🧪🚑 Enable security-events @ cron+release

webknjaz · webknjaz · commit 61d55936c720 · 2026-06-15T13:41:52.000+02:00
This patch sets the top-level `security-events: write` privilege in the nightly and release GHA CI/CD workflows where they call `ci.yml`, which in turn calls the upstream Zizmor workflow requiring it. The change intends to fix the following error [[1]] we've recently started encountering due to internal changes within GH: ```console Invalid workflow file: .github/workflows/cron.yml#L9 The workflow is not valid. .github/workflows/cron.yml (Line: 9, Col: 3): Error calling workflow 'jazzband/pip-tools/.github/workflows/ci.yml@91636f5'. The nested job 'zizmor' is requesting 'security-events: write', but is only allowed 'security-events: none'. ``` [1]: https://github.com/jazzband/pip-tools/actions/runs/27537892831/workflow
diff --git a/.github/workflows/cron.yml b/.github/workflows/cron.yml
@@ -8,6 +8,10 @@ on:
 jobs:
   main:
     name: CI
+
+    permissions:
+      security-events: write  # Needed by the nested Zizmor workflow
+
     uses: ./.github/workflows/ci.yml
     with:
       cpython-versions: >-
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -59,6 +59,10 @@ jobs:
         github.event.action == 'published'
         && 'release' || 'nightly'
       }}]
+
+    permissions:
+      security-events: write  # Needed by the nested Zizmor workflow
+
     uses: ./.github/workflows/ci.yml
     with:
       release-version: ${{ github.ref_name }}
