From a040666924c8e3a6f424d271e257ead89e31638c Mon Sep 17 00:00:00 2001 From: Graham Savage Date: Thu, 21 May 2026 11:28:51 +0100 Subject: [PATCH] Remove unused pull-requests: read permission from apply.yml The reset-drift-detection job declared pull-requests: read on its GITHUB_TOKEN, but nothing in the job uses GITHUB_TOKEN to access pull requests. The kosli attest pr github step uses the separately-passed kosli_github_token secret via --github-token, not the workflow's default token. Drop the permission so the job requests only what it actually needs. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/apply.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml index b0e0c08..3526c86 100644 --- a/.github/workflows/apply.yml +++ b/.github/workflows/apply.yml @@ -74,7 +74,6 @@ jobs: permissions: id-token: write contents: read - pull-requests: read env: KOSLI_ORG: ${{ inputs.kosli_org }} KOSLI_HOST: ${{ inputs.kosli_host }}
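Review bot: The permissions block in the `@@ -74,7 +74,6 @@` hunk loses `pull-requests: read` with no in-file record of why, and the step that justifies the removal is outside the visible context. Once a job declares an explicit `permissions:` block, every scope not listed is set to none, so after this change any step in the job that falls back to the default `GITHUB_TOKEN` for pull request data will fail. Before merging, confirm that no step in this job references `github.token` or `secrets.GITHUB_TOKEN`, and that no third-party action defaults to it. Also confirm that the `kosli_github_token` secret named in the commit message carries the pull request read access on its own. A short comment above `id-token: write` saying that PR attestation uses the separately passed token would keep the scope from being re-added later.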