From 59245fd15994466f2d1c292d5a0eaa4687bf28ee Mon Sep 17 00:00:00 2001
From: Henry Mercer <henrymercer@github.com>
Date: Fri, 27 Feb 2026 17:39:20 +0100
Subject: [PATCH] Add missing permissions to access feature flags

---
 .github/workflows/codeql.yml                       | 2 ++
 .github/workflows/debug-artifacts-failure-safe.yml | 2 ++
 .github/workflows/debug-artifacts-safe.yml         | 2 ++
 .github/workflows/python312-windows.yml            | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 0f7b59424..0b32bc20e 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -31,6 +31,8 @@ jobs:
 
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
 
     steps:
     - uses: actions/checkout@v6
diff --git a/.github/workflows/debug-artifacts-failure-safe.yml b/.github/workflows/debug-artifacts-failure-safe.yml
index 4d0433535..6c456ea88 100644
--- a/.github/workflows/debug-artifacts-failure-safe.yml
+++ b/.github/workflows/debug-artifacts-failure-safe.yml
@@ -41,6 +41,8 @@ jobs:
       CODEQL_ACTION_TEST_MODE: true
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
     timeout-minutes: 45
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/debug-artifacts-safe.yml b/.github/workflows/debug-artifacts-safe.yml
index 7886d44c7..7c1d8da64 100644
--- a/.github/workflows/debug-artifacts-safe.yml
+++ b/.github/workflows/debug-artifacts-safe.yml
@@ -40,6 +40,8 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository
diff --git a/.github/workflows/python312-windows.yml b/.github/workflows/python312-windows.yml
index 79602d056..880ecd578 100644
--- a/.github/workflows/python312-windows.yml
+++ b/.github/workflows/python312-windows.yml
@@ -26,6 +26,8 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
+      # We currently need `security-events: read` to access feature flags.
+      security-events: read
     runs-on: windows-latest
 
     steps: