From 9063a0798f61fe2d797d29d8cee02ab9a814857d Mon Sep 17 00:00:00 2001
From: Paul Macdonnell
Date: Mon, 4 May 2026 09:44:51 +1000
Subject: [PATCH 1/2] fix(ci): grant pull-requests:write to sbom reusable workflow caller
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pg-actions commit f283f3f added pull-requests:write to the GHAS-dependency-scan job. When a caller specifies explicit permissions, the called workflow is restricted to only those permissions — GitHub fails the workflow at startup if the called workflow requests more. Adds pull-requests:write to the sbom.yml job-level permissions so the reusable workflow can post PR comments again.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/sbom.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
index 741daff..9fe81b0 100644
--- a/.github/workflows/sbom.yml
+++ b/.github/workflows/sbom.yml
@@ -16,3 +16,4 @@ jobs:
 security-events: write
 id-token: write
 actions: read
+ pull-requests: write

From 8da1f9f697d8e995c5d2c0636bb6c96bce34396c Mon Sep 17 00:00:00 2001
From: Paul Macdonnell
Date: Mon, 4 May 2026 10:41:29 +1000
Subject: [PATCH 2/2] chore: add mise.toml so gh cli is available in reusable sbom workflow

The pg-actions reusable sbom.yml runs jdx/mise-action which reads the calling repo's mise.toml. Without it, gh is not installed and the attestation verify step fails.

Co-Authored-By: Claude Sonnet 4.6
---
 mise.lock | 40 ++++++++++++++++++++++++++++++++++++++++
 mise.toml | 5 +++++
 2 files changed, 45 insertions(+)
 create mode 100644 mise.lock
 create mode 100644 mise.toml

diff --git a/mise.lock b/mise.lock
new file mode 100644
index 0000000..94d75c4
--- /dev/null
+++ b/mise.lock
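Review bot: The new `pull-requests: write` line carries no note of what needs it, so the next reader sees four grants on this job with no way to tell which one can be dropped when pg-actions changes again; suggest a trailing comment, `pull-requests: write # pg-actions sbom.yml posts scan results as PR comments; required since f283f3f`. The job's `on:` trigger and its `uses:` reference are outside the hunk, so I cannot tell whether this workflow runs on `pull_request_target`; if it does, a write-capable token now meets untrusted PR content and the checked-out ref should be confirmed to be the base branch, not the PR head. Pinning the called workflow to a commit SHA rather than a branch would also keep this permission set from widening again without a visible diff here, but whether it is pinned is not shown in this hunk.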
@@ -0,0 +1,40 @@ +# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html + +[[tools.gh]] +version = "2.91.0" +backend = "aqua:cli/cli" + +[tools.gh."platforms.linux-arm64"] +checksum = "sha256:ccbed39c472d3dc1c501d1e164a9cffd934c5f6fce1012811a1a59d24cb7d7c6" +url = "https://github.com/cli/cli/releases/download/v2.91.0/gh_2.91.0_linux_arm64.tar.gz" +provenance = "github-attestations" + +[tools.gh."platforms.linux-arm64-musl"] +checksum = "sha256:ccbed39c472d3dc1c501d1e164a9cffd934c5f6fce1012811a1a59d24cb7d7c6" +url = "https://github.com/cli/cli/releases/download/v2.91.0/gh_2.91.0_linux_arm64.tar.gz" +provenance = "github-attestations" + +[tools.gh."platforms.linux-x64"] +checksum = "sha256:304a0d2460f4a8847d2f192bad4e2a32cd9420d28716e7ae32198181b65b5f9c" +url = "https://github.com/cli/cli/releases/download/v2.91.0/gh_2.91.0_linux_amd64.tar.gz" +provenance = "github-attestations" + +[tools.gh."platforms.linux-x64-musl"] +checksum = "sha256:304a0d2460f4a8847d2f192bad4e2a32cd9420d28716e7ae32198181b65b5f9c" +url = "https://github.com/cli/cli/releases/download/v2.91.0/gh_2.91.0_linux_amd64.tar.gz" +provenance = "github-attestations" + +[tools.gh."platforms.macos-arm64"] +checksum = "sha256:20446cd714d9fa1b69fbd410deade3731f38fe09a2b980c8488aa388dd320ada" +url = "https://github.com/cli/cli/releases/download/v2.91.0/gh_2.91.0_macOS_arm64.zip" +provenance = "github-attestations" + +[tools.gh."platforms.macos-x64"] +checksum = "sha256:8806784f93603fe6d3f95c3583a08df38f175df9ebc123dc8b15f919329980e2" +url = "https://github.com/cli/cli/releases/download/v2.91.0/gh_2.91.0_macOS_amd64.zip" +provenance = "github-attestations" + +[tools.gh."platforms.windows-x64"] +checksum = "sha256:ced3e6f4bb5a9865056b594b7ad0cf42137dc92c494346f1ca705b5dbf14c88e" +url = "https://github.com/cli/cli/releases/download/v2.91.0/gh_2.91.0_windows_amd64.zip" +provenance = "github-attestations" 
diff --git a/mise.toml b/mise.toml
new file mode 100644
index 0000000..3574f05
--- /dev/null
+++ b/mise.toml
@@ -0,0 +1,5 @@
+[settings]
+lockfile = true
+
+[tools]
+gh = "2.91.0"
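Review bot: `gh = "2.91.0"` has no comment explaining why a CLI that this repository's own code does not appear to use is pinned here; the reason (the pg-actions reusable sbom workflow runs jdx/mise-action, which installs from this file, and its attestation verify step fails without gh) lives only in the commit message. Suggest `# Installed by jdx/mise-action in the pg-actions reusable sbom workflow; its attestation verify step needs gh.` above the `[tools]` entry. The exact version together with `lockfile = true` is the right shape for a tool used in a supply-chain check, since the committed mise.lock carries per-platform sha256 checksums and release URLs for this release; keep the lock and this pin in the same commit whenever the version is bumped so the checksums stay authoritative. Whether the runner actually enforces the lock depends on the mise version that mise-action installs, which is outside this change and worth confirming once.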