fix(ci): secret-scanner callers must grant the reusable's job permissions #32
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-License-Identifier: MPL-2.0 | |
| # dyadt-verify — DYADT dogfood. Verify this repo's CLAIMS.a2ml against primary | |
| # evidence, and run the DYADT conformance vector suite. If a claim this change | |
| # makes is false, the verifier REFUTES it and this job fails loudly. | |
| name: DYADT Verify | |
| on: | |
| push: | |
| branches: [ main, master ] | |
| pull_request: | |
| branches: [ main, master ] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| jobs: | |
| verify-claims: | |
| name: Verify CLAIMS.a2ml + conformance | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| fetch-depth: 0 # need origin/main as the DYADT diff base | |
| - name: DYADT conformance vectors | |
| run: | | |
| bash did-you-actually-do-that/spec/conformance/run-conformance.sh | |
| - name: Verify this change's own claims (dogfood) | |
| env: | |
| DYADT_BASE: origin/${{ github.base_ref || 'main' }} | |
| run: | | |
| if [ -f CLAIMS.a2ml ]; then | |
| bash scripts/verify-claims.sh CLAIMS.a2ml | |
| else | |
| echo "No CLAIMS.a2ml at root — nothing to verify." | |
| fi |