Skip to content

Commit 987697b

Browse files
fix(ci): secret-scanner callers must grant the reusable's job permissions (#472)
Root cause of the estate-wide Secret Scanner `startup_failure` (including on this repo's own main): the reusable's gitleaks job requests `pull-requests: write` + `actions: read` (added for PR summary comments, .git-private-farm#69), but a called workflow cannot exceed the caller's grant. Every wrapper granting only `contents: read` — which is exactly what the reusable's own documented caller example says to do — dies at startup: *"the workflow is requesting 'pull-requests: write', but is only allowed 'pull-requests: none'"*. This is why the failure persisted across every pin bump: the bug is in the caller shape, not the pinned ref. - Header caller example now grants the permissions at the calling job (same consumption pattern as the scorecard reusable) — this is the shape wrapper sweeps copy. - This repo's own wrapper: grant the permissions and bump the pin off known-bad `d135b05` to current main (`891b1ed`). Estate note: the ~281 repo wrappers need the same job-level grant on their next sweep; the grant is safe at any pinned ref (refs that don't request the elevation simply downgrade). Proven fix live on somethings-fishy PR #51. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
1 parent 891b1ed commit 987697b

2 files changed

Lines changed: 20 additions & 2 deletions

File tree

.github/workflows/secret-scanner-reusable.yml

Lines changed: 11 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,13 @@
3535
# the read-only cancel-superseded behaviour stays in the wrapper.
3636
# - Trufflehog removed: gitleaks provides sufficient coverage at lower cost.
3737
#
38-
# Caller example (wrapper):
38+
# Caller example (wrapper). NOTE the job-level permissions grant: the
39+
# gitleaks job below requests `pull-requests: write` + `actions: read`,
40+
# and a called workflow cannot exceed the caller's grant — a wrapper
41+
# that grants only `contents: read` dies at startup_failure on every
42+
# run ("requesting 'pull-requests: write', but is only allowed
43+
# 'pull-requests: none'"). Same consumption pattern as the scorecard
44+
# reusable.
3945
# # SPDX-License-Identifier: MPL-2.0
4046
# name: Secret Scanner
4147
# on:
@@ -49,6 +55,10 @@
4955
# contents: read
5056
# jobs:
5157
# scan:
58+
# permissions:
59+
# contents: read
60+
# pull-requests: write
61+
# actions: read
5262
# uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@<sha>
5363
# secrets: inherit
5464

.github/workflows/secret-scanner.yml

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,5 +15,13 @@ permissions:
1515

1616
jobs:
1717
scan:
18-
uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@d135b05bfc647d0c0fbfedc7e80f37ea50f49236
18+
# The reusable's gitleaks job requests pull-requests: write (PR
19+
# summary comments, .git-private-farm#69) and actions: read. A
20+
# called workflow cannot exceed the caller's grant — without these
21+
# here every run dies at startup_failure.
22+
permissions:
23+
contents: read
24+
pull-requests: write
25+
actions: read
26+
uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@891b1ed6164478616cb3375f328c6487ccb13f80
1927
secrets: inherit

0 commit comments

Comments
 (0)