diff --git a/.github/workflows/poll-nvd-cves.yml b/.github/workflows/poll-nvd-cves.yml
index 85c019d..d94f08b 100644
--- a/.github/workflows/poll-nvd-cves.yml
+++ b/.github/workflows/poll-nvd-cves.yml
@@ -29,6 +29,10 @@ env:
 jobs:
   poll-and-update:
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -654,22 +658,12 @@ jobs:
           git checkout -- .github/ 2>/dev/null || true
           git clean -fd .github/ 2>/dev/null || true
 
-      - name: Require automation token for PR operations
-        if: steps.transform.outputs.new_count != '0' || steps.updates.outputs.update_count != '0'
-        env:
-          AUTOMATION_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
-        run: |
-          if [ -z "$AUTOMATION_TOKEN" ]; then
-            echo "::error::Set POLL_NVD_CVES_PAT with repo/workflow write permissions."
-            exit 1
-          fi
-
       - name: Create Pull Request
         if: steps.transform.outputs.new_count != '0' || steps.updates.outputs.update_count != '0'
         id: create-pr
         uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # v8.1.0
         with:
-          token: ${{ secrets.POLL_NVD_CVES_PAT }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           branch: automated/nvd-cve-update-${{ github.run_id }}
           delete-branch: true
           title: "chore: CVE advisories - ${{ steps.transform.outputs.new_count }} new, ${{ steps.updates.outputs.update_count }} updated"
@@ -699,7 +693,7 @@ jobs:
       - name: Run CodeQL on generated PR branch
         if: steps.create-pr.outputs.pull-request-number != ''
         env:
-          GH_TOKEN: ${{ secrets.POLL_NVD_CVES_PAT }}
+          GH_TOKEN: ${{ github.token }}
         run: |
           set -euo pipefail
 
diff --git a/.gitignore b/.gitignore
index 8faf088..bb8f2b7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .claude
+.auto-claude/
 .codex
 _bmad
 _bmad-output
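Review bot: The new job-level `permissions` block grants `actions: write`, which is broader than pushing a branch and opening a pull request needs; `contents: write` and `pull-requests: write` already cover the create-pull-request step. If the later "Run CodeQL on generated PR branch" step dispatches a workflow through `gh`, `actions: write` is the scope it needs, but if that step uploads SARIF to code scanning it would also need `security-events: write`, which this block does not grant — the step body is outside the hunk, so this is worth confirming against it. A comment above the block naming the consumer of each scope would make the grant auditable, e.g. `# actions: write — TODO confirm which step needs this (CodeQL dispatch?); contents/pull-requests: write — create-pull-request`. Note also that a job-level `permissions` block replaces, rather than extends, any workflow-level `permissions` for this job.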
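Review bot: Switching `token` to `secrets.GITHUB_TOKEN` changes how the generated PR behaves: events created with the default workflow token do not trigger other workflows, so `pull_request`-triggered CI (including any required status checks) will not run on the automated PR the way it did with the PAT. The explicit "Run CodeQL on generated PR branch" step in the next hunk is presumably the intended replacement, but any other required check will need a human push or re-open to run. This trade-off should be recorded above the step, e.g. `# GITHUB_TOKEN cannot trigger downstream pull_request workflows; CodeQL is run explicitly below.` The step's `with:` block continues outside the hunk.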
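Review bot: `GH_TOKEN: ${{ github.token }}` here and `token: ${{ secrets.GITHUB_TOKEN }}` in the previous hunk refer to the same token under two spellings in one commit; pick one form so a reader does not look for a difference that is not there, e.g. `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`. The step's `run:` body continues past the hunk, so whether it needs scopes beyond those granted at job level cannot be checked here.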