
ci: Set required underlying permissions #931

Merged: MaxymVlasov merged 3 commits into master from MaxymVlasov-patch-1 on Sep 5, 2025

Conversation

@MaxymVlasov (Collaborator)

Description of your changes

Fix missing privileges in scheduled runs - https://github.com/antonbabenko/pre-commit-terraform/actions/runs/17423654222

Copilot AI review requested due to automatic review settings September 3, 2025 12:07
coderabbitai bot commented Sep 3, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Updated CI permissions to allow writing security events during scheduled runs.
    • Adjusted linter download matching in pre-commit checks for broader asset compatibility across releases.
    • No changes to triggers, job logic, or application behavior.
    • No user-facing changes; builds and checks continue to run as before.

Walkthrough

Added a top-level GitHub Actions permission security-events: write to .github/workflows/scheduled-runs.yml and updated the hadolint release asset regex in .github/workflows/pre-commit.yaml to match hadolint-linux-x86_64. No workflow triggers, run names, jobs, or control flow were changed.

Changes

  • Scheduled runs workflow (.github/workflows/scheduled-runs.yml): Added top-level permission security-events: write. No other changes to triggers, run-name, or jobs.
  • Pre-commit workflow, hadolint asset (.github/workflows/pre-commit.yaml): Changed hadolint release asset name regex from hadolint-Linux-x86_64 to hadolint-linux-x86_64 and made grep case-insensitive; download/install steps unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • antonbabenko
  • yermulnik
  • webknjaz

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 0af236f and faed00e.

📒 Files selected for processing (1)
  • .github/workflows/pre-commit.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/pre-commit.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (11)
  • GitHub Check: 🧪 Tests / pytest@🐍3.10@windows-2025
  • GitHub Check: 🧪 Tests / pytest@🐍3.11@windows-2025
  • GitHub Check: 🧪 Tests / pytest@🐍3.12@windows-2025
  • GitHub Check: 🧪 Tests / pytest@🐍3.9@windows-2025
  • GitHub Check: 🧪 Tests / pytest@🐍3.13@windows-2025
  • GitHub Check: 🧹 Linters / pre-commit@🐍3.13@ubuntu-latest
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.13@macos-13
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.12@macos-13
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.9@macos-13
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.9@macos-14
  • GitHub Check: ∞ Main CI/CD pipeline / 🧹 Linters / pre-commit@🐍3.13@ubuntu-latest

Copilot AI (Contributor) left a comment

Pull Request Overview

This PR fixes missing permissions for scheduled workflow runs by adding required security-events write permissions to address privilege issues identified in GitHub Actions execution.



MaxymVlasov changed the title from "ci: Set required underline permissions" to "ci: Set required underlying permissions" on Sep 3, 2025
coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/scheduled-runs.yml (1)

13-13: Optional: future-proof for private repos.

Per prior learnings, public repos only need security-events: write; private repos also need actions: read (you already have contents: read). Consider adding if this workflow will be used privately.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 199343e and 75d0da1.

📒 Files selected for processing (1)
  • .github/workflows/scheduled-runs.yml (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-09-01T16:39:54.002Z
Learnt from: webknjaz
PR: antonbabenko/pre-commit-terraform#930
File: .github/workflows/ci-cd.yml:511-514
Timestamp: 2025-09-01T16:39:54.002Z
Learning: The zizmor-action (GitHub Actions security scanner) has different permission requirements based on repository visibility: for public repositories, only `security-events: write` is required; for private repositories, `contents: read` and `actions: read` are also needed alongside `security-events: write`.

Applied to files:

  • .github/workflows/scheduled-runs.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (9)
  • GitHub Check: 🧪 Tests / pytest@🐍3.11@windows-2025
  • GitHub Check: 🧪 Tests / pytest@🐍3.10@windows-2025
  • GitHub Check: 🧪 Tests / pytest@🐍3.9@windows-2025
  • GitHub Check: 🧹 Linters / pre-commit@🐍3.13@ubuntu-latest
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.13@macos-13
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.9@macos-13
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.9@macos-14
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.12@macos-13
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.11@macos-13

@MaxymVlasov MaxymVlasov marked this pull request as draft September 3, 2025 12:15
coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/pre-commit.yaml (1)

46-53: Make the download more robust and verify checksum

Parsing JSON with grep is brittle; also we’re not verifying integrity. Suggest using jq to select the asset and validate SHA256.

     - name: Install hadolint
-      run: >-
-        curl -L "$(
-        curl -s https://api.github.com/repos/hadolint/hadolint/releases/latest
-        | grep -o -E -m 1 "https://.+?/hadolint-linux-x86_64"
-        )"
-        > hadolint
-        && chmod +x hadolint && sudo mv hadolint /usr/bin/
+      run: |
+        set -euo pipefail
+        API=https://api.github.com/repos/hadolint/hadolint/releases/latest
+        URL=$(curl -s "$API" | jq -r '.assets[] | select(.name=="hadolint-linux-x86_64") | .browser_download_url')
+        SHA=$(curl -s "$API" | jq -r '.assets[] | select(.name=="hadolint-linux-x86_64.sha256") | .browser_download_url' \
+          | xargs -n1 curl -sL | awk '{print $1}')
+        curl -sSL "$URL" -o hadolint
+        echo "$SHA  hadolint" | sha256sum -c -
+        chmod +x hadolint
+        sudo mv hadolint /usr/bin/
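Review bot: the expected digest in the suggested block is fetched from the same release endpoint as the binary (`SHA=$(curl -s "$API" | jq -r '... hadolint-linux-x86_64.sha256 ...')`), so `sha256sum -c` only catches a corrupted or mismatched download, not a tampered release; for real supply-chain value, pin the release tag instead of resolving `latest` at run time and record the expected digest in the workflow itself. Two smaller points in the same block: both `curl -s "$API"` calls lack `--fail`, and `jq -r` prints `null` or nothing when the selected asset is absent, so `URL` can end up empty and the failure only surfaces as a confusing `curl -sSL "" -o hadolint` error; add `--fail` and a guard such as `[ -n "$URL" ]`. The `hadolint-linux-x86_64.sha256` sidecar asset is also an assumption the suggestion introduces; confirm the project actually publishes one before depending on it.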
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 75d0da1 and 0af236f.

📒 Files selected for processing (1)
  • .github/workflows/pre-commit.yaml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.13@macos-13
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.9@macos-14
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.12@macos-13
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.11@windows-2025
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.13@macos-14
  • GitHub Check: ∞ Main CI/CD pipeline / 🧪 Tests / pytest@🐍3.10@macos-14
  • GitHub Check: ∞ Main CI/CD pipeline / 🧹 Linters / pre-commit@🐍3.13@ubuntu-latest
🔇 Additional comments (1)
.github/workflows/pre-commit.yaml (1)

46-53: Correct asset name; fixes hadolint download on latest releases

Switching to hadolint-linux-x86_64 matches current release asset names and unblocks the curl pipeline.
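Putting the two review points together (the permissions nitpick on scheduled-runs.yml and the download-hardening suggestion on pre-commit.yaml), here is an added example workflow. It is not the repository's own .github/workflows/scheduled-runs.yml or pre-commit.yaml, and not CodeRabbit's suggested diff: it shows a least-privilege top-level permissions block that covers both the public-repo case (security-events: write) and the private-repo case (contents: read plus actions: read) from the learning above, and a hadolint install step that pins the release tag and checks the binary against a digest stored in the workflow rather than one fetched from the same release endpoint. The release tag, the digest, the cron schedule, the job name and the checkout action reference are placeholders and assumptions, not values taken from this PR.

```yaml
# Added example workflow (not the project's own file). Placeholder values
# (HADOLINT_VERSION, HADOLINT_SHA256, the cron line) are NOT real and must be
# replaced with values from a release you have audited yourself.
name: Scheduled security scans (example)

on:
  schedule:
    - cron: '0 6 * * 1'   # constructed weekly schedule, not from the PR
  workflow_dispatch:

# Top-level token scope: nothing beyond what is listed here.
permissions:
  contents: read          # needed for checkout; also required on private repos
  security-events: write  # upload scanner results (sufficient alone on public repos)
  actions: read           # additionally required on private repos (per the learning above)

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # assumption: pin to a full commit SHA in production

      - name: Install hadolint (pinned tag, checksum recorded in-workflow)
        env:
          HADOLINT_VERSION: "vX.Y.Z"                              # placeholder tag
          HADOLINT_SHA256: "<PLACEHOLDER_SHA256_FROM_AUDITED_RELEASE>"  # placeholder digest
        run: |
          set -euo pipefail
          # Deterministic URL: no "latest" lookup, no JSON parsing at run time.
          url="https://github.com/hadolint/hadolint/releases/download/${HADOLINT_VERSION}/hadolint-linux-x86_64"
          # --fail makes an HTTP error exit non-zero instead of saving an error page as the binary.
          curl --fail --silent --show-error --location "$url" -o hadolint
          # The expected digest comes from the workflow, not from the download server,
          # so a swapped release asset fails here instead of being installed.
          echo "${HADOLINT_SHA256}  hadolint" | sha256sum --check --strict -
          sudo install -m 0755 hadolint /usr/local/bin/hadolint
          hadolint --version
```

When the tool is upgraded, the tag and digest change together in one reviewed commit, which is the point of the design: the checksum line then documents exactly which binary the scheduled job trusts, and the token scopes above stay at the minimum the scanner needs for the repository's visibility.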

@MaxymVlasov MaxymVlasov marked this pull request as ready for review September 3, 2025 12:19
yermulnik previously approved these changes Sep 3, 2025
@MaxymVlasov MaxymVlasov enabled auto-merge (squash) September 5, 2025 12:04
@MaxymVlasov MaxymVlasov merged commit 48b3a29 into master Sep 5, 2025
83 of 102 checks passed
@MaxymVlasov MaxymVlasov deleted the MaxymVlasov-patch-1 branch September 5, 2025 12:06
@antonbabenko (Owner) commented:

This PR is included in version 1.100.1 🎉
