Skip to content

feat(agent-token): request workflows, issues, packages:read in minted tokens#620

Merged
ExtraToast merged 1 commit into
mainfrom
fix/minter-request-workflows-issues-packages
Jun 8, 2026
Merged

feat(agent-token): request workflows, issues, packages:read in minted tokens#620
ExtraToast merged 1 commit into
mainfrom
fix/minter-request-workflows-issues-packages

Conversation

@jorisjonkers-dev-agents

Copy link
Copy Markdown
Contributor

What changed

GitHubAppInstallationTokenClient.REQUESTED_PERMISSIONS now requests issues:write, workflows:write, and packages:read in addition to the existing contents/pull_requests/actions:write.

Why

Minted installation tokens were scoped to contents/pull_requests/actions:write only. Even with the App granted broader permissions, GitHub narrows a token to the requested set — so runner tokens could not:

  • push .github/workflows/* (blocking the required Pipeline Complete pipeline in every repo),
  • edit or comment on tracking issues/milestones,
  • resolve published dev.extratoast.* / @extratoast packages for local builds.

administration remains deliberately unrequested (rulesets and repo settings stay operator-owned), and packages is read-only — artifact publishing is done by the release workflow's own GITHUB_TOKEN, not by runner tokens.

Scope

  • GitHubAppInstallationTokenClient.kt — widened REQUESTED_PERMISSIONS + KDoc.
  • GitHubAppInstallationTokenClientTest.kt — request/response assertions + narrowedPermissions expectations updated to the new set.
  • platform/cluster/flux/apps/agents/GITHUB-APP-SETUP.md — manifest default_permissions, troubleshooting, and fix steps updated; "do not grant Administration" retained.

Activation

Takes effect once (1) the App's repository permissions are widened + approved on each installation, and (2) a fresh token is minted (drop the cached /tmp/.gh-app-token or recreate the runner Pod). No assistant-api restart needed beyond deploying this change.

Verification

Pure unit-test change (no Testcontainers). Tests updated for parity but not run locally in this session — relies on CI (Pipeline Complete, once activated) and the follow-up session that picks up the re-minted token.

Versioning impact

None (no published artifact); enables the agent to author the versioning/CI infrastructure in later PRs.

Part of #605. Closes #606.

… tokens

Minted installation tokens carried only contents/pull_requests/actions:write,
so runner tokens could not push .github/workflows files (blocking the required
Pipeline Complete pipeline), edit/comment tracking issues, or resolve published
packages for local builds. GitHubAppInstallationTokenClient.REQUESTED_PERMISSIONS
now also requests issues:write, workflows:write, and packages:read.

administration is still never requested (rulesets/settings stay operator-owned)
and packages stays read-only — artifact publishing is done by the release
workflow's own GITHUB_TOKEN, not by runner tokens. Tests and the App setup doc
(manifest, troubleshooting, fix steps) are updated to the widened set.

Takes effect once the App permissions are approved on each installation and a
fresh token is minted (cached token dropped).

Part of #605. Closes #606.
@jorisjonkers-dev-agents jorisjonkers-dev-agents Bot added enhancement New feature or request java Pull requests that update java code labels Jun 8, 2026
@ExtraToast ExtraToast merged commit a8152d2 into main Jun 8, 2026
42 checks passed
jorisjonkers-dev-agents Bot pushed a commit that referenced this pull request Jun 8, 2026
#620 is merged and the minter now grants workflows/issues, so: workflow pushes
work, repo-template#1 is merged, issues are editable with a per-repo token, and
personal-stack already merges (full.yml already emits the Pipeline Complete job
the ruleset requires). Records the narrowed remaining #608 scope (fold the three
separate PR workflows into the aggregator) and that #610 waits on M1 artifacts.

Part of #605.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request java Pull requests that update java code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Enable workflows permission end-to-end

1 participant