Skip to content

[plan] Fix missing permissions declarations in example-permissions-warning and copilot-request workflows #18289

@github-actions

Description

@github-actions

Objective

Fix the 3 permissions actionlint findings in workflows that are missing required write permissions, as reported in discussion #18283.

Context

Actionlint reported 3 permissions issues:

  • 1 in example-permissions-warning.md
  • 2 in copilot-request workflows

These workflows perform operations that require write permissions but don't declare them in their frontmatter, which can cause runtime failures.

  • Tool: actionlint
  • Count: 3
  • Affected: example-permissions-warning.md (×1) + copilot-request workflows (×2)

Approach

  1. Run actionlint locally to identify the exact missing permissions:

    actionlint .github/workflows/example-permissions-warning.lock.yml
    # Also check compiled lock files for copilot-request workflows
    actionlint .github/workflows/copilot-request*.lock.yml
  2. For each affected .md workflow file, add the missing permissions to the frontmatter:

    ---
    permissions:
      issues: write      # example: if workflow creates/updates issues
      pull-requests: write  # example: if workflow interacts with PRs
    ---
  3. Use the principle of least privilege — only add the specific permissions that are actually needed

  4. Run make recompile to regenerate .lock.yml files

  5. Run make agent-finish to validate

  6. Re-run actionlint to confirm the permissions findings are resolved

Files to Modify

  • .github/workflows/example-permissions-warning.md — add missing write permission
  • Copilot-request workflow .md files — add missing write permissions

Acceptance Criteria

  • All 3 actionlint permissions findings are resolved
  • Permissions added follow least-privilege principle (only what's needed)
  • make recompile succeeds
  • make agent-finish passes
  • actionlint reports 0 permissions findings for affected workflows

Generated by Plan Command for issue #discussion #18283

  • expires on Feb 27, 2026, 6:53 AM UTC

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions