Error when using workflow: ”The nested job 'genmatrix' is requesting 'pull-requests: read'“

### Module version(s) affected

^1.9

### Description

I have used the workflow as described with default setup pointing to tag “v1”, both in a new repository and in an older one (both containing Silverstripe modules):

- https://github.com/martinheise/silverstripe-download-codes
- https://github.com/martinheise/silverstripe-responsiveimages

For both I get an error message now when running the CI workflow related to permission (details see below).

As the older repository used to work this way without code changes in the meantime, I tried several configurations using different tags – it seems the issue appears with branch 1.9, while 1.8. still runs fine.


### How to reproduce

Setup a basic CI workflow as described on https://github.com/silverstripe/gha-ci/ in some repository:

```
name: CI

on:
  push:
  pull_request:
  workflow_dispatch:

jobs:
  ci:
    name: CI
    uses: silverstripe/gha-ci/.github/workflows/ci.yml@v1
```
and trigger the CI action manually or by pushing a branch.

The action aborts with error message:

> The workflow is not valid. .github/workflows/ci.yml (Line: 9, Col: 3): Error calling workflow 'silverstripe/gha-ci/.github/workflows/ci.yml@v1'. The nested job 'genmatrix' is requesting 'pull-requests: read', but is only allowed 'pull-requests: none'. .github/workflows/ci.yml (Line: 9, Col: 3): Error calling workflow 'silverstripe/gha-ci/.github/workflows/ci.yml@v1'. The nested job 'patchrelease' is requesting 'contents: write', but is only allowed 'contents: read'.

Changing the referenced tag/branch for the included job to e.g.:
```
silverstripe/gha-ci/.github/workflows/ci.yml@1.8
```

Using branch 1.8 here still works and the job runs successfully, new branches 1.9, 1.10, 1.11, 1.12 fail with the same message.


### Possible Solution

I’m not sure if this about wrong permission inside gha-ci module, or if some different setup in the repository using it is required because of some change – in the latter case just the documentation would need enhancement.

### Additional Context

Thanks for checking!

### Validations

- [X] Check that there isn't already an issue that reports the same bug
- [X] Double check that your reproduction steps work in a fresh installation of [`silverstripe/installer`](https://github.com/silverstripe/silverstripe-installer) (with any code examples you've provided)

## Notes
- See https://github.com/silverstripe/gha-ci/pull/138#issuecomment-2254720726 - we're opting to split the patch tagging as its own workflow, so we can have `contents:read` instead of `contents:write` in the ci.yml workflow.

## PRs
- https://github.com/silverstripe/gha-tag-release/pull/25
- https://github.com/silverstripe/module-standardiser/pull/66

## After merging, reassign to Guy so they can do these steps
- [x] Set default branch for `gha-tag-release` to `2`
- [x] Manually tag `2.0.0` of `gha-tag-release`
- [x] Manually tag `v2` of `gha-tag-release`
- [x] Run module standardiser against the next-patch branch

## Next set of PRs

> [!IMPORTANT]
> DO NOT merge these until the PRs above are merged, and the steps above are complete.

