Fix rubocop workflow properly for push trigger

Instead of not running on the push trigger for Dependabot branches, which is not fully effective because it still fails on main when a merge is done by Dependabot due to `@dependabot merge` or similar command, this just specifies the required permissions in the workflow file, as is done e.g. in automatically generated CodeQL workflow files and as suggested in #6. I tested this in https://github.com/EliahKagan/hello-world. See EliahKagan/hello-world#14 including EliahKagan/hello-world@d565b84, EliahKagan/hello-world#15, and EliahKagan/hello-world#16.
EliahKagan · Sep 5, 2023 · 8d4de16 · 8d4de16
1 parent 4a5fad5
commit 8d4de16
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml
@@ -11,6 +11,12 @@ on: [push, pull_request]
 jobs:
   rubocop:
     runs-on: ubuntu-latest
+
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
     strategy:
       fail-fast: false
 
@@ -51,7 +57,7 @@ jobs:
         bundle exec rubocop --require code_scanning --format progress --format CodeScanning::SarifFormatter -o rubocop.sarif
 
     - name: Upload Sarif output
-      if: (success() || failure()) && (github.event_name != 'push' || !startsWith(github.ref, 'refs/heads/dependabot/'))
+      if: success() || failure()
       uses: github/codeql-action/upload-sarif@v2
       with:
         sarif_file: rubocop.sarif