Description
Objective
Add missing vulnerability-alerts: read permission to the 7 workflows that use the dependabot toolset but are missing this required permission, eliminating the compiler warnings.
Context
Source: Static Analysis Report - 2026-03-22
Warning type: Missing vulnerability-alerts: read permission (dependabot toolset)
Count: 7 warnings
Affected workflows (from analysis report):
- daily-firewall-report
- deep-report
- dependabot-go-checker
- github-mcp-structural-analysis
- github-mcp-tools-report
- security-review
- (+ 1 more: investigate to find the 7th)
The compiler warns when a workflow uses the dependabot toolset but doesn't declare vulnerability-alerts: read in its permissions: block. The dependabot toolset requires this permission to list dependabot alerts.
Approach
- Find all 7 affected workflow .md files:
  grep -rl "dependabot" .github/workflows/*.md
- For each affected workflow, add vulnerability-alerts: read to the permissions block in the frontmatter:
  permissions:
    vulnerability-alerts: read
    # ... other existing permissions
- Run make recompile to regenerate all lock files
- Verify the 7 compiler warnings are gone
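As an added example (not code from the issue or from the gh-aw project), a small checker and fixer that applies the rule above to a workflow's frontmatter: flag a file whose github toolsets include dependabot but whose permissions block lacks vulnerability-alerts: read, and insert the entry. The sample frontmatter is constructed, and the tools.github.toolsets layout and two-space indent are assumptions.

```python
import re

# Constructed sample frontmatter (assumed gh-aw layout: tools.github.toolsets).
MISSING = """---
permissions:
  contents: read
  issues: write
tools:
  github:
    toolsets: [default, dependabot]
---
# Daily report
"""
FIXED = MISSING.replace("  issues: write\n", "  issues: write\n  vulnerability-alerts: read\n")
NO_TOOLSET = MISSING.replace("[default, dependabot]", "[default]")

def frontmatter(text):
    """Return the YAML between the leading '---' markers, or '' if absent."""
    m = re.match(r"^---\n(.*?)\n---", text, re.S)
    return m.group(1) if m else ""

def uses_dependabot_toolset(fm):
    """True if github toolsets (inline list or '- item' list) include dependabot."""
    m = re.search(r"toolsets:\s*(\[[^\]]*\]|(?:\n\s*-\s*[\w-]+)+)", fm)
    return bool(m and re.search(r"\bdependabot\b", m.group(1)))

def has_vuln_alerts_read(fm):
    """True if the indented block under 'permissions:' declares vulnerability-alerts: read."""
    m = re.search(r"^permissions:[ \t]*\n((?:[ \t]+.*\n?)*)", fm, re.M)
    block = m.group(1) if m else ""
    return re.search(r"^[ \t]+vulnerability-alerts:[ \t]*read[ \t]*$", block, re.M) is not None

def check(text):
    """Mirror the compiler warning: dependabot toolset declared without the permission."""
    fm = frontmatter(text)
    if uses_dependabot_toolset(fm) and not has_vuln_alerts_read(fm):
        return "missing vulnerability-alerts: read"
    return "ok"

def add_permission(text):
    """Insert the entry under an existing 'permissions:' block (assumed two-space indent)."""
    if check(text) == "ok":
        return text
    return re.sub(r"^(permissions:[ \t]*\n)", r"\1  vulnerability-alerts: read\n",
                  text, count=1, flags=re.M)

if __name__ == "__main__":
    for name, doc in [("missing", MISSING), ("fixed", FIXED), ("no-toolset", NO_TOOLSET)]:
        print(name, "->", check(doc))
```

The checker only understands a mapping-style permissions block; a shorthand such as permissions: read-all is not parsed and would be reported as missing.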
Files to Modify
- .github/workflows/daily-firewall-report.md
- .github/workflows/deep-report.md
- .github/workflows/dependabot-go-checker.md
- .github/workflows/github-mcp-structural-analysis.md
- .github/workflows/github-mcp-tools-report.md
- .github/workflows/security-review.md
- Investigate and find the 7th workflow
Acceptance Criteria
- All 7 compiler warnings about missing vulnerability-alerts: read are resolved
- make recompile produces 0 errors and fewer warnings (at least 7 fewer)
- The dependabot toolset functions correctly in these workflows with the new permission
Generated by Plan Command for issue #discussion #22240 (expires on Mar 24, 2026, 8:48 AM UTC)