Grant Smoke Claude artifact-read permission

[Copilot]

The scheduled Smoke Claude workflow was failing before agent execution because the agent job could not download the activation artifact. This updates the workflow permissions so the job can read Actions artifacts consistently with the other smoke workflows.

• Root cause

  • Smoke Claude granted contents, issues, and pull-requests access, but not actions: read.
  • The failure surfaced at Download activation artifact even though the activation job had already uploaded the artifact.

• Workflow change

  • Added actions: read to the source workflow in .github/workflows/smoke-claude.md.
  • Propagated the same permission into the compiled lockfile in .github/workflows/smoke-claude.lock.yml.

• Regression coverage

  • Extended scripts/ci/smoke-claude-workflow.test.ts to assert that both the source workflow and compiled workflow retain actions: read.

permissions:
  actions: read
  contents: read
  issues: read
  pull-requests: read

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	96.06%	96.13%	📈 +0.07%
Statements	95.89%	95.96%	📈 +0.07%
Functions	97.96%	97.96%	➡️ +0.00%
Branches	89.60%	89.64%	📈 +0.04%

📁 Per-file Coverage Changes (1 files)

File	Lines (Before → After)	Statements (Before → After)
src/config-writer.ts	83.0% → 85.6% (+2.54%)	83.0% → 85.6% (+2.54%)

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

[Copilot]

Pull request overview

Updates the Smoke Claude agentic workflow permissions so the agent job can consistently download Actions artifacts (specifically the activation artifact), aligning it with the other smoke workflows and preventing pre-agent failures.

Changes:

• Add actions: read to the source workflow permissions in .github/workflows/smoke-claude.md.
• Add actions: read to the compiled workflow’s agent job permissions in .github/workflows/smoke-claude.lock.yml.
• Extend the CI test to assert the presence of actions: read in both source and compiled workflow files.

Show a summary per file

File	Description
scripts/ci/smoke-claude-workflow.test.ts	Adds assertions intended to prevent regressions in workflow permissions/config.
.github/workflows/smoke-claude.md	Grants actions: read at the source workflow level.
.github/workflows/smoke-claude.lock.yml	Grants actions: read to the agent job so artifact download can succeed.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 1

[github-actions]

Smoke Test Results

• ✅ GitHub MCP: Retrieved PR fix(claude-token-optimizer): resolve workflow file via .lock.yml when .md lacks name field #3633 ("fix(claude-token-optimizer): resolve workflow file via .lock.yml...")
• ❌ GitHub.com Connectivity: Placeholder test not executed (pre-step data missing)
• ❌ File Write/Read: File not found at test path

Status: ⚠️ PARTIAL (MCP operational, external tests incomplete)

cc @lpcox @Copilot

📰 BREAKING: Report filed by Smoke Copilot

[lpcox]

@copilot recompile smoke claude

[Copilot]

@copilot recompile smoke claude

Recompiled smoke-claude and updated .github/workflows/smoke-claude.lock.yml in commit c8e9b76.

[lpcox]

@copilot compile smoke claude

[Copilot]

@copilot compile smoke claude

Compiled smoke-claude and ran post-processing; no file changes were produced because the lockfile is already up to date at c8e9b76.

[github-actions]

Smoke Test Results ✅

• ✅ GitHub API: 2 recent PRs verified (PR Refactor agent volume assembly into focused mount modules #3638, PR Refactor Squid config generation into focused modules #3637)
• ✅ GitHub check: playwright_check=✅ PASS confirmed
• ✅ File verification: Smoke test file exists and validates pass

Overall: All smoke test validations passed. Claude engine is ready.

💥 [THE END] — Illustrated by Smoke Claude

[github-actions]

✅ Smoke Test: Copilot BYOK (Offline) Mode — PASS

• ✅ MCP GitHub API — Retrieved PR Refactor agent volume assembly into focused mount modules #3638: "Refactor agent volume assembly into focused mount modules"
• ✅ GitHub.com connectivity — HTTP 200 from github.com
• ✅ File write/read — Verified /tmp/gh-aw/agent/smoke-test-copilot-byok-26342953577.txt content
• ✅ BYOK inference — Running in offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

Note: Running in BYOK offline mode (COPILOT_OFFLINE=true) via api-proxy → api.githubcopilot.com

PR Author: @Copilot | Assignees: @lpcox, @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

[github-actions]

Merged PRs: ✅ Refactor agent volume assembly into focused mount modules; Refactor Squid config generation into focused modules
SafeInputs GH CLI: ❌ safeinputs-gh unavailable
Playwright: ✅ GitHub title verified
Tavily search: ❌ no search tool exposed
File write: ✅ /tmp/gh-aw/agent/smoke-test-codex-26342953575.txt
Bash readback: ✅
Discussion: ✅ #3654 commented
Build: ✅ npm ci && npm run build
Overall status: FAIL

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

[github-actions]

Gemini Engine Smoke Test Results

PR Titles Reviewed:

• Refactor agent volume assembly into focused mount modules (Refactor agent volume assembly into focused mount modules #3638)
• Refactor Squid config generation into focused modules (Refactor Squid config generation into focused modules #3637)

Test Results:

• ✅ GitHub MCP Testing
• ✅ GitHub.com Connectivity
• ✅ File Writing Testing
• ✅ Bash Tool Testing

Overall Status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

[github-actions]

Service Connectivity Test Results

❌ Redis - Connection timeout (no PONG response)
❌ PostgreSQL pg_isready - No response from server
❌ PostgreSQL SELECT 1 - Not tested (pg_isready failed)

Overall Result: ❌ FAIL

Services on host.docker.internal are not reachable from the AWF sandbox.

🔌 Service connectivity validated by Smoke Services

[github-actions]

🏗️ Build Test Suite Results

Ecosystem	Project	Build/Install	Tests	Status
Bun	elysia	✅	1/1 passed	✅ PASS
Bun	hono	✅	1/1 passed	✅ PASS
C++	fmt	✅	N/A	✅ PASS
C++	json	✅	N/A	✅ PASS
Deno	oak	N/A	1/1 passed	✅ PASS
Deno	std	N/A	1/1 passed	✅ PASS
.NET	hello-world	✅	N/A	✅ PASS
.NET	json-parse	✅	N/A	✅ PASS
Go	color	✅	passed	✅ PASS
Go	env	✅	passed	✅ PASS
Go	uuid	✅	passed	✅ PASS
Java	gson	✅	1/1 passed	✅ PASS
Java	caffeine	✅	1/1 passed	✅ PASS
Node.js	clsx	✅	All passed	✅ PASS
Node.js	execa	✅	All passed	✅ PASS
Node.js	p-limit	✅	All passed	✅ PASS
Rust	fd	✅	1 passed	✅ PASS
Rust	zoxide	✅	1 passed	✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

---

Summary:

• ✅ All 18 projects compiled/built successfully
• ✅ All test suites passed
• ✅ All ecosystems validated (Bun, C++, Deno, .NET, Go, Java, Node.js, Rust)

Generated by Build Test Suite for issue #3632 · ● 10.1M · ◷