From eaac544058944b9912ac94b6ff31bebf3adedb5e Mon Sep 17 00:00:00 2001
From: Ed Burns
Date: Wed, 25 Mar 2026 13:27:54 -0400
Subject: [PATCH 1/2] On branch edburns/dd-2855288-add-smoke-test-to-build-and-test

Make it so the branch protection rules are respected regarding pushing the badge update to `main`

modified: .github/workflows/build-test.yml

Fixes #31

Signed-off-by: Ed Burns
---
 .github/workflows/build-test.yml | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index f5df31e8d..4fed811c3 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -21,6 +21,7 @@ on:
 permissions:
   contents: write
   checks: write
+  pull-requests: write
 
 jobs:
 
@@ -94,19 +95,20 @@ jobs:
             target/surefire-reports/
           retention-days: 1
 
-      - name: Generate and commit JaCoCo badge
+      - name: Generate JaCoCo badge
         if: success() && github.ref == 'refs/heads/main'
-        run: |
-          .github/scripts/generate-coverage-badge.sh
-
-          # Commit if changed
-          if [[ $(git status --porcelain .github/badges/) ]]; then
-            git config --global user.name 'github-actions[bot]'
-            git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
-            git add .github/badges/
-            git commit -m "Update JaCoCo coverage badge"
-            git push
-          fi
+        run: .github/scripts/generate-coverage-badge.sh
+
+      - name: Create PR for JaCoCo badge update
+        if: success() && github.ref == 'refs/heads/main'
+        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
+        with:
+          commit-message: "Update JaCoCo coverage badge"
+          title: "Update JaCoCo coverage badge"
+          body: "Automated JaCoCo coverage badge update from CI."
+          branch: auto/update-jacoco-badge
+          add-paths: .github/badges/
+          delete-branch: true
 
       - name: Generate Test Report Summary
         if: always()

From 1d78942df590389763f5c42a116a9d3c54374dbf Mon Sep 17 00:00:00 2001
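Review bot: The `Create PR for JaCoCo badge update` step relies on the action's default `token` (the job's `GITHUB_TOKEN`), and a pull request opened with that token does not trigger `pull_request` workflows on its branch, so if branch protection on `main` requires status checks the badge PR will sit with no checks and cannot be merged by automation. For a badge-only change that is an acceptable trade-off, but it should be recorded next to the step so the next maintainer does not debug a "missing checks" PR: `# NOTE: a PR opened with GITHUB_TOKEN triggers no pull_request workflow; merge it manually or pass a GitHub App token via token:`. The full-SHA pin with the `# v7` marker and `add-paths: .github/badges/` are good — the PR can only ever carry badge files — and the `github.ref == 'refs/heads/main'` guard already excludes `merge_group` runs, whose ref lives under `refs/heads/gh-readonly-queue/`. The enclosing `steps:` list begins and ends outside the hunk.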
From: Ed Burns
Date: Wed, 25 Mar 2026 13:37:11 -0400
Subject: [PATCH 2/2] On branch edburns/dd-2855288-add-smoke-test-to-build-and-test

Reduce blast radius by tightening permissions.

modified: .github/workflows/build-test.yml

@Copilot wrote:
> The workflow-level token permissions are set to contents: write, checks: write, and now pull-requests: write for every run, including pull_request events. To reduce blast radius, consider setting the workflow default to read-only and granting write permissions only at the job/step that needs them (the badge PR step needs contents: write + pull-requests: write). This keeps PR runs from having unnecessary write scopes.

This is a good suggestion.

Signed-off-by: Ed Burns
---
 .github/workflows/build-test.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
index 4fed811c3..f77067fdc 100644
--- a/.github/workflows/build-test.yml
+++ b/.github/workflows/build-test.yml
@@ -19,9 +19,7 @@ on:
   merge_group:
 
 permissions:
-  contents: write
-  checks: write
-  pull-requests: write
+  contents: read
 
 jobs:
 
@@ -35,6 +33,10 @@ jobs:
     name: "Java SDK Tests"
     needs: smoke-test
     if: ${{ always() && needs.smoke-test.result != 'failure' }}
+    permissions:
+      contents: write
+      checks: write
+      pull-requests: write
     runs-on: ubuntu-latest
     defaults:
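Review bot: Setting the workflow default to `contents: read` is right, but GitHub has no step-level permissions, so the job-level block added in the next hunk (which runs past the end of this excerpt) still hands every step of the `Java SDK Tests` job `contents: write` and `pull-requests: write` on every trigger, including `pull_request` runs that build and execute the project's tests with that token. Only the two badge steps, already gated on `github.ref == 'refs/heads/main'`, need the write scopes; moving them into a separate job that `needs` the test job and declares those permissions itself leaves the test job with `checks: write` alone (or nothing, if the report summary step does not need it) on PR builds. That split does require the test job to hand over whatever JaCoCo output the badge script reads, presumably via an artifact, which I cannot confirm from this hunk. Any job without its own `permissions` block — `smoke-test`, if it declares none — now inherits `contents: read`, which is presumably enough but worth a check.

```yaml
  # … unchanged: smoke-test job and "Java SDK Tests" job (drop contents/pull-requests write there,
  # keep checks: write only if the report step needs it, upload the JaCoCo output as an artifact) …
  update-jacoco-badge:  # placeholder job id
    name: "Update JaCoCo badge"
    needs: TEST_JOB_ID  # placeholder: the id of the "Java SDK Tests" job
    if: ${{ needs.TEST_JOB_ID.result == 'success' && github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      # … checkout, then download the JaCoCo artifact the test job uploaded …
      - name: Generate JaCoCo badge
        run: .github/scripts/generate-coverage-badge.sh
      - name: Create PR for JaCoCo badge update
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7
        # … unchanged: the with: block from the previous commit …
```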