From 070395d1b39c78628fb8a203153a13bfb45e81bd Mon Sep 17 00:00:00 2001 From: "Jonathan D.A. Jewell" <6759885+hyperpolymath@users.noreply.github.com> Date: Thu, 9 Jul 2026 07:32:50 +0100 Subject: [PATCH] ci: grant Secret Scanner caller the reusable's job permissions The standards secret-scanner reusable's gitleaks job declares pull-requests:write + actions:read (PR summary comment via the Issues/PR API). A called workflow is capped at the caller's grant, so without these at the calling job the run dies at startup (0s startup_failure, estate-wide). Caller-side fix; bumping the pin never fixes it. Ref: hyperpolymath/standards#472. --- .github/workflows/secret-scanner.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/secret-scanner.yml b/.github/workflows/secret-scanner.yml index 0078829f..8c49673c 100644 --- a/.github/workflows/secret-scanner.yml +++ b/.github/workflows/secret-scanner.yml @@ -15,6 +15,10 @@ permissions: jobs: scan: + permissions: + contents: read + pull-requests: write + actions: read uses: hyperpolymath/standards/.github/workflows/secret-scanner-reusable.yml@e9c8888769a703924cc3c0d717900960d78aea00 secrets: inherit - timeout-minutes: 20 + timeout-minutes: 20 \ No newline at end of file