fix(permissions): reject invalid id-token: read permission#16685
Merged
fix(permissions): reject invalid id-token: read permission#16685
Conversation
…validation The id-token permission only supports "write" and "none" values, not "read". This is because id-token is used for OIDC token requests, which either allows requesting tokens (write) or doesn't (none) - there is no read-only mode. Changes: - Updated main_workflow_schema.json to only allow "write" and "none" for id-token - Updated github-workflow.json to use explicit enum instead of permissions-level ref - Added regression tests for id-token permission validation Co-authored-by: eaftan <4733401+eaftan@users.noreply.github.com>
The github-workflow.json schema is the secondary schema used for GitHub Actions YAML validation. It also needs to be updated to only allow "write" and "none" for the id-token permission. Co-authored-by: eaftan <4733401+eaftan@users.noreply.github.com>
…ompilation failure The idtoken_write_warning_test.go integration test has a test case for id-token: read. Now that id-token: read is invalid, the test needs to be updated to expect compilation failure instead of checking for warnings. Co-authored-by: eaftan <4733401+eaftan@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Fix invalid permission handling for id-token
fix(permissions): reject invalid id-token: read permission
Feb 19, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
This PR fixes an incorrect schema definition for the id-token permission. The OIDC token permission only supports binary access control (write or none), but the schemas were incorrectly allowing read as a valid value. The fix ensures that only write and none are accepted, with proper validation and error reporting.
Changes:
- Updated JSON schemas to restrict
id-tokenpermission to["write", "none"]instead of["read", "write", "none"] - Added comprehensive test coverage for
id-tokenpermission validation - Updated integration test to verify that
id-token: readnow correctly fails compilation
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/workflow/schemas/github-workflow.json | Changed id-token from using generic permissions-level reference to inline enum with only ["write", "none"] |
| pkg/parser/schemas/main_workflow_schema.json | Updated id-token enum from ["read", "write", "none"] to ["write", "none"] and improved description to clarify read is not supported |
| pkg/parser/schema_test.go | Added three test cases validating: invalid id-token: read, valid id-token: write, and valid id-token: none |
| pkg/workflow/idtoken_write_warning_test.go | Updated test structure to handle compilation failure cases, changed id-token: read test case to expect compilation failure instead of no warning |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
id-tokenpermission only supportswriteandnonevalues. OIDC token requests are binary—allowed or not—there is no read-only mode. The schema was incorrectly allowingread.Changes
Schema fix: Updated
id-tokenenum from["read", "write", "none"]to["write", "none"]in both:pkg/parser/schemas/main_workflow_schema.jsonpkg/workflow/schemas/github-workflow.jsonTests: Added regression tests for id-token validation, updated integration test to expect compilation failure for invalid
id-token: readBefore
After
Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw g/sliceutil/slic^From [0-9a-f]\{40\} 64/bin/go git init�� GOMODCACHE ache/go/1.25.0/xGO111MODULE(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha g_.a GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env 3123-30363/test-3488128247/.github/workflows GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE ortcfg(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha auto-triage-issues.md GO111MODULE 3674215/b001=> GOINSECURE GOMOD GOMODCACHE go env F-mS/UgOg56zOGwv7F1CZF-mS GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha brave.md stmain.go 0/x64/bin/node GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet t-ha�� SameOutput1638207662/001/stability-test.md GO111MODULE 3674215/b294/vet.cfg GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha /tmp/shared-actions-test2884592423 rev-parse /usr/bin/git -json GO111MODULE 64/bin/go git add .github/workflows/test.md sh /usr/bin/git npx prettier --cgit GOPROXY 64/bin/go git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha 2422607599/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu1(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE om/testorg/testrepo.git GOINSECURE GOMOD GOMODCACHE git init�� GOPATH GOPROXY /usr/bin/git GOSUMDB GOWORK 64/bin/go git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha b.actor }}, Repo: ${{ github.repository }} go /usr/bin/git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel sh /usr/bin/git "prettier" --chegit GOPROXY 64/bin/go git(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go m/_n�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE WdoVr4iAs4gc env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha bot-detection.md GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env bQ29M6A5H GO111MODULE 3674215/b274/vet.cfg GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha blog-auditor.md GO111MODULE 3674215/b390/logger.test GOINSECURE ngutil GOMODCACHE 3674215/b390/logger.test e=/t�� cwhvNOp8h GO111MODULE(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE IKEP8dB/iAJz33n4-extld=gcc(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env tmatter-with-arrays.md GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env hub/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path heck '**/*.cjs' GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/repoutil/repoutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/repoutil/repoutil_test.go env HpgR/N9y3Aq49J-p-errorsas GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE 7354720/b381/imp-trimpath(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/vet env -json GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 3488128247/.github/workflows GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE FyPOPt7/hAqieucyA4npJ9bo6g4b(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE F5/4qLQS-oeomrMmfGrEiad/6CmI5DOkrev-parse env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD erignore go env -json GO111MODULE 64/bin/go GOINSECURE 2b9326c486c8c69e-V=full GOMODCACHE go(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE ache/go/1.25.0/xGO111MODULE env 7354720/b346/_pkGOINSECURE GO111MODULE 64/bin/go GOINSECURE b/gh-aw/pkg/math-o GOMODCACHE go(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build1363674215/b368/cli.test /tmp/go-build1363674215/b368/cli.test -test.testlogfile=/tmp/go-build1363674215/b368/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go env ck 'scripts/**/*GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name heck '**/*.cjs' GOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env GOPATH); \ if coGOINSECURE GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/user/usr/bin/gh gh api user --jq .login(http block)/usr/bin/gh gh api user --jq .login GOSUMDB GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go k/gh�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD erignore go(http block)/usr/bin/gh gh api user --jq .login .json..." GOWORK 64/bin/go GOINSECURE GOMOD GOMODCACHE go k/gh�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD erignore go(http block)If you need me to access, download, or install something from one of these locations, you can either:
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.