Skip to content

Allow scheduled security audits to open issues#43

Merged
AnthonyRonning merged 1 commit into
masterfrom
codex-maple-proxy-audit-issue-permission-maple-proxy
Jul 11, 2026
Merged

Allow scheduled security audits to open issues#43
AnthonyRonning merged 1 commit into
masterfrom
codex-maple-proxy-audit-issue-permission-maple-proxy

Conversation

@AnthonyRonning

@AnthonyRonning AnthonyRonning commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

  • grant issues: write to the non-PR security_audit job
  • keep the workflow-wide and pull-request permissions read-only

Why

The scheduled audit correctly detected a RustSec advisory, then rustsec/audit-check attempted to create a GitHub issue and failed with:

Resource not accessible by integration

The job already grants checks: write, but the action also needs issues: write when reporting a newly detected vulnerability. This permission is scoped only to the push/scheduled audit job; the pull-request audit continues to run with read-only repository permissions.

The vulnerable lockfile entry itself was fixed in #42. This follow-up ensures future scheduled findings can be reported successfully instead of failing during issue creation.

Validation

  • actionlint .github/workflows/security.yml
  • git diff --check

A whole-repository actionlint pass also identified existing warnings in the Docker and release workflows; those are unrelated to this change.


Open in Devin Review

Summary by CodeRabbit

  • Chores
    • Updated security audit workflow permissions to support reporting findings through issue tracking.

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6ed788b9-2a16-41f5-b9db-32885a5be409

📥 Commits

Reviewing files that changed from the base of the PR and between 4123f7f and 22f0272.

📒 Files selected for processing (1)
  • .github/workflows/security.yml

📝 Walkthrough

Walkthrough

The security audit workflow now grants its job token issues: write permission in addition to existing permissions.

Changes

Security audit workflow

Layer / File(s) Summary
Audit job token permissions
.github/workflows/security.yml
Adds issues: write to the security_audit job permissions.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Poem

A rabbit checked the audit gate,
And found one permission to update.
Issues may now be written with care,
While checks and contents remain there.
Hop, hop—security is in shape!

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: granting scheduled security audits permission to open issues.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex-maple-proxy-audit-issue-permission-maple-proxy

Comment @coderabbitai help to get the list of available commands.

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

@AnthonyRonning
AnthonyRonning merged commit b97f8d7 into master Jul 11, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant