fix[ci]: add id-token:write to cpp-tests-classification.yml #2100
Merged
The `test-cpp` job in `cpp-tests-classification.yml` calls `setup-aws-prebuild` (which assumes an AWS IAM role via OIDC) and `setup-vcpkg` (which configures the S3-backed vcpkg binary cache via `VCPKG_BINARY_SOURCES=x-aws,s3://...`). Both actions require GitHub to issue an OIDC token for the job, which only happens when the job (or its workflow) declares `id-token: write`.

The workflow's top-level `permissions` block only has `contents: read`. Without `id-token: write`, `aws-actions/configure-aws-credentials` cannot exchange a GitHub OIDC token for AWS credentials, so every `test-cpp` matrix leg fails immediately with:

```
Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers
```

This bug was hidden until now because the label-gate that was added in #2087 was missing from the original addon PR (#1727), so the `cpp-tests` job had always been skipped on PRs.

Fix: add a job-level `permissions` block with `id-token: write` on the `test-cpp` job. This matches the existing pattern in `cpp-test-coverage-tts-ggml.yml`, which has the same AWS OIDC requirement and declares the permission identically.

Other cpp-tests workflows (embed, llm, diffusion) are not affected: they bootstrap vcpkg directly from GitHub and do not use the S3 binary cache, so they have no OIDC dependency.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
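An added sketch of the permission layout the description refers to, with an early check that the job can request an OIDC token; it is not the repository's workflow file or the PR's diff. The trigger, runner, role ARN and region are placeholders, and `aws-actions/configure-aws-credentials` is called directly in place of the repository's `setup-aws-prebuild` action.

```yaml
# Added illustration; not the contents of cpp-tests-classification.yml.
name: cpp-tests-classification (sketch)

on:
  pull_request:   # assumed trigger

# Workflow-level default as described above: with only this block,
# no OIDC token is issued to any job.
permissions:
  contents: read

jobs:
  test-cpp:
    runs-on: ubuntu-latest   # assumed runner
    # A job-level permissions block replaces the workflow-level one for
    # this job; the two are not merged. Scopes not listed here become
    # "none", so contents: read is restated to keep checkout working.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4

      # Fail early with a clear message if the runner was not given the
      # OIDC request endpoint. GitHub sets this variable only when the
      # job holds id-token: write.
      - name: Check that an OIDC token can be requested
        run: |
          if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
            echo "::error::id-token: write is not granted to this job"
            exit 1
          fi

      # Stands in for the repository's setup-aws-prebuild action.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111122223333:role/EXAMPLE-ROLE  # placeholder
          aws-region: us-east-1                                        # placeholder
```

Scoping `id-token: write` to the one job that assumes the role, rather than to the whole workflow, keeps the other jobs unable to mint OIDC tokens.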
kartiksain approved these changes May 18, 2026
Alok-Ranjan23 approved these changes May 18, 2026
olyasir approved these changes May 18, 2026
Proletter pushed a commit that referenced this pull request May 24, 2026