GitHub Actions "workflow is requesting ... but is only allowed" for a called workflow in CI
A called workflow's GITHUB_TOKEN permissions are capped by the caller. If the reusable workflow requests a scope the caller did not grant, the run fails with "is requesting X, but is only allowed Y".
What this error means
The run fails with "the workflow is requesting 'packages: write', but is only allowed 'packages: read'" (or similar) when a reusable workflow needs a broader scope than the caller grants.
The workflow is requesting 'packages: write', but is only allowed 'packages: read'.
The reusable workflow "./.github/workflows/publish.yml" cannot exceed the
permissions granted by the calling workflow.Common causes
The caller grants a narrower scope
The reusable workflow needs packages: write, but the caller's top-level or job-level permissions only grant packages: read. A callee cannot widen the token.
Default read-only permissions in the caller
When the caller relies on the default restricted token, any write scope the callee needs is denied.
How to fix it
Grant the scope in the caller
- Read which scope the reusable workflow requests.
- Add that scope to the calling job or the caller top-level permissions.
- Re-run so the callee token is granted the needed scope.
jobs:
publish:
permissions:
packages: write
contents: read
uses: ./.github/workflows/publish.ymlDeclare needed permissions in the callee too
The reusable workflow should also declare the permissions its jobs use, so the effective token is the intersection the caller allows.
# publish.yml
permissions:
packages: write
contents: readHow to prevent it
- Grant reusable-workflow scopes in the calling job permissions.
- Declare the permissions a reusable workflow needs in its own file.
- Remember the effective token is capped by the caller.