[deep-report] Fix dependabot-go-checker compilation: move vulnerability-alerts permission to workflow level

[github-actions]

Description

The dependabot-go-checker workflow fails to compile due to the vulnerability-alerts: read permission being declared at the job level, which is not allowed in the GitHub Actions schema. The permission must be at the workflow level. This blocks the agentic-maintenance compilation workflow from passing CI.

Error from Workflow Health Dashboard (2026-04-24):

vulnerability-alerts: read permission not allowed at job level in GitHub Actions schema

Expected Impact

Unblocks the agentic-maintenance workflow compilation. One-line fix that restores CI green on this workflow.

Suggested Agent

An agent should open dependabot-go-checker.md, find the permissions: block under the job definition, and move vulnerability-alerts: read to the top-level permissions: block in the workflow frontmatter. Then recompile the lock file.

Estimated Effort

Fast (< 30 min) — single-line move in the workflow markdown.

Data Source

DeepReport Intelligence Briefing — April 24, 2026 (run §24896194233). Flagged in the Workflow Health Dashboard discussion #28258.

Generated by DeepReport - Intelligence Gathering Agent · ● 570.7K · ◷

• expires on Apr 26, 2026, 3:15 PM UTC

[github-actions]

🍪 *Issue Monster selected this for Copilotecho BEGIN___COMMAND_OUTPUT_MARKER ; PS1= ; PS2= ; unset HISTFILE ; EC=0 ; echo ___BEGIN___COMMAND_DONE_MARKER___0 ; }

I've identified this issue as a good candidate for automated resolution and requested assignment to the Copilot coding agent.

If assignment succeeds, the Copilot coding agent will analyze the issue and create a pull request with the fix.

Om nom nom! 🍪

Caution

Security scanning requires review for Issue Monster

Details

Potential security threats were detected in the agent output. The workflow output should be reviewed before merging.

Review the workflow run logs for details.

🍪 Om nom nom by Issue Monster · ● 26.9K · ◷