From 7f7456c4888e3e08dd86b814bc56a166133cf180 Mon Sep 17 00:00:00 2001 From: hyperpolymath <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 2 Jun 2026 20:05:00 +0100 Subject: [PATCH] fix(ci): add missing actions:read perm to scan reusables MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The hypatia-scan + secret-scanner reusables consume third-party actions (codeql-action/upload-sarif and gitleaks-action) that need permissions the reusables didn't grant. Reusable workflow permission blocks OVERRIDE the caller's, so adding perms at the wrapper is a no-op — the fix must live here at source. hypatia-scan-reusable.yml — workflow-level: + actions: read Lets `codeql-action/upload-sarif` call GET /actions/runs/{id} to attach the SARIF blob. Without it, the SARIF upload fails with "Resource not accessible by integration" AFTER the scan + conversion both succeed. Symptom reproduced across .git-private-farm and other consumers. secret-scanner-reusable.yml — gitleaks job-level (NOT workflow-level, keeps trufflehog / rust-secrets / shell-secrets at minimum perms): permissions: contents: read pull-requests: write actions: read gitleaks-action's `ScanPullRequest` posts a PR summary comment (needs pull-requests: write) and queries PR-files / workflow-run metadata (needs actions: read). Without both, the action throws RequestError [HttpError]: Resource not accessible by integration AFTER the gitleaks scan itself succeeds. Verifying logs from .git-private-farm#69 / job 79144809024 (gitleaks) + job 79144809505 (hypatia SARIF) both show post-scan permission errors that this PR resolves. Net new perm grants are MINIMAL: `actions: read` is read-only and matches GitHub's documented requirement for these specific actions. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/hypatia-scan-reusable.yml | 11 +++++++++++ .github/workflows/secret-scanner-reusable.yml | 15 +++++++++++++++ 2 files changed, 26 insertions(+) 
diff --git a/.github/workflows/hypatia-scan-reusable.yml b/.github/workflows/hypatia-scan-reusable.yml
index 986d5f9c..710fd97b 100644
--- a/.github/workflows/hypatia-scan-reusable.yml
+++ b/.github/workflows/hypatia-scan-reusable.yml
@@ -81,6 +81,17 @@ permissions:
   # "Resource not accessible by integration" and (absent continue-on-error)
   # hard-fails the scan — exactly what the gate-decoupling design forbids.
   pull-requests: write
+  # actions: read lets `codeql-action/upload-sarif` call
+  # GET /repos/{owner}/{repo}/actions/runs/{run_id} to attach the SARIF
+  # blob to the workflow run. Without it the upload step fails with
+  # "Resource not accessible by integration" AFTER the scan + SARIF
+  # conversion both succeed — symptoms observed across .git-private-farm
+  # and other estate consumers since the SARIF upload was wired in.
+  # Reusable workflow permission blocks OVERRIDE the caller's permission
+  # block, so this MUST live here at source rather than at every
+  # wrapper — adding it only at the wrapper is a no-op.
+  # See .git-private-farm#69 for the reproducing logs.
+  actions: read
 
 jobs:
   scan:
diff --git a/.github/workflows/secret-scanner-reusable.yml b/.github/workflows/secret-scanner-reusable.yml
index 03c98a1a..3ef57023 100644
--- a/.github/workflows/secret-scanner-reusable.yml
+++ b/.github/workflows/secret-scanner-reusable.yml
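Review bot: The new `actions: read` is granted at workflow level, so every job in this reusable inherits it, while the sibling change in secret-scanner-reusable.yml scopes its new grants to the single job that needs them; if `scan` is the only job that runs `upload-sarif`, either move the grant to that job's `permissions:` block or add one line to the comment stating that workflow level is intentional because this workflow has a single job. The comment should also record that this matches the requirement `codeql-action/upload-sarif` documents for private repositories (the run-status lookup is only needed there), e.g. `# Documented by codeql-action as needed for private repositories; the estate's consumers are private.` — hedged, as the consumers are not visible here. The rest of the `permissions:` block (e.g. whatever `security-events` grant the SARIF upload relies on) lies above the hunk, so it cannot be confirmed from this diff. The ten-line rationale largely duplicates the commit message; two or three lines plus the `.git-private-farm#69` pointer would keep the block readable.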
@@ -77,6 +77,21 @@ jobs:
 
   gitleaks:
     runs-on: ${{ inputs.runs-on }}
+    # Job-level permissions (narrower than granting these workflow-wide).
+    # The other jobs (trufflehog / rust-secrets / shell-secrets) only need
+    # `contents: read`, which they get from the workflow-level block.
+    permissions:
+      contents: read
+      # gitleaks-action's `ScanPullRequest` posts a summary comment via
+      # the GitHub Issues/PR API. Without `pull-requests: write` it fails
+      # with "Resource not accessible by integration" AFTER the gitleaks
+      # scan itself succeeds. Reusable-workflow permission blocks
+      # OVERRIDE the caller's, so this MUST live here at source.
+      # See .git-private-farm#69 for the reproducing logs.
+      pull-requests: write
+      # Additional API calls inside `ScanPullRequest` (workflow-run
+      # metadata, PR-files endpoint) require `actions: read`.
+      actions: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
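Review bot: The last comment in the hunk attributes the PR-files endpoint to `actions: read`, but listing a pull request's files is a pulls API call covered by the `pull-requests` scope already granted here; unless this was checked against the action's source, attribute `actions: read` only to the workflow-run lookup, e.g. `# Workflow-run metadata lookups inside ScanPullRequest require actions: read.` Two facts the block relies on are worth one line each in the same comment: a job-level `permissions:` block replaces the workflow-level set for this job entirely (which is why `contents: read` must be restated, as it is), and on `pull_request` runs from forks GITHUB_TOKEN is read-only regardless of this block, so the summary comment will still fail for such consumers. Because this job now holds `pull-requests: write`, the gitleaks-action `uses:` line (outside the hunk) should be SHA-pinned the way `actions/checkout` is on the context line.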