The dependabot-go-checker.md workflow fails to compile due to a missing GitHub permission required by the dependabot toolset.
Error
.github/workflows/dependabot-go-checker.md:1:1: error: Missing required permissions for GitHub toolsets:
- vulnerability-alerts: read (required by dependabot)
Steps to Reproduce
agenticworkflows compile --workflows "dependabot-go-checker.md"
Root Cause
The workflow uses toolsets: [default, dependabot] but does not declare vulnerability-alerts: read in its permissions block. The current permissions are:
permissions:
  contents: read
  actions: read
  issues: read
  pull-requests: read
  security-events: read
Fix
Add the missing permission to the frontmatter:
permissions:
  contents: read
  actions: read
  issues: read
  pull-requests: read
  security-events: read
  vulnerability-alerts: read # ← add this
Impact
- Severity: High — the workflow cannot be compiled, so any changes to the .md file will not take effect (the .lock.yml is not regenerated)
- Frequency: Always — reproducible on every compile attempt
- CI: make recompile or make agent-finish will fail for this workflow
Environment
- Repository: github/gh-aw
- Detected by: Daily CLI Tools Exploratory Tester run §24818449170
- Date: 2026-04-23
Generated by Daily CLI Tools Exploratory Tester · ● 2.7M · ◷
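A check for the mismatch reported above, added here as an illustration (not code from gh-aw or from the original report): it compares the toolsets a workflow declares against its permissions block. The function names are hypothetical, the requirement table holds only the one pair named in the compile error, and the keys around `toolsets` in the sample are an assumed layout.

```python
import re

# Only the requirement named in the compile error on this page; extend as needed.
REQUIRED_BY_TOOLSET = {"dependabot": {"vulnerability-alerts": "read"}}

def parse_permissions(frontmatter):
    """Read indented 'scope: level' lines under a top-level 'permissions:' key.
    Minimal line parser for this check, not a full YAML implementation."""
    perms, in_block = {}, False
    for raw in frontmatter.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comment
        if not line:
            continue
        if line.startswith("permissions:"):
            in_block = True
        elif not line[0].isspace():
            in_block = False  # next top-level key closes the block
        elif in_block and ":" in line:
            scope, level = line.split(":", 1)
            perms[scope.strip()] = level.strip()
    return perms

def missing_permissions(frontmatter):
    """Return 'scope: level' entries the declared toolsets need but lack."""
    perms = parse_permissions(frontmatter)
    match = re.search(r"toolsets:\s*\[([^\]]*)\]", frontmatter)
    toolsets = [t.strip() for t in match.group(1).split(",")] if match else []
    return [
        f"{scope}: {level}"
        for ts in toolsets
        for scope, level in REQUIRED_BY_TOOLSET.get(ts, {}).items()
        if perms.get(scope) != level
    ]

# Constructed sample: a shortened permissions block in the shape shown in the
# issue; the 'tools'/'github' keys around 'toolsets' are an assumed layout.
BEFORE = """\
permissions:
  contents: read
  security-events: read
tools:
  github:
    toolsets: [default, dependabot]
"""
AFTER = BEFORE.replace("tools:", "  vulnerability-alerts: read  # added\ntools:", 1)

if __name__ == "__main__":
    print("before:", missing_permissions(BEFORE), "after:", missing_permissions(AFTER))
```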