This is an automated email from the ASF dual-hosted git repository. rusackas pushed a commit to branch fix/ghas-validator-security-events-perm in repository https://gitbox.apache.org/repos/asf/superset.git
commit c98209e86f734a50fb37617038b4d5245b621be8 Author: Claude Code <[email protected]> AuthorDate: Fri May 29 21:40:52 2026 -0700 fix(ci): grant security-events write to GHA validator workflow The `validate-all-ghas` job runs the zizmor action with `advanced-security` enabled (the default), which uploads its SARIF results to GitHub code scanning via `codeql-action/upload-sarif`. That upload requires `security-events: write`, but the workflow only granted `contents: read`, so the step failed on master with "Resource not accessible by integration" even though the zizmor audit itself passed. Add a job-scoped `security-events: write` permission, matching the pattern already used by codeql-analysis.yml. Co-Authored-By: Claude Opus 4.8 <[email protected]> --- .github/workflows/github-action-validator.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/github-action-validator.yml b/.github/workflows/github-action-validator.yml index 712911f8c6a..32718ba6936 100644 --- a/.github/workflows/github-action-validator.yml +++ b/.github/workflows/github-action-validator.yml @@ -16,6 +16,11 @@ jobs: validate-all-ghas: runs-on: ubuntu-24.04 + permissions: + contents: read + # Required for the zizmor action to upload its SARIF results to + # GitHub code scanning (advanced-security is enabled by default). + security-events: write steps: - name: Checkout Repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
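Review bot: The `security-events: write` grant in the new `permissions:` block of `validate-all-ghas` is justified only by an action default ("advanced-security is enabled by default"), which this workflow never states itself. Consider setting `advanced-security: true` explicitly on the zizmor step so the permission and the behaviour that needs it stay coupled. If that default ever changes upstream, the job would otherwise keep a write scope it no longer uses. The grant is job-scoped, so it also applies to every other step in the job, including the checkout shown in the context lines. The hunk does not show the workflow's triggers or remaining steps, so it is worth confirming that nothing else in this job runs untrusted code with that token, or moving the SARIF upload into its own job that holds the write scope alone. Restating `contents: read` at job level is correct, since a job-level `permissions:` block replaces the workflow-level one rather than adding to it.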
