Problem using GitHub Apps to auth writes to discussions #19380

@justinhuangai

Description

What happens

When a workflow uses GitHub App tokens with discussions: write permission, gh aw compile emits permission-discussions: write as an input to actions/create-github-app-token. The action rejects it:

Warning: Unexpected input(s) 'permission-discussions', valid inputs are ['app-id', 'private-key', ...]

The warning is harmless at runtime (the input is silently ignored), but it indicates a code path that generates invalid configuration.

Originally reported in #18921. Scout analysis (triggered by @pelikhan) confirmed this is not an upstream bug — it is a gh-aw mapping issue.

What should happen

PermissionDiscussions should not be mapped to an actions/create-github-app-token input. The GitHub REST API for creating installation access tokens does not support discussions as a permission scope — it only exists at the GitHub App configuration level, not at the token level.

Where in the code

Invalid mapping:

  • pkg/workflow/safe_outputs_app.go:235-237 — maps PermissionDiscussions to permission-discussions:
if level, ok := permissions.Get(PermissionDiscussions); ok {
    fields["permission-discussions"] = string(level)
}

Test asserting incorrect behavior:

  • pkg/workflow/safe_outputs_app_test.go:152-153 — asserts permission-discussions: write should be present in output

Related: permission-attestations may have the same issue:

  • actions/create-github-app-token#310 reports the same pattern for attestations
  • If a similar mapping block exists for PermissionAttestations in safe_outputs_app.go, it should be removed too

Evidence

Proposed fix

  1. Remove the 3-line PermissionDiscussions mapping block in safe_outputs_app.go:235-237
  2. Add PermissionDiscussions to the comment listing permissions with no GitHub App equivalent
  3. Check if PermissionAttestations has the same pattern — if so, remove it too
  4. Update test assertions in safe_outputs_app_test.go to remove expectations for the deleted mappings
  5. Run make agent-finish to validate
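The following is an added example, not code from the gh-aw repository, showing the shape of the proposed fix: a mapping table that deliberately has no entry for discussions (and attestations), a builder that reports which requested permissions were dropped because the installation-token API has no such scope, and a check that reproduces the action's "unexpected input" warning against a constructed subset of its valid inputs. All names (Permission, Permissions, BuildAppTokenInputs, UnexpectedInputs, validActionInputs) are assumptions chosen for this example and do not correspond to identifiers in safe_outputs_app.go.

```go
package main

import (
	"fmt"
	"sort"
)

// Permission is a workflow-level permission name (example type, not gh-aw's own).
type Permission string

const (
	PermissionContents     Permission = "contents"
	PermissionIssues       Permission = "issues"
	PermissionPullRequests Permission = "pull-requests"
	PermissionDiscussions  Permission = "discussions"
	PermissionAttestations Permission = "attestations"
)

// Permissions maps a permission to its requested level ("read" or "write").
type Permissions map[Permission]string

// appTokenInputs maps workflow permissions to actions/create-github-app-token
// input names. Discussions and attestations are intentionally absent: the
// installation access token API has no such permission scope, so emitting
// them only produces the "Unexpected input(s)" warning.
var appTokenInputs = map[Permission]string{
	PermissionContents:     "permission-contents",
	PermissionIssues:       "permission-issues",
	PermissionPullRequests: "permission-pull-requests",
}

// noAppTokenEquivalent lists permissions that exist only at the GitHub App
// configuration level and therefore must never become token inputs.
var noAppTokenEquivalent = map[Permission]bool{
	PermissionDiscussions:  true,
	PermissionAttestations: true,
}

// validActionInputs is a constructed subset of the action's accepted inputs,
// used here to model its input validation; it is not the action's full list.
var validActionInputs = map[string]bool{
	"app-id":                   true,
	"private-key":              true,
	"owner":                    true,
	"repositories":             true,
	"permission-contents":      true,
	"permission-issues":        true,
	"permission-pull-requests": true,
}

// BuildAppTokenInputs returns the `with:` fields for the token action and the
// sorted list of requested permissions that were dropped because they have no
// installation-token equivalent. Dropped permissions are surfaced rather than
// silently ignored so a compile step can warn the workflow author.
func BuildAppTokenInputs(perms Permissions) (map[string]string, []Permission) {
	fields := map[string]string{}
	var dropped []Permission
	for perm, level := range perms {
		if noAppTokenEquivalent[perm] {
			dropped = append(dropped, perm)
			continue
		}
		if input, ok := appTokenInputs[perm]; ok {
			fields[input] = level
		}
	}
	sort.Slice(dropped, func(i, j int) bool { return dropped[i] < dropped[j] })
	return fields, dropped
}

// UnexpectedInputs returns, sorted, the field names the action would reject.
// Run over a legacy field set containing permission-discussions it reproduces
// the warning from the issue; run over BuildAppTokenInputs output it is empty.
func UnexpectedInputs(fields map[string]string) []string {
	var bad []string
	for name := range fields {
		if !validActionInputs[name] {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	perms := Permissions{PermissionContents: "read", PermissionDiscussions: "write"}
	fields, dropped := BuildAppTokenInputs(perms)
	fmt.Println("fields:", fields)
	fmt.Println("dropped (no app-token equivalent):", dropped)
	fmt.Println("unexpected inputs:", UnexpectedInputs(fields))
}
```

A test for the fixed mapping should assert that `permission-discussions` is absent from the output (the inverse of the current assertion in safe_outputs_app_test.go) and, if the builder reports dropped permissions as above, that discussions appears in that list.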
