fix: add packages:write permission to reusable-docker workflow (#320)

sapientpants · claude · web-flow · commit 105d75e1343e · 2025-10-11T20:57:35.000Z
The v1.10.17 build failed when pushing multi-platform Docker images to GHCR with error: 'denied: installation not allowed to Create organization package' Root cause: reusable-docker.yml was missing packages:write permission needed to push to GHCR. While main.yml has this permission, reusable workflows require explicit permissions and do not inherit from callers. This fix adds packages:write to reusable-docker.yml permissions. The permission is only exercised when pushing to GHCR (multi-platform builds with save-artifact). PR builds remain unaffected (single-platform, no GHCR push). Fixes the failure in main workflow run #18434400565 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.changeset/add-packages-write-permission.md b/.changeset/add-packages-write-permission.md
@@ -0,0 +1,18 @@
+---
+'sonarqube-mcp-server': patch
+---
+
+Fix Docker image publishing by adding packages:write permission to workflows
+
+The v1.10.17 build failed when attempting to push multi-platform Docker images to GitHub Container Registry (GHCR) with error: "denied: installation not allowed to Create organization package"
+
+Root cause: The reusable-docker.yml workflow was missing the `packages: write` permission needed to push images to GHCR. While the main workflow had this permission, reusable workflows require explicit permissions and do not inherit from their callers.
+
+Additionally, the PR workflow calls reusable-docker.yml, so it must also grant the permission even though PR builds don't use it (they use single-platform without push).
+
+This fix adds `packages: write` to:
+
+- `.github/workflows/reusable-docker.yml` - Required to push multi-platform images to GHCR
+- `.github/workflows/pr.yml` - Required to call reusable-docker.yml (permission not used in practice)
+
+The permission is only exercised when the workflow actually pushes to GHCR (multi-platform builds with save-artifact=true). PR builds continue to use single-platform without pushing to GHCR.
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -22,10 +22,12 @@ concurrency:
 # contents: read - Read code for analysis
 # security-events: write - Upload security findings
 # actions: read - Access workflow artifacts
+# packages: write - Required by reusable-docker.yml (not used in PR builds)
 permissions:
   contents: read
   security-events: write
   actions: read
+  packages: write
 
 jobs:
   # =============================================================================
diff --git a/.github/workflows/reusable-docker.yml b/.github/workflows/reusable-docker.yml
@@ -56,6 +56,7 @@ on:
 permissions:
   contents: read # Read source code
   security-events: write # Upload Trivy scan results
+  packages: write # Push Docker images to GitHub Container Registry
 
 jobs:
   docker:
