fix(ci): grant checks:write to CI-unit-tests-asan-coverage

The workflow's permissions block declared only `contents: read` and `id-token: write`. The final step in the job is a `LouisBrunner/checks-action@v2.0.0` call that updates the check-run status. POSTing a check run requires `checks:write`, and without it the action fails with: ##[error]Resource not accessible by integration Every run since at least 2026-05-26 has failed at this step even when build + ASAN unit tests + LCOV coverage capture + Codecov upload all succeeded -- the workflow has been showing red on the dashboard for purely cosmetic reasons. Found while investigating the #5828 fan-out cascade's red lines (this workflow isn't in the fan-out, but the same cascade re-runs it, so it appeared in the same failure list).
1 month ago · 30b2553398
parent a94ba88a20
commit 30b2553398
1 changed files with 8 additions and 0 deletions
--- a/.github/workflows/CI-unit-tests-asan-coverage.yml
+++ b/.github/workflows/CI-unit-tests-asan-coverage.yml
@ -80,6 +80,14 @@ jobs:
    permissions:
      contents: read
      id-token: write
+      # `LouisBrunner/checks-action@v2.0.0` (last step) needs to POST
+      # check-runs to update the workflow's check status; without
+      # checks:write it fails with "Resource not accessible by
+      # integration" on every run, which made the workflow show red
+      # even when build, tests, coverage capture, and Codecov upload
+      # all succeeded. Pre-dates this PR but found while investigating
+      # the #5828 cascade's red lines.
+      checks: write

    steps: