Handle PR #27837 review comments for create-project issues permissions#27868
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/0527ad1c-e697-431a-9eb7-f68ee108bcbe Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
Updates safe-output permission computation and related tests/docs to ensure GitHub App tokens include `issues: read` when project operations may resolve issue-backed items (including the create-project path).
Changes:
- Add `issues: read` to the computed permissions for `safe-outputs.create-project`.
- Update unit tests to expect `issues: read` for create-project permissions and to assert minted app-token inputs include `permission-issues: read`.
- Expand safe-outputs reference docs to mention the `issues: read` requirement for issue-backed project item resolution (including create-project when `item_url` is used).
| File | Description |
|---|---|
| pkg/workflow/safe_outputs_permissions.go | Adds issues: read to permissions computed for create-project. |
| pkg/workflow/safe_outputs_permissions_test.go | Updates create-project permission expectations to include issues: read. |
| pkg/workflow/safe_outputs_app_test.go | Adds a regression test asserting the minted GitHub App token includes permission-issues: read for create-project. |
| docs/src/content/docs/reference/safe-outputs.md | Documents the issues: read requirement for issue-backed project item resolution, including create-project with item_url. |
Copilot's findings
- Files reviewed: 4/4 changed files
- Comments generated: 3
| if safeOutputs.CreateProjects != nil && !isHandlerStaged(safeOutputs.Staged, safeOutputs.CreateProjects.Staged) { | ||
| safeOutputsPermissionsLog.Print("Adding permissions for create-project") | ||
| permissions.Merge(NewPermissionsContentsReadProjectsWrite()) | ||
| permissions.Set(PermissionIssues, PermissionRead) |
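Review bot: the last line uses `permissions.Set(PermissionIssues, PermissionRead)` while the line above merges with `permissions.Merge(NewPermissionsContentsReadProjectsWrite())`; if another enabled safe-output has already contributed `issues: write` to the same permissions value and `Set` overwrites rather than keeping the higher level, this would silently downgrade it to read. Unless `Set` is guaranteed to only widen, consider expressing this as a merge of a permissions value carrying only `issues: read` (same pattern as the line above), so the computed permission set can only grow.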
ComputePermissionsForSafeOutputs now unconditionally adds issues: read when create-project is enabled. In actions/setup/js/create_project.cjs, issues access is only needed when item_url is provided (to resolve the issue node ID and add it to the project), so this expands the minted GitHub App token permissions even for create-project usages that never set item_url. Consider making this conditional (e.g., via an explicit config flag that enables item_url support) or updating the documentation to clarify that enabling create-project will always mint a token with issues: read due to the optional item_url feature.
| // TestSafeOutputsAppTokenCreateProjectWithItemURLIssuesReadPermission tests that issues read permission | ||
| // is included in the GitHub App token minting step when create-project is configured with item_url. | ||
| func TestSafeOutputsAppTokenCreateProjectWithItemURLIssuesReadPermission(t *testing.T) { | ||
| compiler := NewCompiler(WithVersion("1.0.0")) | ||
|
|
||
| markdown := `--- | ||
| on: issues | ||
| safe-outputs: | ||
| create-project: | ||
| target-owner: "my-org" | ||
| github-app: | ||
| app-id: ${{ vars.APP_ID }} | ||
| private-key: ${{ secrets.APP_PRIVATE_KEY }} | ||
| --- | ||
|
|
||
| # Test Workflow | ||
|
|
||
| Test workflow with create-project item_url permissions. | ||
| ` |
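Review bot: this fixture only exercises the enabled, non-staged path; the compiler change guards the new permission with `!isHandlerStaged(safeOutputs.Staged, safeOutputs.CreateProjects.Staged)`, so a companion test asserting that a staged create-project does not add `permission-issues: read` to the minted token would pin that guard and keep the token as narrow as intended in staged mode.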
This test name/comment says create-project is configured "with item_url", but item_url is not part of the safe-outputs.create-project frontmatter config and the markdown fixture here does not (and cannot) express whether the agent will send an item_url at runtime. As written, the test is asserting that enabling create-project causes the app token minting step to include permission-issues: read unconditionally, so the test should be renamed/reworded to match what it actually validates.
| Manages GitHub Projects boards. Requires a write-capable PAT or GitHub App token ([project token authentication](/gh-aw/patterns/project-ops/#project-token-authentication)); default `GITHUB_TOKEN` lacks Projects v2 access. Update-only by default; set `create_if_missing: true` to create boards (requires appropriate token permissions). | ||
|
|
||
| When using `github-app`, issue-backed project item resolution also requires `issues: read` on the minted token (in addition to `organization-projects: write`). | ||
| When using `github-app`, issue-backed project item resolution also requires `issues: read` on the minted token (in addition to `organization-projects: write`). This applies to `update-project`, and also to `create-project` when `item_url` is used to resolve an issue into a project item. |
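Review bot: the added sentence says `issues: read` applies to `create-project` "when `item_url` is used", but the compiler change in this PR adds the permission whenever create-project is enabled, not only when `item_url` is sent. The docs should state that a token minted for `create-project` always carries `issues: read`, and that `item_url` is the feature that consumes it; otherwise readers will expect a narrower token than the one actually minted.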
This note about create-project + item_url is placed under the update-project section, but the create-project section above is where users will look for create-project token requirements (especially since item_url is documented there). Consider duplicating/moving this guidance closer to the create-project documentation so the permission requirement isn’t missed.
`issues: read` to `update-project` GitHub App token permissions #27837 review comments and confirm required follow-up scope