ci: grant pull-requests:write to openapi-validation job

andrekutianski · andrekutianski · commit aaa7ef65dd56 · 2026-04-25T20:45:40.000-03:00
The job uses actions/github-script to post a PR comment with spec
validation info, but failed with HTTP 403 "Resource not accessible by
integration" because the default GITHUB_TOKEN permissions for the
workflow were read-only.

Scope the new permissions to this job only (least privilege) and
keep `contents: read` for checkout — adding a `permissions:` block
implicitly drops all other defaults to none.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -127,6 +127,9 @@ jobs:
   openapi-validation:
     name: OpenAPI Validation
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
 
     steps:
       - name: Checkout code
