fix(ci): grant scanner jobs the token scopes they need#66

Merged: goetchstone merged 3 commits into main from fix/ci-scanner-permissions on Jun 16, 2026

Conversation

@goetchstone

Owner

Problem

Both scanner jobs started failing on PRs with HTTP 403 "Resource not accessible by integration." The repo's default Actions token is read-only, and these two jobs under-declared their permissions:

  • gitleaks (Secret scan): gitleaks-action v3 lists PR commits via the API on pull_request events → GET /pulls/{n}/commits 403'd. Needs pull-requests: read.
  • semgrep (Scan): upload-sarif reads the workflow run for context → 403 on actions/workflow-runs. Needs actions: read.

codeql.yml already declares the full set (actions: read, contents: read, security-events: write) and passes — these two just hadn't been updated.

Fix

Least-privilege per-job scopes (repo default stays read-only):

  • gitleaks job: + pull-requests: read
  • semgrep job: + actions: read

Note

This is the fix for the failing jobs the founder reported. It self-heals: for same-repo pull_request events the workflow runs from the PR head, so this PR's own gitleaks/semgrep checks exercise the corrected permissions. Once merged, re-running PR #65 (consent banner) clears the same two failures.

Separately: the SH-Goetch machine account appears to have lost repo access (gh returns "Could not resolve to a Repository") — unrelated to CI, worth a look.

Test plan

  • This PR's own Secret scan (gitleaks) and Scan checks pass (proving the fix)
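The per-job scopes described above, written out as an added illustration of a workflow file (this is not the repository's actual gitleaks/semgrep workflow); the action version tags, the checkout step, the semgrep invocation and the SARIF file name are assumptions:

```yaml
# Added example, not the repository's own workflow. The repository default
# GITHUB_TOKEN is read-only, so each job declares only the scopes its steps
# actually call; nothing is widened at the workflow level.
name: scanners
on:
  pull_request:

jobs:
  gitleaks:
    name: Secret scan
    runs-on: ubuntu-latest
    permissions:
      contents: read        # checkout
      pull-requests: read   # gitleaks-action lists PR commits: GET /pulls/{n}/commits
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so every PR commit is scanned
      - uses: gitleaks/gitleaks-action@v3   # version tag as named in the PR (assumed)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  semgrep:
    name: Scan
    runs-on: ubuntu-latest
    container: returntocorp/semgrep        # assumed image providing `semgrep ci`
    permissions:
      contents: read          # checkout
      actions: read           # upload-sarif reads the workflow run for context
      security-events: write  # upload-sarif writes results to code scanning
    steps:
      - uses: actions/checkout@v4
      # `semgrep ci` exits non-zero on findings, which is what makes the job a
      # merge gate even without the SARIF upload.
      - run: semgrep ci --sarif --output semgrep.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()          # still upload the findings that failed the step
        with:
          sarif_file: semgrep.sarif
```

Any scope a job does not list is denied, so a new API call in an action upgrade shows up as a 403 like the ones above rather than silently succeeding with a broader token.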

Both scanner jobs were under-declaring GITHUB_TOKEN permissions, so
with the repo default token now read-only they 403'd with 'Resource
not accessible by integration':

- gitleaks (secret-scan): gitleaks-action v3 lists PR commits via the
  API on pull_request events -> needs pull-requests: read.
- semgrep (Scan): upload-sarif reads the workflow run for context ->
  needs actions: read (mirrors the working codeql.yml).

Least-privilege per-job scopes; repo default stays read-only.

Repo is private on a free plan, so GitHub code scanning (CodeQL +
SARIF upload) is unavailable. Reconfigure so CI works and still gates,
at zero cost:

- semgrep.yml: remove the SARIF upload; 'semgrep ci' still exits
  non-zero on findings, so the Scan job remains a real merge gate.
  Reduce its token scopes to contents:read.
- codeql.yml: deleted — CodeQL can't run on a private repo without
  GitHub Advanced Security.
- (gitleaks pull-requests:read fix from this branch is retained.)

Security gates remaining: gitleaks (secrets), semgrep (SAST, exit-code),
npm audit (deps), tsc + vitest. Lost: CodeQL dataflow + Security-tab
dashboards (require paid GHAS on private).

Code scanning needs GHAS on private repos. Remove the SARIF upload
step; 'semgrep ci' still exits non-zero on findings so the Scan job
stays a real merge gate. Token scopes reduced to contents:read.
goetchstone merged commit 60e6ebd into main Jun 16, 2026
5 checks passed
goetchstone deleted the fix/ci-scanner-permissions branch June 16, 2026 10:27
goetchstone added a commit that referenced this pull request Jun 17, 2026
* ci: restore CodeQL + Semgrep SARIF upload (repo is public again)

Public repos get GitHub code scanning free, so re-enable what we
dropped while briefly private:
- codeql.yml restored (dataflow/taint analysis + Security-tab upload)
- semgrep.yml re-adds SARIF upload (keeps the actions:read fix so it
  no longer 403s)
- CLAUDE.md: drop the now-stale private-repo CI Known Issue

gitleaks pull-requests:read fix from #66 stays. Full free stack back:
gitleaks + CodeQL + Semgrep + npm audit + tsc/vitest.

* fix(deps): patch high-severity hono advisory via npm audit fix

hono <=4.12.24 had high-severity path-traversal/CORS/body-limit CVEs
(GHSA-wwfh-h76j-fc44 et al.), pulled in transitively through
shadcn -> @modelcontextprotocol/sdk -> hono. Bumped to 4.12.25.
Lockfile-only; clears the Dependency audit gate. tsc + tests pass.

---------

Co-authored-by: Goetch Stone <gstone@saybrookhome.com>