fix(ci): grant scanner jobs the token scopes they need#66
Merged
Conversation
Both scanner jobs were under-declaring GITHUB_TOKEN permissions, so with the repo default token now read-only they 403'd with 'Resource not accessible by integration':
- gitleaks (secret-scan): gitleaks-action v3 lists PR commits via the API on pull_request events -> needs pull-requests: read.
- semgrep (Scan): upload-sarif reads the workflow run for context -> needs actions: read (mirrors the working codeql.yml).
Least-privilege per-job scopes; repo default stays read-only.
Repo is private on a free plan, so GitHub code scanning (CodeQL + SARIF upload) is unavailable. Reconfigure so CI works and still gates, at zero cost:
- semgrep.yml: remove the SARIF upload; 'semgrep ci' still exits non-zero on findings, so the Scan job remains a real merge gate. Reduce its token scopes to contents:read.
- codeql.yml: deleted — CodeQL can't run on a private repo without GitHub Advanced Security.
- (gitleaks pull-requests:read fix from this branch is retained.)
Security gates remaining: gitleaks (secrets), semgrep (SAST, exit-code), npm audit (deps), tsc + vitest. Lost: CodeQL dataflow + Security-tab dashboards (require paid GHAS on private).
Code scanning needs GHAS on private repos. Remove the SARIF upload step; 'semgrep ci' still exits non-zero on findings so the Scan job stays a real merge gate. Token scopes reduced to contents:read.
This was referenced Jun 16, 2026
goetchstone added a commit that referenced this pull request Jun 17, 2026
* ci: restore CodeQL + Semgrep SARIF upload (repo is public again)

Public repos get GitHub code scanning free, so re-enable what we dropped while briefly private:
- codeql.yml restored (dataflow/taint analysis + Security-tab upload)
- semgrep.yml re-adds SARIF upload (keeps the actions:read fix so it no longer 403s)
- CLAUDE.md: drop the now-stale private-repo CI Known Issue

gitleaks pull-requests:read fix from #66 stays. Full free stack back: gitleaks + CodeQL + Semgrep + npm audit + tsc/vitest.

* fix(deps): patch high-severity hono advisory via npm audit fix

hono <=4.12.24 had high-severity path-traversal/CORS/body-limit CVEs (GHSA-wwfh-h76j-fc44 et al.), pulled in transitively through shadcn -> @modelcontextprotocol/sdk -> hono. Bumped to 4.12.25. Lockfile-only; clears the Dependency audit gate. tsc + tests pass.

---------

Co-authored-by: Goetch Stone <gstone@saybrookhome.com>
Problem
Both scanner jobs started failing on PRs with HTTP 403 "Resource not accessible by integration." The repo's default Actions token is read-only, and these two jobs under-declared their permissions:

- gitleaks (`Secret scan`): gitleaks-action v3 lists PR commits via the API on `pull_request` events → `GET /pulls/{n}/commits` 403'd. Needs `pull-requests: read`.
- semgrep (`Scan`): `upload-sarif` reads the workflow run for context → 403 on `actions/workflow-runs`. Needs `actions: read`.

`codeql.yml` already declares the full set (`actions: read`, `contents: read`, `security-events: write`) and passes — these two just hadn't been updated.

Fix
Least-privilege per-job scopes (repo default stays read-only):
+ pull-requests: read
+ actions: read

Note
This is the fix for the failing jobs the founder reported. It self-heals: for same-repo `pull_request` events the workflow runs from the PR head, so this PR's own gitleaks/semgrep checks exercise the corrected permissions. Once merged, re-running PR #65 (consent banner) clears the same two failures.

Separately: the `SH-Goetch` machine account appears to have lost repo access (`gh` returns "Could not resolve to a Repository") — unrelated to CI, worth a look.

Test plan
- `Secret scan` (gitleaks) and `Scan` checks pass (proving the fix)
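The per-job scopes from the Problem and Fix sections above, written out as one workflow file so the replace-not-merge behaviour of a job-level `permissions:` block is visible. This is an added illustration, not the repository's own gitleaks.yml or semgrep.yml; the job ids, action versions, Semgrep container image and `semgrep ci` flags are assumptions.

```yaml
# Illustration only (not the project's workflow files). Job ids, action
# versions, the Semgrep image and the semgrep ci flags are assumed.
name: scanners
on: pull_request

# Workflow-level default mirrors the repo setting: read-only token.
permissions:
  contents: read

jobs:
  secret-scan:               # renders as the "Secret scan" check (assumed id)
    runs-on: ubuntu-latest
    # A job-level block REPLACES the default instead of adding to it: every
    # scope not listed here becomes "none". contents: read must therefore be
    # restated or actions/checkout itself starts failing with 403.
    permissions:
      contents: read
      pull-requests: read    # the missing scope: gitleaks-action v3 lists
                             # PR commits via GET /pulls/{n}/commits
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0     # full history so every PR commit is scanned
      - uses: gitleaks/gitleaks-action@v3
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  scan:                      # renders as the "Scan" check (assumed id)
    runs-on: ubuntu-latest
    container:
      image: semgrep/semgrep
    permissions:
      contents: read
      actions: read          # the missing scope: upload-sarif reads the
                             # workflow run for context
      security-events: write # upload-sarif writes to the code-scanning API
    steps:
      - uses: actions/checkout@v4
      # semgrep ci exits non-zero on findings, so the job gates on its own
      # even if the SARIF upload were removed (as it was while private).
      - run: semgrep ci --config auto --sarif --output semgrep.sarif
      - uses: github/codeql-action/upload-sarif@v3
        if: always()         # upload findings even when semgrep ci failed
        with:
          sarif_file: semgrep.sarif
```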