Add vulnerability-alerts as GITHUB_TOKEN permission scope#27668
❌ Smoke CI was cancelled. Please review the logs for details.
Move vulnerability-alerts from GitHub App-only to a native GITHUB_TOKEN permission scope. This lets workflows access the Dependabot alerts API directly via GITHUB_TOKEN without requiring a PAT or GitHub App.

- Move PermissionVulnerabilityAlerts to Actions scope constants
- Add to GetAllPermissionScopes(), remove from GetAllGitHubAppOnlyScopes()
- Update frontmatter types, parsing, and serialization
- Update JSON schema descriptions
- Update test fixtures and recompile lock files
✅ Smoke CI completed successfully!
✅ Smoke CI completed successfully!
Pull request overview
Updates the workflow permission model so vulnerability-alerts is treated as a native GITHUB_TOKEN scope (instead of GitHub App-only), enabling Dependabot alerts API access without requiring a PAT or GitHub App.
Changes:
- Reclassifies vulnerability-alerts as a GitHub Actions permission scope across parsing, rendering/filtering, validation, and toolset-required permissions.
- Updates tests, docs, and JSON schema descriptions to reflect the new scope behavior.
- Regenerates numerous .lock.yml workflows (and adds a new agent markdown file).
| File | Description |
|---|---|
| pkg/workflow/safe_outputs_app_config.go | Ensures permission-vulnerability-alerts is emitted from workflow permissions when minting app tokens. |
| pkg/workflow/permissions_validator_test.go | Updates required permissions for the dependabot toolset to include vulnerability-alerts. |
| pkg/workflow/permissions_operations_test.go | Updates merge/filter expectations to preserve vulnerability-alerts at job-level. |
| pkg/workflow/permissions_operations.go | Adjusts docs/comment around filtering app-only scopes (now excluding vulnerability-alerts). |
| pkg/workflow/permissions.go | Reclassifies vulnerability-alerts as a GITHUB_TOKEN scope; updates scope lists. |
| pkg/workflow/github_toolsets.go | Updates toolset exclusion rationale now that dependabot can use GITHUB_TOKEN scopes. |
| pkg/workflow/github_mcp_app_token_test.go | Updates assertions to expect vulnerability-alerts in job-level permissions and app token inputs. |
| pkg/workflow/github_app_permissions_validation_test.go | Updates validation expectations: vulnerability-alerts no longer requires a GitHub App. |
| pkg/workflow/frontmatter_types.go | Moves vulnerability-alerts into the GitHub Actions permissions config struct. |
| pkg/workflow/frontmatter_serialization.go | Serializes vulnerability-alerts under Actions permissions rather than app-only. |
| pkg/workflow/frontmatter_parsing.go | Parses vulnerability-alerts as a native workflow permissions key. |
| pkg/workflow/dangerous_permissions_validation_test.go | Updates write-all shorthand write-permission count to include the new scope. |
| pkg/workflow/compiler_main_job.go | Updates comment/examples for app-only permissions filtering. |
| pkg/parser/schemas/main_workflow_schema.json | Updates schema descriptions for vulnerability-alerts in workflow and GitHub App contexts. |
| pkg/cli/workflows/test-vulnerability-alerts-permission.md | Updates canonical workflow doc to expect job-level vulnerability-alerts presence. |
| pkg/cli/compile_permissions_integration_test.go | Updates integration assertions to require job-level vulnerability-alerts presence. |
| docs/src/content/docs/reference/permissions.md | Removes vulnerability-alerts from the “requires additional authentication” list. |
| docs/src/content/docs/reference/github-tools.md | Updates dependabot toolset docs to describe GITHUB_TOKEN permissions requirements. |
| .github/workflows/workflow-generator.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/unbloat-docs.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/tidy.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/test-quality-sentinel.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-update-cross-repo-pr.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-test-tools.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-temporary-id.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-project.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-opencode.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-multi-pr.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-gemini.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-crush.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-create-cross-repo-pr.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-copilot-arm.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-codex.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-claude.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-ci.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-call-workflow.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-agent-scoped-approved.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-agent-public-none.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-agent-public-approved.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-agent-all-none.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/smoke-agent-all-merged.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/security-review.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/scout.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/refiner.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/q.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/poem-bot.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/plan.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/pdf-summary.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/mergefest.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/grumpy-reviewer.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/firewall-escape.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/design-decision-gate.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/craft.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/cloclo.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/changeset.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/brave.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/auto-triage-issues.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/archie.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/approach-validator.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/ai-moderator.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/workflows/ace-editor.lock.yml | Lockfile regen: adds GH_AW_ALLOWED_DOMAINS env to a github-script step. |
| .github/agents/my-agent-1.agent.md | Adds a new Codespaces/gh/Copilot setup agent document. |
Copilot's findings
- Files reviewed: 18/18 changed files
- Comments generated: 3
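As an added illustration (not code from gh-aw), a Go sketch of the split the PR describes: requested scopes are partitioned into the job-level GITHUB_TOKEN block and the app-only set, with vulnerability-alerts now on the GITHUB_TOKEN side and PermissionOrganizationProj still app-only. The membership of each scope set, the SplitPermissions signature and the fail-closed handling of unknown scopes, bad levels and missing app configuration are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Scope names as they appear in workflow frontmatter. The constant names follow
// the PR; which scopes belong to each set below is an illustrative assumption.
const (
	PermissionVulnerabilityAlerts = "vulnerability-alerts"
	PermissionOrganizationProj    = "organization-projects"
)
// Scopes GITHUB_TOKEN can carry; after this PR vulnerability-alerts belongs here.
var githubTokenScopes = map[string]bool{
	"contents": true, "issues": true, "pull-requests": true,
	"security-events": true, PermissionVulnerabilityAlerts: true,
}
// Scopes GITHUB_TOKEN can never carry; they need a minted GitHub App token.
var githubAppOnlyScopes = map[string]bool{PermissionOrganizationProj: true}

// SplitPermissions partitions requested scopes into the job-level GITHUB_TOKEN
// block and the set forwarded to the app-token step. Unknown scopes, bad levels
// and app-only scopes without a configured GitHub App fail closed instead of
// being silently dropped, so a workflow never assumes a permission it lacks.
func SplitPermissions(requested map[string]string, appConfigured bool) (token, appOnly map[string]string, err error) {
	token, appOnly = map[string]string{}, map[string]string{}
	var unknown []string
	for scope, level := range requested {
		if level != "read" && level != "write" && level != "none" {
			return nil, nil, fmt.Errorf("scope %q: invalid level %q", scope, level)
		}
		switch {
		case githubTokenScopes[scope]:
			token[scope] = level
		case githubAppOnlyScopes[scope]:
			appOnly[scope] = level
		default:
			unknown = append(unknown, scope)
		}
	}
	if len(unknown) > 0 {
		sort.Strings(unknown) // deterministic error text
		return nil, nil, fmt.Errorf("unknown permission scopes: %v", unknown)
	}
	if len(appOnly) > 0 && !appConfigured {
		return nil, nil, fmt.Errorf("%d scope(s) need a GitHub App but none is configured", len(appOnly))
	}
	return token, appOnly, nil
}
```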
@copilot review all comments
@mnkiefer we can upgrade dependabot
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/aea5e3a2-0fee-432c-963f-5547e49a119f
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Move PermissionOrganizationProj below the GITHUB_TOKEN block with a comment explaining it is declared here for grouping but treated as App-only at runtime. Rename TestCompileVulnerabilityAlertsPermissionFiltered to TestCompileVulnerabilityAlertsPermissionIncluded to match the updated test semantics (inclusion, not filtering).
✅ Smoke CI completed successfully!
🤖 Smoke CI run: https://github.com/github/gh-aw/actions/runs/24746534264
Hey, the PR looks well-structured: the changes are tightly focused, documentation is updated in sync with the code, and the test suite is comprehensively updated across 7 test files. This looks ready for maintainer review. 🎉
Moves vulnerability-alerts from a GitHub App-only permission to a native GITHUB_TOKEN workflow permission scope, allowing workflows to access the Dependabot alerts API without requiring a PAT or GitHub App.