
needs/if should prevent errors about nested jobs violating permissions #4151

@jsoref

Description


```csharp
context.Error(workflowJob.Id, $"Error calling workflow '{workflowJob.Ref}'. The nested job '{embeddedJob.Id!.Value}' is requesting '{requestedStr}', but is only allowed '{allowedStr}'.");
```

https://github.com/check-spelling-sandbox/rancher-dashboard/actions/runs/20184527336/workflow

Workflow failure

Annotations

1 error
Invalid workflow file: .github/workflows/test-extension-workflows-release-2.8.yml#L63
The workflow is not valid. .github/workflows/test-extension-workflows-release-2.8.yml (Line: 63, Col: 3): Error calling workflow 'rancher/dashboard/.github/workflows/release-shell-pkg.yaml@release-2.8'. The nested job 'build' is requesting 'packages: write', but is only allowed 'packages: read'.


Repository authors will do this (this repository did it repeatedly) and there doesn't seem to be a good reason to demand authors get this right.

There doesn't appear to be any way to guard against this, as even `if:` doesn't help:

https://github.com/check-spelling-sandbox/rancher-dashboard/actions/runs/20199790260/workflow


Annotations

1 error
Invalid workflow file: .github/workflows/test-extension-workflows-release-2.9.yml#L64
The workflow is not valid. .github/workflows/test-extension-workflows-release-2.9.yml (Line: 64, Col: 3): Error calling workflow 'rancher/dashboard/.github/workflows/release-shell-pkg.yaml@release-2.9'. The nested job 'build' is requesting 'packages: write', but is only allowed 'packages: read'.
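To see the rule behind that error before pushing, here is an added pre-flight check (example code, not the actions/runner project's own) that compares a caller job's `permissions:` with each job of the reusable workflow it `uses:`. The workflow fragments are constructed dicts in the shape a YAML loader would produce; the `REF`, job names and permission values are assumptions shaped like the issue's scenario, not the real rancher/dashboard files.

```python
# Added example, not actions/runner code: a pre-flight check mirroring the rule
# behind the error quoted above. Workflow fragments are constructed dicts.
LEVELS = {"none": 0, "read": 1, "write": 2}
ALL_SCOPES = ("actions", "checks", "contents", "deployments", "id-token", "issues",
              "packages", "pages", "pull-requests", "security-events", "statuses")

def normalize(perms):
    """Expand a `permissions:` value to {scope: level}; unlisted scopes are 'none'."""
    if perms == "read-all":
        return {s: "read" for s in ALL_SCOPES}
    if perms == "write-all":
        return {s: "write" for s in ALL_SCOPES}
    return dict(perms or {})  # None (key absent) behaves like `{}`

def check_nested_job(workflow_ref, nested_job_id, allowed, requested):
    """Runner-style error if the nested job asks for more than the caller job
    grants, else None. An unset `requested` inherits and therefore passes."""
    allowed_map, requested_map = normalize(allowed), normalize(requested)
    too_high = [(s, lvl) for s, lvl in requested_map.items()
                if LEVELS[lvl] > LEVELS[allowed_map.get(s, "none")]]
    if not too_high:
        return None
    asked = ", ".join(f"{s}: {lvl}" for s, lvl in too_high)
    given = ", ".join(f"{s}: {allowed_map.get(s, 'none')}" for s, _ in too_high)
    return (f"Error calling workflow '{workflow_ref}'. The nested job "
            f"'{nested_job_id}' is requesting '{asked}', but is only allowed '{given}'.")

def check_caller(caller, called_workflows):
    """Check every `uses:` job; a job without `permissions:` falls back to the
    workflow-level block, and with neither set (repo default, unknown offline) is skipped."""
    errors = []
    for job in caller["jobs"].values():
        ref = job.get("uses")
        allowed = job.get("permissions", caller.get("permissions"))
        if not ref or allowed is None:
            continue
        for nested_id, nested in called_workflows[ref]["jobs"].items():
            err = check_nested_job(ref, nested_id, allowed, nested.get("permissions"))
            if err:
                errors.append(err)
    return errors

# Constructed scenario like the issue's: caller grants packages: read, nested
# 'build' asks for packages: write; `if:` cannot help, the check is at parse time.
REF = "example-org/example-repo/.github/workflows/release.yaml@main"
CALLED = {REF: {"jobs": {"build": {"permissions": {"packages": "write"}}}}}
CALLER = {"jobs": {"release": {"uses": REF, "if": "false",
                               "permissions": {"contents": "read", "packages": "read"}}}}
SAMPLE_ERRORS = check_caller(CALLER, CALLED)
```

Running it in CI against the checked-out reusable workflow would surface the mismatch as a lint failure rather than as an invalid-workflow annotation after push.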
