fix: grant packages:read + security-events:write to published-images scan #540

Merged
jandroav merged 1 commit into main from fix/published-images-scan-permissions on Apr 21, 2026

Conversation

@jnewton03
Contributor

Summary

Fixes the daily Published Images Vulnerability Scanning scheduled workflow
failing with startup_failure since 2026-04-17.

Root cause: On 2026-04-17, liquibase/build-logic added packages: read and
security-events: write to the vulnerability-scan job-level permissions in
reusable-vulnerability-scan.yml. GitHub's reusable-workflow contract requires
the caller's effective permissions to be a superset of what the called reusable's
jobs declare. The vulnerability-scan caller job had no job-level permissions, so
it inherited the workflow-level block, which was missing both scopes. Every
scheduled run has produced this error since then:

The nested job 'vulnerability-scan' is requesting 'packages: read, security-events: write',
but is only allowed 'packages: none, security-events: none'.

Fix: Add both missing permissions at the workflow level in
.github/workflows/trivy-scan-published-images.yml, matching the pattern already
used in the sibling trivy.yml workflow.

Failing runs addressed

Not in scope

Test plan

  • Verify this PR's own workflows start cleanly
  • After merge, manually trigger:
    gh workflow run trivy-scan-published-images.yml --repo liquibase/docker -f max_tags_to_scan=1
    and confirm jobs start (not startup_failure at 1s)
  • Confirm next scheduled run (Mon–Fri 10:00 UTC) succeeds

🤖 Generated with Claude Code
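The permission contract described in the root-cause section can be modelled as a small check. This is an added example, not code from the liquibase/docker or build-logic repositories; the permission blocks are constructed from the scopes quoted in the PR (the id-token scope from the review walkthrough), and the real workflow files are not reproduced.

```python
"""Model GitHub's reusable-workflow permission contract.

A caller job's *effective* permissions (its job-level block if present,
otherwise the workflow-level block) must cover every scope the called
reusable job declares. When a permissions block is given, any scope it
does not mention is treated as 'none'.
"""

# Rank of each access level; 'write' is a superset of 'read'.
_LEVEL = {"none": 0, "read": 1, "write": 2}

# Job-level block build-logic added to reusable-vulnerability-scan.yml
# (constructed from the scopes named in the PR; other keys not modelled).
REUSABLE_JOB_PERMISSIONS = {"packages": "read", "security-events": "write"}

# Caller workflow-level block before the fix (only id-token: write).
CALLER_BEFORE = {"id-token": "write"}
# Caller workflow-level block after the fix.
CALLER_AFTER = {"id-token": "write", "packages": "read", "security-events": "write"}


def effective_permissions(workflow_level, job_level=None):
    """Block GitHub applies to a job: the job's own block wins when set."""
    return job_level if job_level is not None else workflow_level


def check_contract(caller_effective, called_job):
    """Return (scope, needed, granted) for every scope the caller grants too little of."""
    violations = []
    for scope, needed in called_job.items():
        granted = caller_effective.get(scope, "none")  # unspecified scope -> none
        if _LEVEL[granted] < _LEVEL[needed]:
            violations.append((scope, needed, granted))
    return violations


def format_error(violations, job_name="vulnerability-scan"):
    """Render violations the way the GitHub startup_failure message does."""
    if not violations:
        return None
    requested = ", ".join(f"{s}: {need}" for s, need, _ in violations)
    allowed = ", ".join(f"{s}: {got}" for s, _, got in violations)
    return (f"The nested job '{job_name}' is requesting '{requested}', "
            f"but is only allowed '{allowed}'.")


if __name__ == "__main__":
    # The caller job had no job-level block, so the workflow-level block applies.
    print(format_error(check_contract(effective_permissions(CALLER_BEFORE), REUSABLE_JOB_PERMISSIONS)))
    after = check_contract(effective_permissions(CALLER_AFTER), REUSABLE_JOB_PERMISSIONS)
    print("after fix:", "OK" if not after else format_error(after))
```

Running the block prints the exact startup_failure message from the PR for the pre-fix block and "after fix: OK" for the corrected one; a job-level block on the caller (e.g. packages: write) would also satisfy the contract, since write covers read.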

…s scan

After build-logic added `packages: read` and `security-events: write` to
the `reusable-vulnerability-scan.yml` job-level permissions block (2026-04-17),
every scheduled run of `trivy-scan-published-images.yml` began failing with
startup_failure:

  "The nested job 'vulnerability-scan' is requesting
   'packages: read, security-events: write',
   but is only allowed 'packages: none, security-events: none'."

GitHub enforces that a called reusable's job permissions must not exceed the
caller's effective permissions. The `vulnerability-scan` job in this caller
had no job-level permissions, so it inherited workflow-level, which was missing
both scopes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Apr 20, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 6ed1af4 and 65193ad.

📒 Files selected for processing (1)
  • .github/workflows/trivy-scan-published-images.yml

Walkthrough

The pull request updates workflow-level permissions in the Trivy vulnerability scanning workflow file. Two new permissions are added to allow image pulling from GHCR and security event reporting, while the existing id-token permission is retained with reformatted comment spacing.

Changes

  • Cohort: Workflow Permissions Configuration
    File(s): .github/workflows/trivy-scan-published-images.yml
    Summary: Added packages: read permission for GHCR image pulling and security-events: write permission for vulnerability reporting. Retained id-token: write with reformatted comment spacing.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested labels

TypeCI

Suggested reviewers

  • jandroav
  • sayaliM0412
  • rberezen
Pre-merge checks: 3 passed

  • Title check: Passed. The PR title directly and specifically describes the main change: granting two missing permissions (packages:read and security-events:write) to the published-images scan workflow.
  • Description check: Passed. The PR description is comprehensively related to the changeset, providing root cause analysis, the specific fix applied, failing runs addressed, and a clear test plan.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@claude
Contributor

claude Bot commented Apr 20, 2026

Claude finished @jnewton03's task in 26s
Code Review

Task Checklist

  • Review PR changes and context
  • Verify fix addresses the root cause
  • Check alignment with referenced pattern

Analysis

LGTM - The fix correctly addresses the reported issue.

Why the fix works:

  • Adds packages: read (needed for reusable workflow to pull images from GHCR) and security-events: write (required unconditionally by reusable workflow)
  • Aligns with the GitHub reusable-workflow permission contract: caller's effective permissions must be a superset of what called jobs declare
  • Fixes the exact error: "The nested job 'vulnerability-scan' is requesting 'packages: read, security-events: write', but is only allowed 'packages: none, security-events: none'."

Pattern consistency:

  • The fix correctly distinguishes packages: read (this workflow only pulls published images) vs packages: write in trivy.yml (which builds and pushes)
  • Comments clearly explain the purpose of each permission

No issues found:


@jnewton03 jnewton03 self-assigned this Apr 20, 2026
@jnewton03 jnewton03 requested a review from jandroav April 20, 2026 22:55
@jandroav jandroav merged commit b7738c6 into main Apr 21, 2026
8 of 9 checks passed
@jandroav jandroav deleted the fix/published-images-scan-permissions branch April 21, 2026 05:20