From 197be3f80eda9b5d99b39528380eb8fea7f2f9e2 Mon Sep 17 00:00:00 2001
From: Mike Odnis
Date: Mon, 4 May 2026 00:41:38 -0400
Subject: [PATCH] fix(security-scan): grant actions:read to codeql + zizmor jobs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

github/codeql-action's init/analyze and upload-sarif each call `GET /repos/{owner}/{repo}/actions/runs/{run_id}` for telemetry. The workflow-level `permissions:` block grants `contents: read`, `security-events: write`, `pull-requests: read` — but not `actions: read`. Result: every PR run on every org caller emits ##[error]Resource not accessible by integration at the telemetry call and fails the step. Verified against resq-software/research PR #8 across multiple consecutive runs. Add `actions: read` at the job level for codeql and zizmor (the two jobs that surface the issue). `actions: read` is read-only and grants no write capability beyond the existing inherited scopes. Other jobs in this workflow (gitleaks, osv-scanner, dependency-review, actionlint, semgrep, snyk) don't make the telemetry call and don't need the scope; leaving their permissions inherited.
---
 .github/workflows/security-scan.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 7387c2b..642989d 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -89,6 +89,15 @@ jobs:
     name: CodeQL (${{ matrix.language }})
     if: ${{ inputs.languages != '' && inputs.languages != '[]' }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+      # `actions: read` is required by github/codeql-action's telemetry —
+      # init/analyze each call `GET /repos/{owner}/{repo}/actions/runs/{run_id}`.
+      # Without the scope every step ends in
+      # ##[error]Resource not accessible by integration
+      # and the job fails. Read-only; grants no write capability.
+      actions: read
     strategy:
       fail-fast: false
       matrix:
@@ -184,6 +193,12 @@ jobs:
     permissions:
       contents: read
       security-events: write
+      # Required by github/codeql-action/upload-sarif's telemetry call
+      # to `GET /repos/{owner}/{repo}/actions/runs/{run_id}`. Without
+      # this the upload step ends in
+      # ##[error]Resource not accessible by integration
+      # and fails the job. Read-only; grants no write capability.
+      actions: read
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2
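Review bot: The new job-level `permissions:` block on the codeql job silently drops the workflow-level `pull-requests: read` that the commit message says is currently inherited — a job-level block replaces the inherited set rather than extending it, so this hunk narrows the job's scopes as well as adding `actions: read`. If the codeql job does not need it, make that explicit with a comment such as `# pull-requests: read (workflow-level) intentionally not inherited here`; if it does, add `pull-requests: read` next to `actions: read`. Separately, the `inputs.languages` expression suggests this is a reusable workflow, and a called workflow cannot grant a job more than its caller's `permissions:` allows, so `actions: read` here only takes effect once each org caller also passes it — worth a line in the comment so callers get updated rather than keep failing. The codeql job's header and its steps lie outside the hunk.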
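Review bot: The added comment's "Read-only; grants no write capability" understates the blast radius of `actions: read` on this job (presumably zizmor, per the commit message): the scope also lets the job token read other workflow runs' logs and artifacts in the repository, which is a wider read surface than a SARIF upload needs and is the trade-off a future maintainer should see when deciding whether to keep it. I would replace the last comment line with `# Read-only, but also exposes this repo's run logs/artifacts to the job token.`. The five-line rationale is otherwise a near-verbatim copy of the codeql job's comment; a one-liner pointing at that block, e.g. `# actions: read — see codeql job; needed by upload-sarif's run-metadata call.`, keeps the two from drifting apart. The job's header (name, runs-on) and the steps after Harden Runner are outside the hunk.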