From 93cffafea69f6ff250e18c325adb1e4ba4818493 Mon Sep 17 00:00:00 2001 From: Graham Savage Date: Thu, 21 May 2026 13:30:13 +0100 Subject: [PATCH] Restore pull-requests: read permission in reset-drift-detection job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous commit (a040666) removed this permission on the assumption that because `kosli attest pr github` is passed the token explicitly via `--github-token "$GH_TOKEN"`, the job's permissions block was irrelevant. That reasoning was wrong. The kosli_github_token secret is the caller's workflow GITHUB_TOKEN. Its capabilities are governed by the called job's permissions block, not the caller's — caller permissions only act as an upper bound on reusable workflows and do not propagate into them. Without pull-requests: read, the attestation step fails with: Resource not accessible by integration Restore the permission so the step can read PR metadata. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/apply.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml index 3526c86..b0e0c08 100644 --- a/.github/workflows/apply.yml +++ b/.github/workflows/apply.yml @@ -74,6 +74,7 @@ jobs: permissions: id-token: write contents: read + pull-requests: read env: KOSLI_ORG: ${{ inputs.kosli_org }} KOSLI_HOST: ${{ inputs.kosli_host }}
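Review bot: the restored `pull-requests: read` line in the `permissions:` block of the reset-drift-detection job carries no inline explanation, which is exactly how commit a040666 came to remove it on the assumption that `--github-token "$GH_TOKEN"` made it redundant. Add a YAML comment beside the line recording why it is needed (the called job's permissions block governs the token's capabilities, and `kosli attest pr github` fails with "Resource not accessible by integration" without it), for example `pull-requests: read  # required by kosli attest pr github; caller permissions do not propagate into reusable workflows`. The permission itself is the right scope: read-only on pull requests, alongside `id-token: write` and `contents: read`, is the minimum the attestation step needs and does not widen the job's write surface.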