Skip to content

ci: pii-scan needs explicit pull-requests:read for private consumers#123

Merged
fitz123 merged 1 commit into
mainfrom
ci/gitleaks-explicit-permissions
May 17, 2026
Merged

ci: pii-scan needs explicit pull-requests:read for private consumers#123
fitz123 merged 1 commit into
mainfrom
ci/gitleaks-explicit-permissions

Conversation

@fitz123
Copy link
Copy Markdown
Owner

@fitz123 fitz123 commented May 17, 2026

Summary

  • Add explicit permissions: block to pii-scan.yml granting contents: read and pull-requests: read.
  • Fixes Resource not accessible by integration (403) on private-repo consumers of the reusable gitleaks workflow.

Why

gitleaks-action@v2 calls GET /repos/{owner}/{repo}/pulls/{number}/commits to determine scan scope on PR events. The default GITHUB_TOKEN for private repos withholds pull-requests: read, so the call returns 403 and the action exits before scanning. Public repos (including this one) have been getting it under the more permissive default for public projects — but the moment a downstream private repo consumed the workflow via workflow_call it broke.

Repro: fitz123/Minime#35 — pii-scan run https://github.com/fitz123/Minime/actions/runs/25995425868 fails with the exact 403 message.

Test plan

  • Self-CI on this PR passes (since the workflow runs against this same repo).

@fitz123 @claude
ci: grant pii-scan workflow explicit pull-requests:read
6933370 
gitleaks-action@v2 lists PR commits to determine scan scope. In
private-repo consumers of this reusable workflow, the default GITHUB_TOKEN
withholds pull-requests:read, returning 403 "Resource not accessible by
integration" before the scan can run. Public claude-code-bot has been fine
under the more permissive default for public repos; downstream private
consumers (e.g. the workspace at fitz123/Minime) get the failure.

Explicit permissions block fixes it across both consumer classes.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 17, 2026 15:54
@fitz123 fitz123 merged commit b909b20 into main May 17, 2026
5 checks passed
@fitz123 fitz123 deleted the ci/gitleaks-explicit-permissions branch May 17, 2026 15:55
Copilot AI reviewed May 17, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an explicit permissions: block to .github/workflows/pii-scan.yml so that the reusable gitleaks workflow has pull-requests: read when consumed by private repos, fixing a 403 from gitleaks-action@v2.

Changes:

  • Add top-level permissions: granting contents: read and pull-requests: read.
  • Add explanatory comment documenting the rationale.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@fitz123 fitz123 mentioned this pull request May 17, 2026
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fitz123