From 978a58405213bab29721fe5d1835c0d071aa373e Mon Sep 17 00:00:00 2001 From: Yiftach Cohen Date: Sun, 18 Jan 2026 16:08:48 +0200 Subject: [PATCH 1/2] fix: add missing permissions to security-scan workflow The workflow was failing due to insufficient permissions when calling the reusable workflow. Added write permissions for security-events, actions, and pull-requests to match the requirements of the callee. --- .github/workflows/security-scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index b48a79a..5cf068a 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -7,6 +7,9 @@ on: permissions: contents: read + security-events: write + actions: read + pull-requests: write jobs: scan: From 3ddc3a5ecdd9f59d878f67be91f509b4be1a9d0c Mon Sep 17 00:00:00 2001 From: Yiftach Cohen Date: Sun, 18 Jan 2026 16:11:15 +0200 Subject: [PATCH 2/2] fix: use exact match for checksum verification The grep pattern was matching multiple lines when the checksums file contained entries for both the tarball and its signature file. Anchoring the pattern to match the exact filename at end-of-line prevents this. --- action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 2030718..bc5c803 100644 --- a/action.yml +++ b/action.yml @@ -119,7 +119,7 @@ runs: # Verify checksum echo "Verifying checksum..." cd "$TMP_DIR" - EXPECTED=$(grep "$ARCHIVE_NAME" "$CHECKSUMS_NAME" | awk '{print $1}') + EXPECTED=$(grep " ${ARCHIVE_NAME}$" "$CHECKSUMS_NAME" | awk '{print $1}') if command -v sha256sum > /dev/null 2>&1; then ACTUAL=$(sha256sum "$ARCHIVE_NAME" | awk '{print $1}') else
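Review bot: in PATCH 1/2 (.github/workflows/security-scan.yml) the three added scopes sit in the workflow-level `permissions:` block, so any job in this workflow receives `security-events: write` and `pull-requests: write`, not only the job that calls the reusable workflow. Consider moving them into a `permissions:` block under the `scan` job and leaving the top level at `contents: read`. The commit message also says write permission was added for actions, while the hunk adds `actions: read`; read is the narrower grant, so the message is the part to correct.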
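Review bot: in PATCH 2/2 (action.yml) the new pattern `" ${ARCHIVE_NAME}$"` still interprets the file name as a regular expression, so every `.` in the name matches any character, and it requires a space directly before the name, which misses entries written in sha256sum binary mode (`<hash> *<name>`). An exact string comparison on the second field avoids both, for example `awk -v f="$ARCHIVE_NAME" '$2 == f || $2 == "*" f {print $1}' "$CHECKSUMS_NAME"`. It is also worth failing explicitly when EXPECTED is empty or holds more than one line, if the comparison further down does not already do that.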