From b6acbb5ac5901adf1b49e2df2a9d200835f69f46 Mon Sep 17 00:00:00 2001
From: Roman Lemekha
Date: Fri, 26 Jun 2026 08:59:24 +0200
Subject: [PATCH] fix: grant gitleaks pull-requests: read for PR commit scan
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

On pull_request, gitleaks-action calls GET /pulls/{n}/commits to scan only the PR's commits; that needs pull-requests: read. contents: read alone fails with 'Resource not accessible by integration'. read (not write) — comments stay off.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/gitleaks-reusable.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/gitleaks-reusable.yml b/.github/workflows/gitleaks-reusable.yml
index 78d848d..cf9aa89 100644
--- a/.github/workflows/gitleaks-reusable.yml
+++ b/.github/workflows/gitleaks-reusable.yml
@@ -5,10 +5,11 @@
 # uses: roleme/workflows/.github/workflows/gitleaks-reusable.yml@
 #
 # fetch-depth: 0 lets gitleaks scan full history, not just the tip.
-# PR commenting is disabled so the job needs only contents: read — otherwise
-# gitleaks-action tries to POST a PR comment and fails on pull_request events
-# with "Resource not accessible by integration" unless granted
-# pull-requests: write. The job summary still surfaces any findings.
+# PR commenting is disabled (GITLEAKS_ENABLE_COMMENTS=false) so we don't need
+# pull-requests: write. But on pull_request events gitleaks-action still calls
+# GET /pulls/{n}/commits to scan only the PR's commits, which needs
+# pull-requests: read — without it the run fails "Resource not accessible by
+# integration". Findings surface via the job summary + SARIF artifact.
 name: gitleaks (reusable)
 
 on:
@@ -16,6 +17,7 @@ on:
 
 permissions:
   contents: read
+  pull-requests: read
 
 jobs:
   scan:
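Review bot: Callers of this reusable workflow must also grant `pull-requests: read`, and the rewritten header comment in the first hunk does not say so; a called workflow's `permissions` block can only narrow the token the calling job passes in, so a caller that pins `permissions: contents: read` will still hit the "Resource not accessible by integration" failure the comment describes. I would extend the usage comment next to the `uses:` line with `# Callers must grant at least contents: read and pull-requests: read; the called workflow cannot elevate the token.` The added `pull-requests: read` in the second hunk is the right scope for the GET /pulls/{n}/commits call (read, not write), so the least-privilege posture holds. Both hunks sit in top-level comment and `permissions` sections; the `on:` and `jobs:` sections they border continue outside the hunks.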