chore(deps): update schemastore digest to 0f07d9d #53

Open: renovate[bot] wants to merge 1 commit into main from renovate/schemastore-digest


renovate Bot (Contributor) commented May 25, 2026

This PR contains the following updates:

Package | Update | Change
schemastore (changelog) | digest | ba06047 → 0f07d9d

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday (* 0-4,22-23 * * 1-5)
    • Only on Sunday and Saturday (* * * * 0,6)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions Bot (Contributor) commented May 25, 2026

Renovate PR Review Results

⚖️ Safety Assessment: ✅ Safe

🔍 Release Content Analysis

SchemaStore digest update: ba06047 → 0f07d9d (May 25 → June 1, 2026)

Changes within this range that affect ghasec:

  • src/schemas/json/github-workflow.json — one additive change (commit dbc0fd1): added "code-quality" as a valid permission scope, inserted alphabetically between "checks" and "contents". This reflects a new GitHub-native permission type.
  • src/schemas/json/github-action.json — no changes in this range.
  • All other changes in the SchemaStore range are unrelated schemas (not consumed by ghasec).

No breaking changes. No removals. The sole change is purely additive.

🎯 Impact Scope Investigation

How SchemaStore is consumed:

  • SchemaStore is a git submodule used exclusively at code-generation time (go generate ./rules/invalid-workflow/ ./rules/invalid-action/).
  • It is not read at runtime. The compiled binary depends on the committed rules/invalid-workflow/generated.go and rules/invalid-action/generated.go, not the submodule directly.

What this PR changes:

  • Only the submodule pointer in .gitmodules / .git/modules/schemastore. No Go source files are touched.
  • rules/invalid-workflow/generated.go and rules/invalid-action/generated.go are not regenerated in this PR — binary behavior is completely unchanged.

Existing false-positive gap (pre-existing, not introduced by this PR):

  • Workflows using permissions: code-quality: read/write/none would currently be flagged as unknown permission keys by ghasec. This was true before this PR and remains true after — merging this PR does not worsen or fix it.
  • Fixing it requires a follow-up go generate ./rules/invalid-workflow/ after this submodule pointer lands.

Dependency impact:

  • cmd/gen/convert_test.go loads schema files from the submodule at test time. The additive code-quality enum entry would be picked up if tests are run with the updated submodule, but this only adds coverage and does not break existing assertions.

💡 Recommended Actions

  • Merge this PR as-is. The submodule pointer update is safe and contains no breaking changes.
  • Follow-up (recommended): Run go generate ./rules/invalid-workflow/ ./rules/invalid-action/ after merging and open a separate PR with the regenerated generated.go. This will teach ghasec about the new code-quality permission and eliminate false positives for users already using it.
  • No configuration changes, migration steps, or manual code edits are required to merge safely.

🔗 Reference Links

Generated by koki-develop/claude-renovate-review

renovate Bot force-pushed the renovate/schemastore-digest branch from 4ac0970 to b3a289a (May 26, 2026 16:16)
renovate Bot changed the title from "chore(deps): update schemastore digest to 23a76d1" to "chore(deps): update schemastore digest to 12689a9" (May 26, 2026)
renovate Bot force-pushed the renovate/schemastore-digest branch from b3a289a to 8b5d756 (May 26, 2026 21:44)
renovate Bot changed the title from "chore(deps): update schemastore digest to 12689a9" to "chore(deps): update schemastore digest to dbc0fd1" (May 26, 2026)
renovate Bot force-pushed the renovate/schemastore-digest branch from 8b5d756 to 6c9d9c2 (May 29, 2026 02:44)
renovate Bot changed the title from "chore(deps): update schemastore digest to dbc0fd1" to "chore(deps): update schemastore digest to ee52625" (May 29, 2026)
renovate Bot force-pushed the renovate/schemastore-digest branch from 6c9d9c2 to 3974a6c (May 30, 2026 02:12)
renovate Bot changed the title from "chore(deps): update schemastore digest to ee52625" to "chore(deps): update schemastore digest to a8f2554" (May 30, 2026)
renovate Bot force-pushed the renovate/schemastore-digest branch from 3974a6c to 593130a (May 30, 2026 17:09)
renovate Bot changed the title from "chore(deps): update schemastore digest to a8f2554" to "chore(deps): update schemastore digest to 6f2e0a1" (May 30, 2026)
renovate Bot force-pushed the renovate/schemastore-digest branch from 593130a to 6c6cef4 (May 31, 2026 06:15)
renovate Bot changed the title from "chore(deps): update schemastore digest to 6f2e0a1" to "chore(deps): update schemastore digest to bc1a401" (May 31, 2026)
renovate Bot force-pushed the renovate/schemastore-digest branch from 6c6cef4 to 8734106 (June 1, 2026 00:21)
renovate Bot changed the title from "chore(deps): update schemastore digest to bc1a401" to "chore(deps): update schemastore digest to 2d7d28f" (Jun 1, 2026)
renovate Bot force-pushed the renovate/schemastore-digest branch from 8734106 to 3c7d612 (June 1, 2026 21:48)
renovate Bot changed the title from "chore(deps): update schemastore digest to 2d7d28f" to "chore(deps): update schemastore digest to 0f07d9d" (Jun 1, 2026)