False positive for actions/missing-workflow-permissions on reusable workflow files

[Lawls91]

We are getting the actions/missing-workflow-permissions alert raised on reusable workflow files that only contain the "workflow_call" trigger.

Code samples or links to source code

name: "{REUSABLE WORKFLOW} workflow"
on:
  workflow_call:
    inputs:
      mode:
        required: true
        type: string

env:
  VERSION: '2025-06-23'

jobs:
  build:
    name: Build (${{ inputs.mode }})
    runs-on: self-hosted, windows
    timeout-minutes: 360

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          clean: true
          fetch-depth: ${{ inputs.mode == 'ci' && '0' || '1' }}

URL to the alert on GitHub code scanning (optional)

https://github.com/github/codeql/blob/7a4b88fadc4d18e7b1d1194bd002c6dbab24a4f4/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql

Alert:

reusable workflow triggers:

[jketema]

Hi @Lawls91,

The case you're describing is explicitly excluded by the query. So there must be more going on in your case. Do all the calling workflows set permissions?

[Lawls91]

Hi @Lawls91,

The case you're describing is explicitly excluded by the query. So there must be more going on in your case. Do all the calling workflows set permissions?

Hey @jketema yeah there is only 1 calling workflow and it has permissions set:

Not sure if it makes a difference, but these are new files in a pull request (the workflow and the reusable workflow file)

[jketema]

Thanks for the additional info. I'm able to reproduce this now.

Not sure if it makes a difference, but these are new files in a pull request (the workflow and the reusable workflow file)

That shouldn't make a difference.

[jketema]

Fix here: #21636