Conversation
…-419d-4127-bff5-ebc8cea5740e
Contributor
There was a problem hiding this comment.
Copilot wasn't able to review any files in this pull request.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/393abbf4-cead-4eef-87e8-c28a0a8c08df
Copilot
AI
changed the title
[WIP] Fix failing GitHub Actions workflow Integration: Workflow Misc Part 2
Fix filterJobLevelPermissions dropping explicit empty permissions block
Mar 24, 2026
pelikhan
deleted the
copilot/fix-github-actions-workflow-99e9f472-419d-4127-bff5-ebc8cea5740e
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When a workflow specifies
permissions: {}, the agent job was emitted without anypermissions:block, causing it to silently inherit workflow-level permissions instead of enforcing the explicit empty grant.Root cause
filterJobLevelPermissionsparses the raw YAML string throughNewPermissionsParser → ToPermissions → RenderToYAML. Forpermissions: {}, this roundtrip produces an emptyPermissionsstruct withexplicitEmpty: false, soRenderToYAMLreturns""and the permissions block is dropped entirely.Fix
Add an early-exit check in
filterJobLevelPermissions: when the parsed/rendered result is empty but the raw input is"permissions: {}", return"permissions: {}"to preserve the user's explicit intent.This preserves the existing behaviour for the other
rendered == ""case (permissions containing only GitHub App-only scopes that are filtered out), which should still emit no block.Warning
Firewall rules blocked me from connecting to one or more addresses (expand for details)
I tried to connect to the following addresses, but was blocked by firewall rules:
https://api.github.com/graphql/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git *.json' '!../../git GO111MODULE k/_temp/uv-pytho--show-toplevel git(http block)/usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw infocmp /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git sh git(http block)https://api.github.com/orgs/test-owner/actions/secrets/usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c npx prettier --check '**/*.cjs' GOSUMDB GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go sh(http block)https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha user.name Test User /usr/bin/git json' --ignore-pgit GO111MODULE ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/infocmp th .prettierignogit GO111MODULE node infocmp(http block)/usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha "prettier" --write 'scripts/**/*.js' --ignore-path .prettierignore --log-level=error git /home/REDACTED/work/node_modules/.bin/node tierignore node /usr/bin/git node /hom�� --write ../../../**/*.json /usr/bin/git --ignore-path ../../../.prettirev-parse /usr/bin/git git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v3/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha "prettier" --write '../../../**/*.json' '!../../../pkg/workflow/-errorsas go ache/node/24.14.0/x64/bin/node rror GO111MODULE 64/bin/go /tmp/go-build2716925945/b408/console.test t-27�� bility_SameInputSameOutput470757660/001/stability-test.md -test.v=true /usr/bin/git -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git son ignore go /usr/bin/git git rev-�� rite '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json git k/gh-aw/gh-aw/node_modules/.bin/node --show-toplevel go /usr/bin/git git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v5/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -json GO111MODULE h GOINSECURE GOMOD GOMODCACHE go env *.json' '!../../--workflow GO111MODULE nfig/composer/ve--limit GOINSECURE GOMOD(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha secrets.TOKEN go /usr/bin/git ../pkg/workflow/git GO111MODULE 0/x64/bin/bash git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE ules/.bin/node git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel kmIpjEVxgPIJbBLrkR/yyjxJESSHc308remote.origin.url /usr/bin/git s,@VERSION@,8.3,git GOPROXY g_.a git rev-�� --show-toplevel go /usr/bin/git te '../../../**/git GO111MODULE /bin/sh git(http block)https://api.github.com/repos/actions/checkout/git/ref/tags/v6/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /tmp/go-build2716925945/b443/testutil.test -importcfg /usr/bin/git -s -w -buildmode=exe git add .github/workflows/test.md -extld=gcc /opt/hostedtoolcache/node/24.14.0/x64/bin/node -json GO111MODULE ode_modules/.bin--show-toplevel node(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha uts.version -trimpath /usr/bin/git -p main -lang=go1.25 git rev-�� --show-toplevel -dwarf=false /usr/bin/git go1.25.0 -c=4 -nolocalimports git(http block)/usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git rite '**/*.cjs' git GO111MODULE cal/bin/sh git rev-�� --show-toplevel find /usr/bin/git te 'scripts/**/*git -lname .cfg git(http block)https://api.github.com/repos/actions/github-script/git/ref/tags/v8/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE de GOINSECURE GOMOD GOMODCACHE npm run lint:cjs GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go sh(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node /hom�� re --log-level=error **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.prettierignore go(http block)/usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build2716925945/b420/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/logger/doc.go /home/REDACTED/work/gh-aw/gh-aw/pkg/logger/logger.go er prettier --check 64/bin/go --ignore-path .prettierignore 64/bin/go go(http block)https://api.github.com/repos/actions/setup-go/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha y gcc /usr/bin/git js/**/*.json' --git c 64/bin/go git -C /tmp/gh-aw-test-runs/20260324-160943-43734/test-1029714291 rev-parse /usr/bin/git @{u} GO111MODULE ache/go/1.25.0/x--show-toplevel git(http block)/usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --noprofile git /home/REDACTED/node_modules/.bin/node /ref/tags/v8 64/pkg/tool/linurev-parse /usr/bin/git node /hom�� --write **/*.cjs /home/REDACTED/work/gh-aw/gh-aw/node_modules/.bin/sh **/*.json --ignore-path ../../../.pretti--show-toplevel sh(http block)https://api.github.com/repos/actions/setup-node/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /tmp/go-build2716925945/b447/timeutil.test -importcfg /usr/bin/git -s -w -buildmode=exe git rev-�� --show-toplevel -extld=gcc /usr/bin/git -json GO111MODULE es/.bin/node git(http block)/usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --noprofile git /home/REDACTED/work/gh-aw/node_modules/.bin/node tags/v6 64/pkg/tool/linurev-parse /usr/bin/git node /hom�� --write **/*.cjs /home/REDACTED/work/gh-aw/gh-aw/actions/setup/node_modules/.bin/sh **/*.json --ignore-path ../../../.pretti--show-toplevel sh(http block)https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha npx prettier --write '**/*.cjs' '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GOPROXY /home/REDACTED/node_modules/.bin/node GOSUMDB GOWORK 64/bin/go node /hom�� --write scripts/**/*.js ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet .prettierignore --log-level=errorev-parse 64/bin/go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha */*.ts' '**/*.json' --ignore-path ../../../.prettierignore git ode --show-toplevel go /usr/bin/git git 0/x6�� --show-toplevel git /usr/bin/git son go /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha KalLpCxFj --write /home/REDACTED/.local/bin/node l **/*.json --ignore-path node ortc�� run stmain.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet tierignore GO111MODULE 64/bin/go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git bin/sh --show-toplevel go /usr/bin/git git rev-�� *.json' '!../../../pkg/workflow/js/**/*.json' --- git k/_temp/uv-python-dir/bash v1.0.0 go /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 0943-43734/test-1029714291 --write /home/REDACTED/work/_temp/uv-python-dir/node l **/*.json --ignore-path node /opt�� k/gh-aw/gh-aw/.github/workflows format:pkg-json 6925945/b441/styles.test tierignore GO111MODULE 64/bin/go 6925945/b441/styles.test(http block)/usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git de_modules/.bin/sh --show-toplevel go /usr/bin/git git rev-�� *.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore git ptables --show-toplevel go /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts/usr/bin/gh gh run download 1 --dir test-logs/run-1 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link env '**/*.ts' '**/*.json' --ignore-p-c=4 GO111MODULE x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts/usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE de_modules/.bin/sh GOINSECURE GOMOD GOMODCACHE go env '**/*.ts' '**/*.json' --ignore-premote.origin.url GO111MODULE /opt/hostedtoolcache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts/usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet env '**/*.ts' '**/*.json' --ignore-pgo1.25.0 GO111MODULE 64/bin/sh GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts/usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 0/x64/bin/sh GOINSECURE GOMOD GOMODCACHE go estl�� '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts/usr/bin/gh gh run download 3 --dir test-logs/run-3 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts/usr/bin/gh gh run download 4 --dir test-logs/run-4 GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env '**/*.ts' '**/*.json' --ignore-premote.origin.url GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts/usr/bin/gh gh run download 5 --dir test-logs/run-5 GO111MODULE 64/bin/sh GOINSECURE GOMOD GOMODCACHE go env '**/*.ts' '**/*.json' --ignore-path ../../../.pr**/*.json GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/actions/workflows/usr/bin/gh gh workflow list --json name,state,path -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c h ../../../.prettierignore GOPROXY modules/@npmcli/run-script/lib/node-gyp-bin/sh GOSUMDB GOWORK 64/bin/go sh(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOWORK 64/bin/go /opt/hostedtoolc-importcfg -V=f�� GOMODCACHE go 64/bin/go -json GO111MODULE 64/bin/go go(http block)/usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE go env -json GO111MODULE n-dir/node GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha y-test.md GO111MODULE At,event,headBranch,headSha,displayTitle GOINSECURE GOMOD GOMODCACHE go env */*.ts' '**/*.json' --ignore-path ../../../.prettierignore GO111MODULE bin/node GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha ignore-path ../../../.prettierignore node /usr/bin/git --write l /usr/bin/git git rev-�� --show-toplevel /usr/bin/git /usr/bin/git -v go /usr/bin/git git(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha che/go-build/ab/abfc11f840b03ef9GOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath -o js/**/*.json' ---p -trimpath 64/bin/go -p main -lang=go1.25 go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha nore --log-level=error 2>&1 GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-buildtags @/tm�� js/**/*.json' ---errorsas go 64/bin/go -json GO111MODULE 64/bin/go go(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha "prettier" --che!../../../pkg/workflow/js/**/*.json GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go go env js/**/*.json' ---errorsas GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha re --log-level=e!../../../pkg/workflow/js/**/*.json **/*.cjs 64/bin/go **/*.json --ignore-path ../../../.pretti-bool go env js/**/*.json' ---errorsas GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0/usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha che/go-build/32/--ignore-path GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go /opt/hostedtoolc-trimpath -o js/**/*.json' ---p -trimpath 64/bin/go -p github.com/githu-C -lang=go1.25 go(http block)https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha y-test.md GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env ut3131847268/001 GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile(http block)/usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha ath ../../../.pr**/*.json git /usr/bin/git s/test.md config /usr/bin/git git rev-�� re --log-level=error git de --show-toplevel 9934980/b407/imp--norc /opt/hostedtoolc--noprofile infocmp(http block)https://api.github.com/repos/nonexistent/repo/actions/runs/12345/usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE go 0/x6�� 4063878472/.github/workflows GO111MODULE ache/go/1.25.0/x64/bin/go GOINSECURE GOMOD GOMODCACHE go(http block)https://api.github.com/repos/owner/repo/actions/workflows/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c h ../../../.prettierignore GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go node(http block)/usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c h ../../../.pret.prettierignore GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go node(http block)https://api.github.com/repos/owner/repo/contents/file.md/tmp/go-build2716925945/b402/cli.test /tmp/go-build2716925945/b402/cli.test -test.testlogfile=/tmp/go-build2716925945/b402/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go env ath ../../../.pr**/*.json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE node(http block)https://api.github.com/repos/test-owner/test-repo/actions/secrets/usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE sh -c npx prettier --check '**/*.cjs' GOINSECURE GOPROXY 64/bin/go GOSUMDB GOWORK 64/bin/go sh(http block)If you need me to access, download, or install something from one of these locations, you can either:
Original prompt
✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.