Skip to content

fix: grant gitleaks pull-requests: read for PR commit scan #17

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
roleme merged 1 commit into from
Jun 26, 2026
Merged

fix: grant gitleaks pull-requests: read for PR commit scan #17

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 6 additions & 4 deletions .github/workflows/gitleaks-reusable.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,17 +5,19 @@
# uses: roleme/workflows/.github/workflows/gitleaks-reusable.yml@<sha>
#
# fetch-depth: 0 lets gitleaks scan full history, not just the tip.
# PR commenting is disabled so the job needs only contents: read — otherwise
# gitleaks-action tries to POST a PR comment and fails on pull_request events
# with "Resource not accessible by integration" unless granted
# pull-requests: write. The job summary still surfaces any findings.
# PR commenting is disabled (GITLEAKS_ENABLE_COMMENTS=false) so we don't need
# pull-requests: write. But on pull_request events gitleaks-action still calls
# GET /pulls/{n}/commits to scan only the PR's commits, which needs
# pull-requests: read — without it the run fails "Resource not accessible by
# integration". Findings surface via the job summary + SARIF artifact.
name: gitleaks (reusable)

on:
workflow_call: {}

permissions:
contents: read
pull-requests: read

jobs:
scan:
Expand Down