From 63638dbe74a4296e32f86cb08d693e2fa0951e82 Mon Sep 17 00:00:00 2001
From: Ray <ray@cachekit.io>
Date: Fri, 19 Dec 2025 08:59:57 +1100
Subject: [PATCH] ci: add checks:write permission for rustsec/audit-check

The rustsec/audit-check action creates check runs via the GitHub
Checks API, which requires checks:write permission. Without it,
the action fails with "Resource not accessible by integration".
---
 .github/workflows/security-fast.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/security-fast.yml b/.github/workflows/security-fast.yml
index 61faaa9..45d7f72 100644
--- a/.github/workflows/security-fast.yml
+++ b/.github/workflows/security-fast.yml
@@ -9,7 +9,8 @@ on:
 permissions:
   contents: read
   pull-requests: read
-  security-events: write  # Required for rustsec/audit-check SARIF upload
+  checks: write  # Required for rustsec/audit-check to create check runs
+  security-events: write
 
 env:
   CARGO_TERM_COLOR: always