
fix(template-sync): grant caller job write so the run doesn't fail at startup#7

Merged
devantler merged 1 commit into
mainfrom
claude/ci-template-sync-permissions
Jun 1, 2026

Conversation

@devantler (Contributor)

🤖 Generated by the Daily AI Assistant

Problem

The weekly 🔄 Template Sync schedule fired for the first time today (2026-06-01, a Monday) and the run failed at startup (startup_failure, run 26741819812) rather than skipping on the template repo as intended.

Root cause: the caller declares top-level permissions: {}, but the reusable template-sync.yaml job it calls requires contents: write + pull-requests: write to open the sync PR. A reusable workflow cannot be granted more permissions than its caller, so the call fails the reusable-workflow permission check during workflow setup — which happens before the job-level if guard can skip it on the template repo.

This is not just template-repo noise: the identical failure occurs in every tenant, where if: github.repository != …template is true and the job is meant to actually run. As shipped, the template's core sync feature is dead-on-arrival for all tenants created from it.

Fix

Grant the caller's template-sync job the two write scopes the reusable workflow requires, keeping the least-privilege top-level permissions: {} for the rest of the workflow. This matches the reusable-workflows README's own update-agent-skills caller example, which sets job-level contents: write + pull-requests: write on the calling job.

```yaml
  template-sync:
    if: github.repository != 'devantler-tech/gitops-tenant-template'
    permissions:
      contents: write
      pull-requests: write
    uses: …/template-sync.yaml@… # v5.3.0
```

Validation

  • actionlint .github/workflows/template-sync.yaml → exit 0
  • YAML parses cleanly
  • Workflow-only change; no scaffold/manifest touched. On merge the next scheduled (or workflow_dispatch) run will correctly skip on the template repo (guarded if) instead of failing at startup, and the synced workflow will have the permissions it needs to run in tenants.

Note for tenants

Existing tenants (e.g. ascoachingogvaner, wedding-app) carry their own copy of this caller; they will pick up the corrected permissions on the next template sync once this lands, or can be patched directly with the same two-line permissions: block.
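As an added example that is not part of this PR or the project's own workflows, the three YAML documents below put the reusable workflow's declared job permissions beside the failing caller and the corrected caller, so the permission ceiling described in the Problem section can be read in one place. The reusable workflow's job body, the cron expression, the `OWNER/template-repo` name and the `OWNER/reusable-workflows/...@REF` path are placeholders and assumptions, not values taken from the project.

```yaml
# Added example, not project code. Three YAML documents in one stream.

# --- Called side: the reusable workflow's job states what it needs ---
# (assumed shape of a reusable-workflows/.github/workflows/template-sync.yaml)
on:
  workflow_call:
jobs:
  sync:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push the sync branch
      pull-requests: write   # open the sync PR
    steps:
      - run: echo "sync steps omitted in this example"

---
# --- Caller, BEFORE: the shape that produced startup_failure ---
on:
  schedule:
    - cron: "0 6 * * 1"      # constructed weekly schedule
  workflow_dispatch:
permissions: {}              # least privilege for the whole workflow...
jobs:
  template-sync:
    # never reached: the permission check runs during workflow setup,
    # before this job-level condition is evaluated
    if: github.repository != 'OWNER/template-repo'
    uses: OWNER/reusable-workflows/.github/workflows/template-sync.yaml@REF
    # ...so the called job's two write scopes exceed this job's (empty) ceiling

---
# --- Caller, AFTER: grant only on the job that calls the reusable workflow ---
on:
  schedule:
    - cron: "0 6 * * 1"      # constructed weekly schedule
  workflow_dispatch:
permissions: {}              # still nothing granted by default
jobs:
  template-sync:
    if: github.repository != 'OWNER/template-repo'
    permissions:             # job-level ceiling now covers what the callee declares
      contents: write
      pull-requests: write
    uses: OWNER/reusable-workflows/.github/workflows/template-sync.yaml@REF
```

The caller's job-level `permissions:` block is the ceiling the called workflow is checked against, so it is the only place that needs the two write scopes; any other job in the caller keeps the empty top-level grant. When adding a new `uses:` job to a caller that declares `permissions: {}`, compare the callee's job-level `permissions:` with the calling job's before the first scheduled run, since the failure surfaces at setup rather than in the job's own logs.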

… startup

The Template Sync workflow declares top-level `permissions: {}`, but the
reusable `template-sync.yaml` job it calls needs `contents: write` +
`pull-requests: write` to open the sync PR. A reusable workflow cannot be
granted more than its caller, so the call fails the reusable-workflow
permission check at startup — before the `if` guard can skip it on the
template repo, and identically in every tenant where the job is meant to run.
The weekly schedule fired for the first time on 2026-06-01 and surfaced this
as a `startup_failure`.

Grant the caller's `template-sync` job the two write scopes the reusable
workflow requires (matching the README's `update-agent-skills` caller
example), keeping the least-privilege top-level `permissions: {}` for the
rest of the workflow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 1, 2026 08:16

Copilot AI left a comment


Pull request overview

Fixes the scheduled Template Sync GitHub Actions workflow startup failure by granting the calling job the minimal write permissions required by the referenced reusable workflow, while keeping workflow-wide permissions disabled.

Changes:

  • Adds job-level permissions (contents: write, pull-requests: write) to the template-sync job so the reusable workflow can open PRs without failing at workflow setup time.
  • Documents why the permissions are required (reusable workflow permission ceiling vs. caller).


@devantler devantler marked this pull request as ready for review June 1, 2026 09:59
@devantler devantler merged commit 1b16f9c into main Jun 1, 2026
9 checks passed
@devantler devantler deleted the claude/ci-template-sync-permissions branch June 1, 2026 11:12