- https://github.com/bringyourownideas/silverstripe-maintenance/pull/232
- https://github.com/bringyourownideas/silverstripe-composer-update-checker/pull/92
- https://github.com/colymba/GridFieldBulkEditingTools/pull/298
- https://github.com/silverstripe/cwp-agencyextensions/pull/129
- https://github.com/silverstripe/cwp-starter-theme/pull/259
- https://github.com/silverstripe/cwp-watea-theme/pull/195
- https://github.com/silverstripe/developer-docs/pull/548
- https://github.com/silverstripe/silverstripe-elemental/pull/1227
- https://github.com/dnadesign/silverstripe-elemental-userforms/pull/96
- https://github.com/silverstripe/silverstripe-admin/pull/1803
- https://github.com/silverstripe/silverstripe-asset-admin/pull/1478
- https://github.com/silverstripe/silverstripe-assets/pull/623
- https://github.com/silverstripe/silverstripe-auditor/pull/87
- https://github.com/silverstripe/silverstripe-blog/pull/771
- https://github.com/silverstripe/silverstripe-campaign-admin/pull/317
- https://github.com/silverstripe/silverstripe-cms/pull/2979
- https://github.com/silverstripe/silverstripe-config/pull/119
- https://github.com/silverstripe/silverstripe-contentreview/pull/246
- https://github.com/silverstripe/silverstripe-documentconverter/pull/91
- https://github.com/silverstripe/silverstripe-elemental-bannerblock/pull/157
- https://github.com/silverstripe/silverstripe-elemental-fileblock/pull/58
- https://github.com/silverstripe/silverstripe-environmentcheck/pull/109
- https://github.com/silverstripe/silverstripe-errorpage/pull/114
- https://github.com/silverstripe/silverstripe-externallinks/pull/137
- https://github.com/silverstripe/silverstripe-framework/pull/11317
- https://github.com/silverstripe/silverstripe-graphql/pull/595
- https://github.com/silverstripe/silverstripe-gridfieldqueuedexport/pull/117
- https://github.com/silverstripe/silverstripe-hybridsessions/pull/110
- https://github.com/silverstripe/silverstripe-iframe/pull/92
- https://github.com/silverstripe/silverstripe-installer/pull/376
- https://github.com/silverstripe/silverstripe-ldap/pull/85
- https://github.com/silverstripe/silverstripe-linkfield/pull/311
- https://github.com/silverstripe/silverstripe-lumberjack/pull/162
- https://github.com/silverstripe/silverstripe-mimevalidator/pull/81
- https://github.com/silverstripe/silverstripe-realme/pull/152
- https://github.com/silverstripe/silverstripe-session-manager/pull/206
- https://github.com/silverstripe/recipe-authoring-tools/pull/39
- https://github.com/silverstripe/recipe-blog/pull/56
- https://github.com/silverstripe/recipe-cms/pull/89
- https://github.com/silverstripe/recipe-collaboration/pull/35
- https://github.com/silverstripe/recipe-content-blocks/pull/45
- https://github.com/silverstripe/recipe-core/pull/98
- https://github.com/silverstripe/recipe-form-building/pull/38
- https://github.com/silverstripe/recipe-plugin/pull/45
- https://github.com/silverstripe/recipe-reporting-tools/pull/47
- https://github.com/silverstripe/recipe-services/pull/38
- https://github.com/silverstripe/recipe-kitchen-sink/pull/68
- https://github.com/silverstripe/silverstripe-registry/pull/102
- https://github.com/silverstripe/silverstripe-reports/pull/190
- https://github.com/silverstripe/silverstripe-restfulserver/pull/131
- https://github.com/silverstripe/silverstripe-securityreport/pull/85
- https://github.com/silverstripe/silverstripe-segment-field/pull/119
- https://github.com/silverstripe/silverstripe-sharedraftcontent/pull/246
- https://github.com/silverstripe/silverstripe-siteconfig/pull/170
- https://github.com/silverstripe/silverstripe-sitewidecontent-report/pull/100
- https://github.com/silverstripe/silverstripe-spamprotection/pull/122
- https://github.com/silverstripe/silverstripe-staticpublishqueue/pull/198
- https://github.com/silverstripe/silverstripe-subsites/pull/585
- https://github.com/silverstripe/silverstripe-tagfield/pull/300
- https://github.com/silverstripe/silverstripe-taxonomy/pull/120
- https://github.com/silverstripe/silverstripe-textextraction/pull/99
- https://github.com/silverstripe/silverstripe-userforms/pull/1310
- https://github.com/silverstripe/vendor-plugin/pull/80
- https://github.com/silverstripe/silverstripe-versioned/pull/457
- https://github.com/silverstripe/silverstripe-versioned-admin/pull/355
- https://github.com/silverstripe/silverstripe-versionfeed/pull/116
- https://github.com/silverstripe/silverstripe-simple/pull/86
- https://github.com/symbiote/silverstripe-advancedworkflow/pull/542
