
bug: Write access permission overwritten by step.env #722

Description

@fuguesoft

Specs

[x] Operating System: NixOS 26.05
[x] Desktop Environment: niriWM
[x] Terminal Emulator: foot
[x] Shell: fish 4.6.0
[x] Software Version: v9

Description

Unable to set env without somehow overwriting all permissions in script. I've
attached different script versions below along with the errors they generate.

Steps to reproduce

  1. Add an env section to a step that uses with.script
  2. Observe that the workflow loses access to the repo contents even with global
    write access set

Expected behavior

I should be able to add the ${{ github.ref_name }} in my step.env and
reference it in my env.script. Instead, somehow global write permissions are
lost.

Screenshots

Logs

Config/Environment

Error:

Unhandled error: SyntaxError: Unexpected number

Code:

name: Publish Resume PDF as Release Asset

run-name: Publish Resume PDF as Release Asset

permissions:
  actions: write
  contents: write

on:
  push:
    tags:
      - 'v*.*'

jobs: 
  Generate-Publish-PDF:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v7
      - name: install dependencies
        run: |
          sudo apt update
          sudo apt install texlive texlive-latex-extra pandoc
      - name: generate tag
        run: |
          echo "tag=$(date +%F)-0" >> "$GITHUB_ENV"
      - name: push tag
        uses: actions/github-script@v9
        with:
          script: |
            const version = ${{ github.ref_name }}
            const ver = version.replace('.', '-')
            github.rest.git.createRef({
              owner: context.repo.owner,
              repo: context.repo.repo,
              ref: `refs/tags/release-${ver}`,
              sha: context.sha
            })
      - name: generate pdf
        run: |
          pandoc README.md --variable colorlinks=true -o Test-Resume.pdf
      - name: publish release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release create $version Test-Resume.pdf
          for draft in $(gh release list --limit 999 | grep -i draft | cut -f 1); do \
            gh release delete $draft; \
          done

Error:

Unhandled error: HttpError: Resource not accessible by integration - https://docs.github.com/rest/git/refs#create-a-reference

Code:

name: Publish Resume PDF as Release Asset

run-name: Publish Resume PDF as Release Asset

permissions:
  actions: write
  contents: write

on:
  push:
    # branches:
    #   - main
    tags:
      - 'v*.*'

jobs: 
  Generate-Publish-PDF:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v7
      - name: install dependencies
        run: |
          sudo apt update
          sudo apt install texlive texlive-latex-extra pandoc
      - name: generate tag
        run: |
          echo "tag=$(date +%F)-0" >> "$GITHUB_ENV"
      - name: push tag
        uses: actions/github-script@v9
        env:
          VERSION: ${{ github.ref_name }}
        with:
          script: |
            const version = process.env.VERSION
            github.rest.git.createRef({
              owner: context.repo.owner,
              repo: context.repo.repo,
              ref: `refs/tags/release-${version}`,
              sha: context.sha
            })
      - name: generate pdf
        run: |
          pandoc README.md --variable colorlinks=true -o Test-Resume.pdf
      - name: publish release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release create $version Test-Resume.pdf
          for draft in $(gh release list --limit 999 | grep -i draft | cut -f 1); do \
            gh release delete $draft; \
          done

Error:

Invalid workflow file: .github/workflows/original.yml#L1
(Line: 31, Col: 9): Unexpected value 'permissions'

Code:

name: Publish Resume PDF as Release Asset

run-name: Publish Resume PDF as Release Asset

permissions:
  actions: write
  contents: write

on:
  push:
    # branches:
    #   - main
    tags:
      - 'v*.*'

jobs: 
  Generate-Publish-PDF:
    runs-on: ubuntu-latest
    steps:
      - name: checkout
        uses: actions/checkout@v7
      - name: install dependencies
        run: |
          sudo apt update
          sudo apt install texlive texlive-latex-extra pandoc
      - name: generate tag
        run: |
          echo "tag=$(date +%F)-0" >> "$GITHUB_ENV"
      - name: push tag
        uses: actions/github-script@v9
        permissions:
          actions: write
          contents: write
        env:
          VERSION: ${{ github.ref_name }}
        with:
          script: |
            const version = process.env.VERSION
            github.rest.git.createRef({
              owner: context.repo.owner,
              repo: context.repo.repo,
              ref: `refs/tags/release-${version}`,
              sha: context.sha
            })
      - name: generate pdf
        run: |
          pandoc README.md --variable colorlinks=true -o Test-Resume.pdf
      - name: publish release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh release create $version Test-Resume.pdf
          for draft in $(gh release list --limit 999 | grep -i draft | cut -f 1); do \
            gh release delete $draft; \
          done
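Editor's note, with an added example that is not code from the issue or from actions/github-script. The first workflow version above fails because `${{ github.ref_name }}` inside `script:` is expanded as raw text by the Actions runner before Node parses the script: a tag `v1.0` becomes the source `const version = v1.0`, which is the "Unexpected number" SyntaxError. The same mechanism means a ref name is executed as code, not treated as data, so any name that reaches that position is a script-injection vector. Passing the value through the step's `env:` block and reading `process.env.VERSION`, as the second version does, keeps it a string. The snippet below models both paths with a stub `process` object; `SAMPLE_REFS`, the `evidence` array and `releaseRef` are constructed for the demonstration and are not part of the issue.

```javascript
// Added example: models how the `script:` input of actions/github-script
// reaches Node. A `${{ ... }}` expression is substituted as raw text before
// the script is compiled, so a tag name becomes JavaScript source. Reading
// the value from `env` instead keeps it data. Not the action's own code.

// Constructed sample ref names. The second is a hypothetical tag name that
// someone with push access could create; it is not taken from the issue.
const SAMPLE_REFS = {
  tag: 'v1.0',
  hostile: '0; evidence.push("injected code ran"); //',
};

// Unsafe: mirrors the first workflow version,
//   script: |
//     const version = ${{ github.ref_name }}
// The runner pastes the ref name in verbatim, exactly as this function does.
function buildInlineScript(refName) {
  return `const version = ${refName}\nreturn version;`;
}

// Safe: mirrors the corrected pattern,
//   env:
//     VERSION: ${{ github.ref_name }}
//   with:
//     script: const version = process.env.VERSION
// The script text is a constant; the ref name only ever arrives via env.
const ENV_SCRIPT = 'const version = process.env.VERSION\nreturn version;';

// Compile and run a script body the way github-script's wrapper would, but
// with a stub `process` and an `evidence` array that records side effects.
// Returns {ok, result|error, evidence} so callers can inspect what happened.
function runScript(source, env) {
  const evidence = [];
  try {
    const fn = new Function('process', 'evidence', source); // compile step
    const result = fn({ env }, evidence);                   // run step
    return { ok: true, result, evidence };
  } catch (err) {
    return { ok: false, error: `${err.name}: ${err.message}`, evidence };
  }
}

// Inline interpolation: the ref name is part of the program text.
function demoInline(refName) {
  return runScript(buildInlineScript(refName), {});
}

// Env passing: the program text never changes; the ref name is an input.
function demoEnv(refName) {
  return runScript(ENV_SCRIPT, { VERSION: refName });
}

// Tag derivation for the issue's `push tag` step. A global replacement
// handles `v1.2.3`, whereas String.replace with a string pattern only
// replaces the first dot.
function releaseRef(version) {
  return `refs/tags/release-${version.replace(/\./g, '-')}`;
}

// Stand-alone run: show each path's outcome for both sample ref names.
for (const [label, ref] of Object.entries(SAMPLE_REFS)) {
  console.log(`inline ${label}:`, JSON.stringify(demoInline(ref)));
  console.log(`env    ${label}:`, JSON.stringify(demoEnv(ref)));
}
console.log('release ref for v1.2.3:', releaseRef('v1.2.3'));
```

On the workflow side, two facts worth keeping in mind when reading the three versions: `permissions` is accepted at the workflow level and at the job level (`jobs.<job_id>.permissions`) but not on an individual step, which is what the "Unexpected value 'permissions'" error in the third version reports; and the `env:` block on a step is the supported way to hand a workflow expression to the script, as the github-script README documents. The run above also shows that, with inline interpolation, a crafted ref name executes with whatever `github` client and token the script has, which is the injection the `env` pattern prevents.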
