From 04fe4c53c0c4369eb5ef29bae3e792a65fbcd6bc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 6 Jun 2026 17:37:52 +0000
Subject: [PATCH 1/2] Initial plan
From 8a2174614c1a95b7fc1498d44ccf7b2b10fb2f81 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 6 Jun 2026 17:45:33 +0000
Subject: [PATCH 2/2] Add actions:read to SARIF upload job permissions
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/workflow/compiler_safe_outputs_job_test.go | 2 ++
 pkg/workflow/create_code_scanning_alert.go | 5 +++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/pkg/workflow/compiler_safe_outputs_job_test.go b/pkg/workflow/compiler_safe_outputs_job_test.go
index 66f42ab9fc4..7b96da8b4bf 100644
--- a/pkg/workflow/compiler_safe_outputs_job_test.go
+++ b/pkg/workflow/compiler_safe_outputs_job_test.go
@@ -1201,6 +1201,8 @@ func TestCreateCodeScanningAlertUploadJob(t *testing.T) {
 "Upload job must only run when sarif_file is non-empty")
 assert.Contains(t, uploadJob.If, string(constants.SafeOutputsJobName),
 "Upload job if-condition must reference safe_outputs outputs")
+ assert.Contains(t, uploadJob.Permissions, "actions: read",
+ "Upload job permissions must include actions: read for private-repo SARIF uploads")
 uploadSteps := strings.Join(uploadJob.Steps, "")
diff --git a/pkg/workflow/create_code_scanning_alert.go b/pkg/workflow/create_code_scanning_alert.go
index d5340a0942f..44b4fbff0f0 100644
--- a/pkg/workflow/create_code_scanning_alert.go
+++ b/pkg/workflow/create_code_scanning_alert.go
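Review bot: The new assertion only checks that the substring `actions: read` appears somewhere in `uploadJob.Permissions`, so it would not catch a regression that broadened another scope of the upload job at the same time. Since this test is the guard for the upload job's least-privilege set, I would pin the rest of the set next to the new line, e.g. `assert.Contains(t, uploadJob.Permissions, "contents: read")` and `assert.NotContains(t, uploadJob.Permissions, "contents: write")`, or compare against the exact expected block if `Permissions` is a rendered string as the `Contains` call suggests. TestCreateCodeScanningAlertUploadJob starts before and ends after the hunk.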
@@ -158,8 +158,9 @@ func (c *Compiler) buildCodeScanningUploadJob(data *WorkflowData) (*Job, error)
 // The job only runs when the safe_outputs job exported a non-empty SARIF file path.
 jobCondition := fmt.Sprintf("needs.%s.outputs.sarif_file != ''", constants.SafeOutputsJobName)
- // Permissions: contents:read to checkout, security-events:write to upload SARIF
- permissions := NewPermissionsContentsReadSecurityEventsWrite()
+ // Permissions: contents:read to checkout, security-events:write to upload SARIF,
+ // actions:read for upload-sarif workflow run lookup in private repos
+ permissions := NewPermissionsContentsReadSecurityEventsWriteActionsRead()
 job := &Job{
 Name: string(constants.UploadCodeScanningJobName),
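Review bot: Nothing in this hunk introduces `NewPermissionsContentsReadSecurityEventsWriteActionsRead`, and the diffstat shows the commit touches only this file and its test, so the helper must already exist in the package; please confirm, otherwise the package will not compile. The added grant is a real widening of the generated job's `GITHUB_TOKEN` scope, so the comment should record why it is acceptable rather than only what it is for; I would change the two comment lines to `// Permissions: contents:read to checkout, security-events:write to upload SARIF,` / `// actions:read because codeql-action/upload-sarif resolves the workflow run in private repos; it is a read-only grant and is applied unconditionally since repository visibility is not known when the job is built`. If the compiler does know repository visibility at this point, a conditional grant would keep public-repo workflows at the previous minimum. buildCodeScanningUploadJob starts before and ends after the hunk.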