Commit 5ea8169

fix(ci): grant security-fix job permissions in on-main workflow (#2094)
The top-level 'permissions: contents: read' in on-main.yml was capping the permissions requested by the reusable _security-fix-agent.yml workflow, causing the workflow file to be rejected as invalid on merges to main:

The nested job 'remediate' is requesting 'contents: write, issues: write, pull-requests: write, id-token: write', but is only allowed 'contents: read, issues: none, pull-requests: none, id-token: none'.

Grant the elevated permissions explicitly on the 'security-fix' job so the called workflow can run, while keeping the restrictive defaults for every other job.
1 parent d4f0059 commit 5ea8169

1 file changed

Lines changed: 5 additions & 0 deletions

File tree

.github/workflows/on-main.yml

@@ -30,4 +30,9 @@ jobs:
3030
needs: security
3131
if: ${{ always() && needs.security.result == 'failure' }}
3232
uses: ./.github/workflows/_security-fix-agent.yml
33+
permissions:
34+
contents: write
35+
pull-requests: write
36+
issues: write
37+
id-token: write
3338
secrets: inherit
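Review bot: the four `write` scopes added under `permissions:` on the `security-fix` job, together with the existing `secrets: inherit` on the line below them, give the called `_security-fix-agent.yml` workflow the full repository secret set, an OIDC token (`id-token: write`) and write access to code, issues and pull requests, so consider binding this job to a protected `environment:` (required reviewers or a deployment branch rule) and adding a short YAML comment above the block stating that the scopes exist only because the reusable workflow's `remediate` job requests them; without that comment the next person who hits the "is only allowed" error is likely to widen the top-level `contents: read` default instead of the single job. It is also worth confirming that every listed scope is actually consumed by the called workflow and dropping any that is merely mirrored from the error message. A minor point on the unchanged guard `if: ${{ always() && needs.security.result == 'failure' }}`: `always()` also fires on a cancelled run, so `!cancelled() && needs.security.result == 'failure'` states the intent more precisely.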
