From 8ddfffbe819b5d52a21972f07a919b316ede699b Mon Sep 17 00:00:00 2001
From: Daniel Martin <56157528+dmartinochoa@users.noreply.github.com>
Date: Tue, 19 May 2026 16:41:01 +0200
Subject: [PATCH] ci: grant security-events: write so the dogfood SARIF upload works

The dogfood step (commit 5ee4cd0) runs dmartinochoa/pipeline-check against this repo's own .github/workflows/, then hands the resulting SARIF to github/codeql-action/upload-sarif so findings land on the repo's Security tab. The upload needs security-events: write on the GITHUB_TOKEN, but ci.yml was workflow-scoped to contents: read.

PR-event runs degrade gracefully (GitHub strips write tokens from fork PRs anyway, so the action no-ops with a warning), which is why this didn't trip on the release/1.0.0 PR matrix. The first push: main trigger after that PR merged tried to upload for real and bailed with "Resource not accessible by integration". CI on 0effd7e went red as a result; the publish.yml run on v1.0.0 was unaffected (separate workflow, separate trigger, separate permission block).

Workflow-level scope mirrors what codeql.yml already declares. No single step in this job writes anything else; tightening to a per-job permissions block would just duplicate the same two lines for no defence-in-depth gain.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/ci.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4fc4e44..03c3a28 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,6 +14,11 @@ on: permissions: contents: read + # The dogfood step's SARIF upload (github/codeql-action/upload-sarif) + # writes findings to the repo's Security tab. PR triggers degrade + # gracefully without this (GitHub strips write tokens for forks), so + # the gap only surfaced on the first push: main run. + security-events: write jobs: check:
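Review bot: the new `security-events: write` is added to the workflow-level `permissions:` block (the one that also holds `contents: read`), so every job in ci.yml, the visible `check` job today and any job added later, receives a token that can write to the Security tab, not only the step that calls `github/codeql-action/upload-sarif`. Since the message itself notes that no other step needs a write, the least-privilege shape is to keep `contents: read` at workflow level and declare `permissions:` with `contents: read` and `security-events: write` on the job that runs the dogfood upload, so a future job does not inherit the write scope silently; the comment block being added could move with it. If workflow-level scope is kept to mirror codeql.yml, it would help to say so in the YAML comment, since the "no other step writes" argument lives only in the commit message and will not be visible to the next person editing the file.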