- https://github.com/symbiote/silverstripe-gridfieldextensions/pull/409
- https://github.com/symbiote/silverstripe-multivaluefield/pull/115
- https://github.com/symbiote/silverstripe-queuedjobs/pull/438
- https://github.com/tractorcow-farm/silverstripe-fluent/pull/868
- https://github.com/silverstripe/silverstripe-mfa/pull/554
- https://github.com/silverstripe/silverstripe-totp-authenticator/pull/168
- https://github.com/silverstripe/silverstripe-webauthn-authenticator/pull/192
- https://github.com/silverstripe/silverstripe-login-forms/pull/192
- https://github.com/silverstripe/silverstripe-dynamodb/pull/68
- https://github.com/silverstripe/gha-ci/pull/142
- https://github.com/silverstripe/recipe-testing/pull/23
- https://github.com/silverstripe/silverstripe-behat-extension/pull/278
- https://github.com/silverstripe/cow/pull/259
- https://github.com/silverstripe/module-standardiser/pull/67
- https://github.com/silverstripe/silverstripe-tx-translator/pull/33
- https://github.com/silverstripe/markdown-php-codesniffer/pull/11
- https://github.com/silverstripe/silverstripe-standards/pull/10
- https://github.com/silverstripe/documentation-lint/pull/8
- https://github.com/silverstripe/supported-modules/pull/39
- https://github.com/silverstripe/webpack-config/pull/77
- https://github.com/silverstripe/api.silverstripe.org/pull/120
- https://github.com/silverstripe/silverstripe-userhelp-content/pull/185
- https://github.com/silverstripe/gha-action-ci/pull/11
- https://github.com/silverstripe/gha-add-pr-to-project/pull/10
- https://github.com/silverstripe/gha-auto-tag/pull/21
- https://github.com/silverstripe/gha-dispatch-ci/pull/17
- https://github.com/silverstripe/gha-gauge-release/pull/12
- https://github.com/silverstripe/gha-generate-matrix/pull/100
- https://github.com/silverstripe/gha-issue/pull/13
- https://github.com/silverstripe/gha-keepalive/pull/15
- https://github.com/silverstripe/gha-merge-up/pull/41
- https://github.com/silverstripe/gha-pull-request/pull/15
- https://github.com/silverstripe/gha-run-tests/pull/34
- https://github.com/silverstripe/gha-tag-release/pull/26
- https://github.com/silverstripe/gha-trigger-ci/pull/9
- https://github.com/silverstripe/gha-update-js/pull/29
- https://github.com/silverstripe/gha-action-ci/pull/12
- https://github.com/silverstripe/gha-auto-tag/pull/22
- https://github.com/silverstripe/gha-ci/pull/143
- https://github.com/silverstripe/gha-dispatch-ci/pull/18
- https://github.com/silverstripe/gha-generate-matrix/pull/101
- https://github.com/silverstripe/gha-issue/pull/14
- https://github.com/silverstripe/gha-keepalive/pull/16
- https://github.com/silverstripe/gha-merge-up/pull/42
- https://github.com/silverstripe/gha-pull-request/pull/16
- https://github.com/silverstripe/gha-run-tests/pull/35
- https://github.com/silverstripe/gha-tag-release/pull/27
- https://github.com/silverstripe/gha-trigger-ci/pull/10
- https://github.com/silverstripe/gha-update-js/pull/30
- https://github.com/silverstripe/markdown-php-codesniffer/pull/12
- https://github.com/silverstripe/silverstripe-standards/pull/11
- https://github.com/silverstripe/documentation-lint/pull/9
- https://github.com/silverstripe/gha-ci/pull/139
- https://github.com/silverstripe/gha-action-ci/pull/10
- https://github.com/silverstripe/gha-auto-tag/pull/20
- https://github.com/silverstripe/supported-modules/pull/38
- https://github.com/silverstripe/module-standardiser/pull/68

After this set of PRs is merged, reassign to Guy to:
- [x] Tag new minor releases for the various affected gha repos
- [x] Redeploy [elvis](https://github.com/silverstripe/github-issue-search-client) so it picks up on the changes
- [x] Archive gha-gauge-release

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Error when using workflow: ”The nested job 'genmatrix' is requesting 'pull-requests: read'“ #137

Module version(s) affected

Description

How to reproduce

Possible Solution

Additional Context

Validations

Notes

PRs

After merging, reassign to Guy so they can do these steps

Next set of PRs

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Error when using workflow: ”The nested job 'genmatrix' is requesting 'pull-requests: read'“ #137

Description

Module version(s) affected

Description

How to reproduce

Possible Solution

Additional Context

Validations

Notes

PRs

After merging, reassign to Guy so they can do these steps

Next set of PRs

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions