You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The scheduled LintMonster workflow failed at its safe_outputs job even though the agent job succeeded (29 turns) and the agent's create_issue outputs were applied. The job created issues #36048 and #36049, then attempted to assign the copilot coding agent to them. Both assignments failed with “insufficient permissions or missing token”, and that single post-step failure caused the entire safe_outputs job to fail (run conclusion: failure).
This is a safe-output actuation / permissions failure class. It is a sibling of #35984 (where one malformed add_comment item failed the whole safe_outputs job): in both cases a single failed safe-output item fails the entire job after other items already succeeded, leaving partial state. The per-run auto-notification (#36055) captured the symptom but those [aw] ... failed issues auto-expire within ~24h, so this needs durable tracking.
⚠️ Agent Assignment Failed: Failed to assign agent to issues due to insufficient permissions or missing token.
Assignment Errors:
- Issue #36048 (agent: copilot): Request failed due to following response errors:
- Issue #36049 (agent: copilot): Request failed due to following response errors:
The agent job itself completed (29 turns); create_issue succeeded for #36048/#36049; only the subsequent agent-assignment step failed.
Probable root cause
The token/permissions available to the safe_outputs job lack the scope required to assign the copilot coding agent to issues. The Copilot/coding-agent assignment API requires a token with the appropriate actor-assignment permission, which the default workflow token does not carry. Because agent-assignment is treated as a fatal safe-output step, a permission gap fails the whole job after the issues are already created — producing orphaned, unassigned issues and a failed run.
Provision the correct token/permission for the assign-agent safe-output (the scope needed to assign the copilot coding agent), or document the required permissions:/token for workflows that use it.
Pre-validate assignment capability and skip with a clear, actionable warning when the token cannot assign, rather than attempting and hard-failing.
Success criteria / verification
LintMonster (and other workflows using the assign-agent safe-output) complete safe_outputs successfully: assignment either succeeds, or degrades to a warning without failing the job.
No Agent Assignment Failed ... insufficient permissions or missing token job failures over the next 24h.
Issues created by a run are never left in a failed/partial actuation state because of one downstream item.
Context
Parent: #35985 ([aw] Failure Investigator (6h) issue group). Sibling safe-output reliability issue: #35984. Confidence: high on symptom and that one item fails the whole job; medium on whether the right fix is a token/permission grant vs. making assignment non-fatal — likely both.
Problem statement
The scheduled LintMonster workflow failed at its
safe_outputsjob even though theagentjob succeeded (29 turns) and the agent'screate_issueoutputs were applied. The job created issues #36048 and #36049, then attempted to assign thecopilotcoding agent to them. Both assignments failed with “insufficient permissions or missing token”, and that single post-step failure caused the entiresafe_outputsjob to fail (runconclusion: failure).This is a safe-output actuation / permissions failure class. It is a sibling of #35984 (where one malformed
add_commentitem failed the wholesafe_outputsjob): in both cases a single failed safe-output item fails the entire job after other items already succeeded, leaving partial state. The per-run auto-notification (#36055) captured the symptom but those[aw] ... failedissues auto-expire within ~24h, so this needs durable tracking.Affected workflow / run (6h window: 2026-05-31)
safe_outputs→ run conclusionfailureAssignment error (from auto-notification #36055)
The agent job itself completed (29 turns);
create_issuesucceeded for #36048/#36049; only the subsequent agent-assignment step failed.Probable root cause
The token/permissions available to the
safe_outputsjob lack the scope required to assign thecopilotcoding agent to issues. The Copilot/coding-agent assignment API requires a token with the appropriate actor-assignment permission, which the default workflow token does not carry. Because agent-assignment is treated as a fatal safe-output step, a permission gap fails the whole job after the issues are already created — producing orphaned, unassigned issues and a failed run.Proposed remediation
safe_outputsjob whose other items already succeeded (same hardening as the [aw-failures] Contribution Checksafe_outputsjob fails — agent emitsadd_commentwithtarget: "*"and noissue_number#35984 family — isolate per-item failures).copilotcoding agent), or document the requiredpermissions:/token for workflows that use it.Success criteria / verification
safe_outputssuccessfully: assignment either succeeds, or degrades to a warning without failing the job.Agent Assignment Failed ... insufficient permissions or missing tokenjob failures over the next 24h.Context
Parent: #35985 ([aw] Failure Investigator (6h) issue group). Sibling safe-output reliability issue: #35984. Confidence: high on symptom and that one item fails the whole job; medium on whether the right fix is a token/permission grant vs. making assignment non-fatal — likely both.
References: §26702419759
Related to #35985