A called reusable workflow can only narrow the caller's GITHUB_TOKEN — if any of its jobs request a permission the caller didn't grant, the run dies at load time as startup_failure ("This run likely failed because of a workflow file issue", zero jobs). Two current instances:
- secret-scanner-reusable.yml: the gitleaks job requests
pull-requests: write + actions: read, but the documented caller example (and the deployed wrappers) grant only contents: read. Every wrapper deployed from that example startup-fails — in ochrance, since the 2026-06-24 repin, i.e. the secret scanner has not scanned anything for a week while looking like mere CI noise. The comment in the reusable claiming job-level permission blocks "OVERRIDE the caller's" states the semantics backwards.
- scorecard-reusable.yml: the scorecard job requests
security-events: write + id-token: write; wrappers granting permissions: read-all startup-fail the same way.
This is very likely the estate-wide "C3 startup_failure class" observed on 2026-07-01.
Fix (per ochrance)
Caller grants the superset:
- secret-scanner wrapper:
contents: read + pull-requests: write + actions: read
- scorecard wrapper:
contents: read + actions: read + security-events: write + id-token: write
Verified green on ochrance main after the change.
Asks
🤖 Generated with Claude Code
Root cause (diagnosed + fixed in ochrance, PRs hyperpolymath/ochrance#73–#75)
A called reusable workflow can only narrow the caller's GITHUB_TOKEN — if any of its jobs request a permission the caller didn't grant, the run dies at load time as
startup_failure("This run likely failed because of a workflow file issue", zero jobs). Two current instances:pull-requests: write+actions: read, but the documented caller example (and the deployed wrappers) grant onlycontents: read. Every wrapper deployed from that example startup-fails — in ochrance, since the 2026-06-24 repin, i.e. the secret scanner has not scanned anything for a week while looking like mere CI noise. The comment in the reusable claiming job-level permission blocks "OVERRIDE the caller's" states the semantics backwards.security-events: write+id-token: write; wrappers grantingpermissions: read-allstartup-fail the same way.This is very likely the estate-wide "C3 startup_failure class" observed on 2026-07-01.
Fix (per ochrance)
Caller grants the superset:
contents: read+pull-requests: write+actions: readcontents: read+actions: read+security-events: write+id-token: writeVerified green on ochrance main after the change.
Asks
secret-scanner-reusable.yml's header comment + correct the inverted "override" commentsecret-scanner.yml/scorecard.ymlwrapper has the narrow grant is silently unscanned🤖 Generated with Claude Code