From 0d2912aa03641045d04081d1be604545c0ea7a95 Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Tue, 7 Jul 2026 19:05:52 +0100 Subject: [PATCH] fix(ci): grant secret-scanner reusable its requested job permissions The reusable's gitleaks job requests pull-requests: write + actions: read; a called workflow cannot exceed the caller's grant, so wrappers granting only contents: read die at startup_failure on every run. Estate sweep; root cause fixed in standards#472. Co-Authored-By: Claude Fable 5 --- .github/workflows/secret-scanner.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index d713d06..ea9b892 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -15,5 +15,13 @@ permissions: jobs: scan: + # The reusable's gitleaks job requests pull-requests: write (PR + # summary comments) and actions: read. A called workflow cannot + # exceed the caller's grant - without these, every run dies at + # startup_failure. See standards#472. + permissions: + contents: read + pull-requests: write + actions: read uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@d135b05bfc647d0c0fbfedc7e80f37ea50f49236 - secrets: inherit + secrets: inherit \ No newline at end of file