this PR solve?

  • on-pr-test-sdk.yml fails with startup_failure every time it triggers — no jobs run at all
  • Error: "The nested job 'android-tests' is requesting 'id-token: write', but is only allowed 'id-token: none'" (same for ios-tests)
  • Root cause: caller workflow permissions are the ceiling for all nested reusable workflows. test-sdk.yml android/ios jobs need id-token: write for AWS OIDC, but on-pr-test-sdk.yml didn't grant it.

📝 How does it solve it?

  • Adds id-token: write to the top-level permissions block in on-pr-test-sdk.yml
  • Verified this is the only missing permission across the full chain: on-pr-test-sdk.yml -> test-sdk.yml -> test-{desktop,android,ios}-sdk.yml

🧪 How was it tested?

Nested android/ios jobs in test-sdk.yml require id-token:write for AWS
OIDC credential exchange. The caller workflow permissions are the
ceiling for all nested reusable workflows — without this, GitHub
rejects the entire workflow chain at startup with startup_failure.
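The rule the description relies on (the caller workflow's permissions block is the ceiling for every nested reusable workflow, and any scope a block does not list is `none`) can be checked mechanically. The following is an added example, not tooling from this repository: the workflow chain and its permission blocks are constructed to mirror the PR description, since the real file contents are not on this page.

```python
# Added example: model GitHub's "caller permissions are the ceiling" rule for
# reusable workflows and find jobs that request more than the chain grants.
# CHAIN is a constructed stand-in for on-pr-test-sdk.yml -> test-sdk.yml ->
# test-{desktop,android,ios}-sdk.yml; it is not the project's real config.
import copy

RANK = {"none": 0, "read": 1, "write": 2}

CHAIN = {
    # Top-level caller before the fix: explicit block, so id-token defaults to none.
    "on-pr-test-sdk.yml": {"permissions": {"contents": "read"},
                           "jobs": {"test-sdk": {"uses": "test-sdk.yml"}}},
    "test-sdk.yml": {"jobs": {
        "desktop-tests": {"uses": "test-desktop-sdk.yml"},
        # android/ios need id-token: write for the AWS OIDC exchange.
        "android-tests": {"uses": "test-android-sdk.yml",
                          "permissions": {"id-token": "write", "contents": "read"}},
        "ios-tests": {"uses": "test-ios-sdk.yml",
                      "permissions": {"id-token": "write", "contents": "read"}}}},
    "test-desktop-sdk.yml": {"jobs": {"run": {}}},
    "test-android-sdk.yml": {"jobs": {"run": {"permissions": {"id-token": "write"}}}},
    "test-ios-sdk.yml": {"jobs": {"run": {"permissions": {"id-token": "write"}}}},
}

def effective(ceiling, scope):
    """An explicit permissions block grants 'none' for every scope it omits."""
    return ceiling.get(scope, "none")

def check_chain(workflows, caller, ceiling=None, path=()):
    """Walk caller -> nested reusable workflows; return human-readable violations."""
    wf = workflows[caller]
    if ceiling is None:                      # top-level: its own block is the ceiling
        ceiling = wf.get("permissions", {})
    violations = []
    for job_name, job in wf.get("jobs", {}).items():
        requested = job.get("permissions", {})
        where = "/".join(path + (caller, job_name))
        for scope, level in requested.items():
            allowed = effective(ceiling, scope)
            if RANK[level] > RANK[allowed]:
                violations.append(f"{where} requests {scope}: {level}, "
                                  f"but the caller ceiling is {scope}: {allowed}")
        if job.get("uses"):                  # job-level block (if any) bounds the callee
            violations += check_chain(workflows, job["uses"],
                                      requested or ceiling, path + (caller, job_name))
    return violations

def with_fix(workflows):
    """Apply the PR's change: grant id-token: write in the top-level block."""
    fixed = copy.deepcopy(workflows)
    fixed["on-pr-test-sdk.yml"]["permissions"]["id-token"] = "write"
    return fixed

if __name__ == "__main__":
    for label, chain in (("before fix", CHAIN), ("after fix", with_fix(CHAIN))):
        problems = check_chain(chain, "on-pr-test-sdk.yml")
        print(f"{label}: {len(problems)} violation(s)", *problems, sep="\n  ")
```

Before the fix the checker reports exactly the two jobs GitHub named (android-tests and ios-tests); after adding `id-token: write` at the top level it reports none, which is the "only missing permission across the full chain" claim made above.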
@lauripiisang lauripiisang requested review from a team as code owners April 22, 2026 11:13
@github-actions

github-actions Bot commented Apr 22, 2026

Contributor

Tier-based Approval Status

**PR Tier:** TIER1

**Current Status:** ✅ APPROVED

**Requirements:**
- 1 Team Member approval ✅ (1/1)
- 1 Team Lead OR Management approval ✅ (1/1)



---
*This comment is automatically updated when reviews change.*

@lauripiisang lauripiisang merged commit 4f96d02 into main Apr 22, 2026
11 of 12 checks passed
@lauripiisang lauripiisang deleted the fix/on-pr-test-sdk-permissions branch April 22, 2026 11:37
@NamelsKing NamelsKing added the safe-to-test Reviewer has verified safety of packages & github actions in this PR label Apr 22, 2026
Proletter pushed a commit that referenced this pull request May 24, 2026
Nested android/ios jobs in test-sdk.yml require id-token:write for AWS
OIDC credential exchange. The caller workflow permissions are the
ceiling for all nested reusable workflows — without this, GitHub
rejects the entire workflow chain at startup with startup_failure.

Labels

safe-to-test (Reviewer has verified safety of packages & github actions in this PR), tier1
