[BUG]: Resource not accessible by integration

[larseggert]

Pre-submission checks

• I am not filing a feature request. These should be filed via the feature request form instead.
• I have looked through the open issues for a duplicate report.

Expected behavior

Running via CI when pushing to main should work.

Actual behavior

https://github.com/mozilla/neqo/actions/runs/13136647646/job/36653466342#step:5:19

Run github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a
Warning: Resource not accessible by integration
Uploading results
  Processing sarif files: ["results.sarif"]
  Validating results.sarif
  Combining SARIF files using the CodeQL CLI
  Adding fingerprints to SARIF file. See https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#providing-data-to-track-code-scanning-alerts-across-runs for more information.
  Uploading results
  Warning: Resource not accessible by integration
  Error: Resource not accessible by integration
  Warning: Resource not accessible by integration

Reproduction steps

https://github.com/mozilla/neqo/actions/runs/13136647646/workflow

Logs

https://github.com/mozilla/neqo/actions/runs/13136647646/job/36653466342#step:5:19

Additional context

No response

[woodruffw]

Thanks for the report @larseggert!

I took a look at your workflow, and I'm pretty sure it's failing because you didn't give the security-events: write permission to the zizmor job. The example workflow here shows the minimum permissions typically needed.

(I really wish GitHub provided a more clear error there.)

[larseggert]

Doh! I must have dropped this when I moved the zizmor workflow into the existing CI lint action.

mozilla/neqo#2418