ci: grant security-events: write so the dogfood SARIF upload works#26

Merged
dmartinochoa merged 1 commit into
mainfrom
fix/ci-sarif-upload-permission
May 19, 2026
Conversation

@dmartinochoa
Member

Summary

Fixes the red CI on 0effd7e. The dogfood step's SARIF upload (github/codeql-action/upload-sarif) needs security-events: write; ci.yml was workflow-scoped to contents: read only.

The pipeline-check tool ran fine and the gate passed ([gate] PASS (7 effective finding(s) evaluated)). It's purely the upload-to-Security-tab step that errored:

Resource not accessible by integration

Why the PR for v1.0.0 was green

pull_request triggers on fork PRs run with read-only tokens — upload-sarif detects the missing scope and degrades silently. The release branch ran under that semantic and stayed green. The first real push: main trigger after the merge tried to upload for real and tripped.

Scope

Two lines at workflow level, mirroring what codeql.yml already grants:

permissions:
  contents: read
  security-events: write

No step in the CI job writes anything other than the SARIF upload; tightening to a per-job permissions block would just duplicate the same two lines for no defence-in-depth gain. publish.yml's permission model is independent and untouched.

Test plan

  • CI green on three-OS matrix
  • Dogfood step's "Upload SARIF" sub-step posts findings to the Security tab (visible on the post-merge push: main run)

🤖 Generated with Claude Code

The dogfood step (commit 5ee4cd0) runs dmartinochoa/pipeline-check
against this repo's own .github/workflows/, then hands the resulting
SARIF to github/codeql-action/upload-sarif so findings land on the
repo's Security tab. The upload needs security-events: write on the
GITHUB_TOKEN, but ci.yml was workflow-scoped to contents: read.

PR-event runs degrade gracefully (GitHub strips write tokens from
fork PRs anyway, so the action no-ops with a warning), which is why
this didn't trip on the release/1.0.0 PR matrix. The first push: main
trigger after that PR merged tried to upload for real and bailed with
"Resource not accessible by integration". CI on 0effd7e went red as a
result; the publish.yml run on v1.0.0 was unaffected (separate
workflow, separate trigger, separate permission block).

Workflow-level scope mirrors what codeql.yml already declares. No
single step in this job writes anything else; tightening to a per-job
permissions block would just duplicate the same two lines for no
defence-in-depth gain.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
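The failure mode described in the PR description and commit message above (a workflow-level `contents: read` block starving `upload-sarif` of `security-events: write`) can be caught before a push to main ever trips it. The following is an added example, not code from this repository or from pipeline-check: it checks each job that calls `github/codeql-action/upload-sarif` for an effective `security-events: write` scope. It assumes the workflow has already been parsed into a dict (in practice `yaml.safe_load` on `.github/workflows/ci.yml`); the two workflow dicts below are constructed to mirror the before/after shapes discussed in the PR.

```python
"""Flag jobs that call upload-sarif without security-events: write."""

# Constructed stand-in for the parsed ci.yml before the fix: workflow-scoped
# to contents: read only, exactly the shape that produced
# "Resource not accessible by integration" on the push: main run.
WORKFLOW_BEFORE = {
    "name": "ci",
    "on": {"push": {"branches": ["main"]}, "pull_request": {}},
    "permissions": {"contents": "read"},
    "jobs": {
        "ci": {
            "runs-on": "ubuntu-latest",
            "steps": [
                {"uses": "actions/checkout@v4"},
                {"run": "pipeline-check --sarif results.sarif .github/workflows/"},
                {"name": "Upload SARIF",
                 "uses": "github/codeql-action/upload-sarif@v3",
                 "with": {"sarif_file": "results.sarif"}},
            ],
        }
    },
}

# Same workflow with the two lines the PR adds at workflow level.
WORKFLOW_AFTER = {**WORKFLOW_BEFORE,
                  "permissions": {"contents": "read", "security-events": "write"}}

UPLOAD_ACTION = "github/codeql-action/upload-sarif"


def effective_permissions(workflow, job):
    """A job-level `permissions` block replaces the workflow-level one
    wholesale (unlisted scopes drop to none); otherwise the workflow-level
    block applies. No block at all means the repository default, which this
    check cannot see, so it is treated as not granting the scope."""
    perms = job.get("permissions", workflow.get("permissions"))
    if perms == "write-all":
        return {"security-events": "write"}  # shorthand; only scope we inspect
    if perms == "read-all":
        return {"security-events": "read"}
    return dict(perms or {})


def missing_sarif_scope(workflow):
    """Return ids of jobs that use upload-sarif but lack security-events: write.
    Note: on pull_request runs from forks GitHub hands out a read-only token
    regardless of these declarations, so a clean result here only proves the
    declared scopes are right, not that every trigger can upload."""
    bad = []
    for job_id, job in workflow.get("jobs", {}).items():
        uses_upload = any(str(step.get("uses", "")).startswith(UPLOAD_ACTION)
                          for step in job.get("steps", []))
        if uses_upload and effective_permissions(workflow, job).get("security-events") != "write":
            bad.append(job_id)
    return bad
```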
coderabbitai Bot commented May 19, 2026

Warning

Rate limit exceeded

@dmartinochoa has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 10 minutes and 33 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 71e717f6-6265-410f-9d87-f45de4ba59c4

📥 Commits

Reviewing files that changed from the base of the PR and between 0effd7e and 8ddfffb.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
@dmartinochoa dmartinochoa merged commit 8f39fda into main May 19, 2026
10 checks passed
@dmartinochoa dmartinochoa deleted the fix/ci-sarif-upload-permission branch May 19, 2026 14:48