fix(security-scan): grant actions:read to codeql + zizmor jobs#20

Merged
WomB0ComB0 merged 1 commit into main from fix/codeql-zizmor-actions-read on May 4, 2026

Conversation

@WomB0ComB0 (Member) commented May 4, 2026

Summary

Every org caller of security-scan.yml is currently failing the codeql/* and zizmor jobs with:

##[error]Resource not accessible by integration - https://docs.github.com/rest/actions/workflow-runs#get-a-workflow-run

github/codeql-action's init / analyze / upload-sarif each call GET /repos/{owner}/{repo}/actions/runs/{run_id} for telemetry. The workflow-level permissions: block grants contents: read / security-events: write / pull-requests: read — but not actions: read. Result: every PR run fails the step.

Fix

Add actions: read at the job level for the two jobs that surface the issue (codeql + zizmor). actions: read is read-only and grants no write capability beyond the existing inherited scopes. Other jobs (gitleaks, osv-scanner, dependency-review, actionlint, semgrep, snyk) don't make the telemetry call.

Repro

resq-software/research PR #8 — three consecutive CI runs (commits 847986c, 2ddf8f9, bc97019) all show the same error on the same two job names. Other security scans in the same workflow (semgrep, dependency-review, actionlint, CodeQL (actions)) pass on every run.

Test plan

  • Apply the patch + push to the branch
  • Bump the SHA pin in resq-software/research's security.yml to point at the merged commit
  • Verify scan / CodeQL (javascript-typescript) and scan / zizmor go green on the next PR run

Notes

  • actions: read is the minimum scope; could be wider (e.g. actions: write) but read-only matches the principle of least privilege.
  • The error has been silent / ignored on other org repos because most required aggregators don't include the scan/* checks. PR fix(security): bump Go toolchain to stable #8 in research caught it because the user explicitly asked to verify failing CI.

Summary by CodeRabbit

  • Chores
    • Updated security scanning workflow configuration to include necessary permissions for GitHub Action telemetry and API calls.

github/codeql-action's init/analyze and upload-sarif each call
`GET /repos/{owner}/{repo}/actions/runs/{run_id}` for telemetry. The
workflow-level `permissions:` block grants `contents: read`,
`security-events: write`, `pull-requests: read` — but not
`actions: read`. Result: every PR run on every org caller emits

    ##[error]Resource not accessible by integration

at the telemetry call and fails the step. Verified against
resq-software/research PR #8 across multiple consecutive runs.

Add `actions: read` at the job level for codeql and zizmor (the two
jobs that surface the issue). `actions: read` is read-only and
grants no write capability beyond the existing inherited scopes.

Other jobs in this workflow (gitleaks, osv-scanner, dependency-review,
actionlint, semgrep, snyk) don't make the telemetry call and don't
need the scope; leaving their permissions inherited.
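The description and commit message above describe the change in prose but the page does not show the workflow itself. The following is an added illustration of what a job-level `actions: read` grant looks like in a reusable workflow with the scopes the PR names; it is not the repository's actual security-scan.yml. The step lists, the zizmor invocation, and the `<pinned-sha>` action pins are assumptions and placeholders, not values from the page.

```yaml
# Constructed example of a reusable security-scan workflow (not the project's file).
name: security-scan

on:
  workflow_call:   # invoked by org caller workflows, as the PR describes

# Workflow-level default scopes named in the PR. Every scope not listed here
# is denied to GITHUB_TOKEN for jobs that do not declare their own block.
permissions:
  contents: read
  security-events: write
  pull-requests: read

jobs:
  codeql:
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow-level block for this
    # job instead of merging with it, so the inherited scopes are restated.
    permissions:
      contents: read
      security-events: write   # still needed to upload SARIF results
      pull-requests: read
      # github/codeql-action init/analyze call
      # GET /repos/{owner}/{repo}/actions/runs/{run_id} for telemetry; without
      # this read-only scope the step fails with
      # "Resource not accessible by integration".
      actions: read
    steps:
      - uses: actions/checkout@<pinned-sha>              # placeholder pin
      - uses: github/codeql-action/init@<pinned-sha>     # placeholder pin
        with:
          languages: javascript-typescript
      - uses: github/codeql-action/analyze@<pinned-sha>  # placeholder pin

  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: read
      actions: read   # upload-sarif makes the same telemetry call
    steps:
      - uses: actions/checkout@<pinned-sha>              # placeholder pin
      # Assumed invocation: zizmor installed on the runner, SARIF written to a file.
      - run: zizmor --format sarif . > zizmor.sarif
      - uses: github/codeql-action/upload-sarif@<pinned-sha>   # placeholder pin
        with:
          sarif_file: zizmor.sarif

  # Jobs that do not call the workflow-runs API (gitleaks, osv-scanner,
  # dependency-review, actionlint, semgrep, snyk in the PR) declare no
  # permissions block and keep the workflow-level scopes unchanged.
  gitleaks:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-sha>              # placeholder pin
      - run: echo "scanner step goes here"               # placeholder
```

Two points a reviewer checks on this kind of change. First, because a job-level `permissions:` block overrides the workflow-level one rather than adding to it, dropping `security-events: write` from the restated block would silently break the SARIF upload even though the new `actions: read` line is correct. Second, a reusable workflow can only narrow the `GITHUB_TOKEN` permissions passed in by its caller, never widen them, so each org caller's own workflow must also allow `actions: read` (or grant its default token that scope) for the fix to take effect on that repository.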

@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@coderabbitai (Bot) commented May 4, 2026

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bd1c2a88-485b-4159-a583-f47e8fc293df

📥 Commits

Reviewing files that changed from the base of the PR and between 23ce94e and 197be3f.

📒 Files selected for processing (1)
  • .github/workflows/security-scan.yml

📝 Walkthrough

This PR adds permissions.actions: read to the codeql and zizmor security scan workflow jobs in GitHub Actions. The permission enables those jobs to make GitHub API calls for telemetry operations without encountering access errors.

Changes

Workflow Security Permissions

Layer: Workflow Configuration
File(s): .github/workflows/security-scan.yml
Summary: Jobs codeql and zizmor now declare permissions.actions: read, with comments explaining that it prevents "Resource not accessible by integration" failures during telemetry and API calls.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A rabbit in the workflow night,
Found permissions shining bright,
"Actions: read!" the bunny sang,
So telemetry bells could ring and rang,
No more access barriers in flight! 🔐

@WomB0ComB0 WomB0ComB0 merged commit ee20019 into main May 4, 2026
5 of 6 checks passed