diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 86cb698ffbe..af22ed6fcba 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -90,7 +90,7 @@ jobs: with: persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 with: cache: npm cache-dependency-path: pkg/workflow/js/package-lock.json diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 24a193cc30f..0e2f89b7799 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -493,7 +493,7 @@ jobs: with: persist-credentials: false - name: Setup Node.js - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 with: cache: npm cache-dependency-path: docs/package-lock.json diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 964804b1d3f..1db02fce2cb 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -454,7 +454,7 @@ jobs: with: persist-credentials: false - name: Set up Node.js - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 + uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 with: cache: npm cache-dependency-path: pkg/workflow/js/package-lock.json diff --git a/pkg/cli/commands_compile_workflow_test.go b/pkg/cli/commands_compile_workflow_test.go index b3761c20230..2641507f992 100644 --- a/pkg/cli/commands_compile_workflow_test.go +++ b/pkg/cli/commands_compile_workflow_test.go @@ -28,6 +28,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read --- # Test Workflow 
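Review bot: The fixture in pkg/cli/commands_compile_workflow_test.go (hunk at -28,6) gains `issues: read` and `pull-requests: read` with nothing saying which compiler rule requires them. The same two lines are pasted into the other fixtures of this file and into most test files in this commit. If the scopes only satisfy a permission check tied to the GitHub tool configuration (an inference; the hunks do not show the rule), a shared fixture constant or a Go comment above the fixture such as `// issues/pull-requests read: needed by the permission check for the github tool` would make that explicit. Keeping at least one fixture that declares only `contents: read` would also preserve coverage of the least-privilege case. The fixture string starts and ends outside the hunk.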
@@ -58,6 +60,8 @@ on: - cron: "0 9 * * 1" permissions: contents: write + issues: read + pull-requests: read --- # Verbose Test Workflow @@ -88,6 +92,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read --- # Engine Override Test @@ -421,6 +427,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read --- # Test Workflow @@ -460,6 +468,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read --- # Test Workflow diff --git a/pkg/cli/commands_test.go b/pkg/cli/commands_test.go index 168d060babf..ec23f53e947 100644 --- a/pkg/cli/commands_test.go +++ b/pkg/cli/commands_test.go @@ -143,6 +143,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read --- # Test Workflow for No Emit diff --git a/pkg/cli/compile_dependabot_test.go b/pkg/cli/compile_dependabot_test.go index ed32e3c72e8..015216b2093 100644 --- a/pkg/cli/compile_dependabot_test.go +++ b/pkg/cli/compile_dependabot_test.go @@ -37,6 +37,8 @@ func TestCompileDependabotIntegration(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read steps: - run: npx @playwright/mcp@latest --help --- @@ -159,6 +161,8 @@ func TestCompileDependabotNoDependencies(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read --- # Test Workflow @@ -239,6 +243,8 @@ func TestCompileDependabotPreserveExisting(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read steps: - run: npx @playwright/mcp@latest --help --- @@ -348,6 +354,8 @@ func TestCompileDependabotMergeExistingNpm(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read steps: - run: npx @playwright/mcp@latest --help --- diff --git a/pkg/cli/compile_instructions_test.go b/pkg/cli/compile_instructions_test.go index 7afa7649336..e313afb121c 100644 --- a/pkg/cli/compile_instructions_test.go 
+++ b/pkg/cli/compile_instructions_test.go @@ -51,6 +51,8 @@ func TestCompileDoesNotWriteInstructions(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -153,6 +155,8 @@ func TestCompileDoesNotWriteInstructionsWhenCompilingAll(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude --- diff --git a/pkg/workflow/action_sha_validation_test.go b/pkg/workflow/action_sha_validation_test.go index 094537217ae..be04a10af80 100644 --- a/pkg/workflow/action_sha_validation_test.go +++ b/pkg/workflow/action_sha_validation_test.go @@ -19,7 +19,8 @@ on: push engine: copilot permissions: contents: read ---- + issues: read + pull-requests: read # Test Workflow This is a test workflow to verify SHA pinning. @@ -84,6 +85,7 @@ engine: copilot permissions: contents: read issues: write + pull-requests: read safe-outputs: create-issue: --- @@ -143,7 +145,8 @@ on: push engine: copilot permissions: contents: read ---- + issues: read + pull-requests: read # Simple Test Just a simple test workflow. diff --git a/pkg/workflow/agentic_output_test.go b/pkg/workflow/agentic_output_test.go index 70a39db3c40..8ecaf0b5e46 100644 --- a/pkg/workflow/agentic_output_test.go +++ b/pkg/workflow/agentic_output_test.go @@ -24,6 +24,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] @@ -123,6 +124,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] @@ -245,6 +247,8 @@ func TestEngineOutputCleanupExcludesTmpFiles(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read tools: github: allowed: [list_issues] diff --git a/pkg/workflow/allowed_domains_sanitization_test.go b/pkg/workflow/allowed_domains_sanitization_test.go index dbc43add196..1c84b2bb79c 100644 --- a/pkg/workflow/allowed_domains_sanitization_test.go 
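Review bot: In pkg/workflow/action_sha_validation_test.go the hunk at -19,7 removes the `---` line that followed `contents: read` and puts the two permission lines in its place, so as far as the hunk shows the frontmatter is no longer closed before `# Test Workflow`. The hunk at -143,7 in the same file does the same, and the four hunks in pkg/workflow/compiler_template_validation_test.go delete `---` without adding anything. If that line was the closing delimiter, these SHA-pinning and template-validation tests may now succeed or fail on a frontmatter parse problem rather than on the behaviour they are meant to check. Unless the removal is deliberate, keep the delimiter after the new lines, i.e. `  pull-requests: read` followed by `---`. The fixture strings begin and end outside the hunks.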
+++ b/pkg/workflow/allowed_domains_sanitization_test.go @@ -22,6 +22,8 @@ func TestAllowedDomainsFromNetworkConfig(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: @@ -52,6 +54,8 @@ Test workflow with network permissions. on: push permissions: contents: read + issues: read + pull-requests: read engine: claude network: allowed: @@ -78,6 +82,8 @@ Test workflow with network permissions. on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot network: defaults safe-outputs: @@ -104,6 +110,8 @@ Test workflow with defaults network. on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-issue: @@ -128,6 +136,8 @@ Test workflow without network config. on: push permissions: contents: read + issues: read + pull-requests: read engine: claude network: allowed: @@ -234,6 +244,8 @@ func TestManualAllowedDomainsHasPriority(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: @@ -263,6 +275,8 @@ Test that manual allowed-domains takes precedence. on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: diff --git a/pkg/workflow/aw_info_steps_test.go b/pkg/workflow/aw_info_steps_test.go index 5f44d04de10..e934d87b6db 100644 --- a/pkg/workflow/aw_info_steps_test.go +++ b/pkg/workflow/aw_info_steps_test.go @@ -20,6 +20,8 @@ func TestAwInfoStepsFirewall(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot network: firewall: true @@ -38,6 +40,8 @@ This workflow tests that firewall type is set to squid when enabled. on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot network: firewall: false 
@@ -56,6 +60,8 @@ This workflow tests that firewall type is empty when disabled. on: push permissions: contents: read + issues: read + pull-requests: read engine: claude --- diff --git a/pkg/workflow/aw_info_tmp_test.go b/pkg/workflow/aw_info_tmp_test.go index 01d066e0bdd..565cbca20c2 100644 --- a/pkg/workflow/aw_info_tmp_test.go +++ b/pkg/workflow/aw_info_tmp_test.go @@ -21,6 +21,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] diff --git a/pkg/workflow/cache_memory_import_test.go b/pkg/workflow/cache_memory_import_test.go index 14b5183190d..b90130ce5ce 100644 --- a/pkg/workflow/cache_memory_import_test.go +++ b/pkg/workflow/cache_memory_import_test.go @@ -41,6 +41,8 @@ name: Test Import Only on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude imports: - shared/cache-config.md diff --git a/pkg/workflow/cache_memory_integration_test.go b/pkg/workflow/cache_memory_integration_test.go index ce6742478aa..22edf58b09c 100644 --- a/pkg/workflow/cache_memory_integration_test.go +++ b/pkg/workflow/cache_memory_integration_test.go @@ -21,6 +21,8 @@ name: Test Cache Memory Single on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude tools: cache-memory: true @@ -52,6 +54,8 @@ name: Test Cache Memory Multiple on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude tools: cache-memory: @@ -93,6 +97,8 @@ name: Test Cache Memory Multiple No Keys on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude tools: cache-memory: diff --git a/pkg/workflow/checkout_optimization_test.go b/pkg/workflow/checkout_optimization_test.go index fd3669c4d18..9fac8fb80ea 100644 --- a/pkg/workflow/checkout_optimization_test.go +++ b/pkg/workflow/checkout_optimization_test.go 
@@ -22,7 +22,7 @@ on: types: [opened] tools: github: - allowed: [list_issues] + toolsets: [issues] engine: claude ---`, expectedHasCheckout: true, @@ -39,7 +39,7 @@ permissions: pull-requests: read tools: github: - allowed: [list_issues] + toolsets: [issues, pull_requests] engine: claude ---`, expectedHasCheckout: false, @@ -54,9 +54,10 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: - allowed: [list_issues] + toolsets: [repos, issues, pull_requests] engine: claude ---`, expectedHasCheckout: true, @@ -71,9 +72,10 @@ on: permissions: contents: write issues: write + pull-requests: read tools: github: - allowed: [list_issues] + toolsets: [repos, issues, pull_requests] engine: claude ---`, expectedHasCheckout: true, @@ -88,7 +90,7 @@ on: permissions: read-all tools: github: - allowed: [list_issues] + toolsets: [issues] engine: claude ---`, expectedHasCheckout: true, @@ -103,7 +105,7 @@ on: permissions: write-all tools: github: - allowed: [list_issues] + toolsets: [issues] engine: claude ---`, expectedHasCheckout: true, @@ -118,6 +120,7 @@ on: permissions: contents: read issues: write + pull-requests: read steps: - name: Custom checkout uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 @@ -127,7 +130,7 @@ steps: run: echo "custom setup" tools: github: - allowed: [list_issues] + toolsets: [issues] engine: claude ---`, expectedHasCheckout: false, @@ -142,6 +145,7 @@ on: permissions: contents: read issues: write + pull-requests: read steps: - name: Setup Node uses: actions/setup-node@v4 @@ -151,7 +155,7 @@ steps: run: npm install tools: github: - allowed: [list_issues] + toolsets: [issues] engine: claude ---`, expectedHasCheckout: true, @@ -175,7 +179,7 @@ steps: run: npm install tools: github: - allowed: [list_issues] + toolsets: [issues, pull_requests] engine: claude ---`, expectedHasCheckout: false, 
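Review bot: Every case touched in pkg/workflow/checkout_optimization_test.go swaps `allowed: [list_issues]` for a `toolsets:` list, so the visible cases of this table no longer exercise a per-tool allowlist. A toolset presumably enables a group of tools rather than the single `list_issues` entry (the hunks do not show its definition), which means the fixtures now describe a broader agent surface than before. The lists also differ per case (`[issues]`, `[issues, pull_requests]`, `[repos, issues, pull_requests]`) without saying why. A short Go comment on each case, for example `// toolsets limited to the scopes declared under permissions`, would document the pairing. One case could keep `allowed:` so that path stays covered. The table entries start and end outside the hunks.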
diff --git a/pkg/workflow/checkout_persist_credentials_test.go b/pkg/workflow/checkout_persist_credentials_test.go index 73bda8b7e51..b2c6a7b5b43 100644 --- a/pkg/workflow/checkout_persist_credentials_test.go +++ b/pkg/workflow/checkout_persist_credentials_test.go @@ -22,6 +22,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] @@ -38,6 +39,8 @@ on: permissions: contents: read actions: read + issues: read + pull-requests: read safe-outputs: create-issue: assignees: [user1] @@ -54,6 +57,8 @@ on: permissions: contents: read actions: read + issues: read + pull-requests: read safe-outputs: create-pull-request: engine: claude @@ -69,6 +74,8 @@ on: permissions: contents: read actions: read + issues: read + pull-requests: read safe-outputs: push-to-pull-request-branch: engine: claude @@ -83,6 +90,8 @@ on: permissions: contents: read actions: read + issues: read + pull-requests: read safe-outputs: upload-assets: engine: claude @@ -98,6 +107,8 @@ on: permissions: contents: read actions: read + issues: read + pull-requests: read safe-outputs: create-agent-task: engine: claude diff --git a/pkg/workflow/claude_settings_tmp_test.go b/pkg/workflow/claude_settings_tmp_test.go index cbc19dfe74a..533dac17ca5 100644 --- a/pkg/workflow/claude_settings_tmp_test.go +++ b/pkg/workflow/claude_settings_tmp_test.go @@ -21,6 +21,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] diff --git a/pkg/workflow/compile_test.go b/pkg/workflow/compile_test.go index 9fe3cac74b8..d45710f73a7 100644 --- a/pkg/workflow/compile_test.go +++ b/pkg/workflow/compile_test.go @@ -21,6 +21,7 @@ on: push permissions: contents: read issues: write + pull-requests: read engine: claude safe-outputs: create-issue: @@ -88,6 +89,7 @@ on: push permissions: contents: read issues: write + pull-requests: read engine: claude --- 
@@ -214,6 +216,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] @@ -691,6 +694,7 @@ on: push permissions: contents: read pull-requests: write + issues: read engine: claude safe-outputs: create-pull-request: @@ -758,6 +762,7 @@ on: push permissions: contents: read pull-requests: write + issues: read tools: github: allowed: [list_issues] @@ -871,6 +876,7 @@ on: push permissions: contents: read pull-requests: write + issues: read tools: github: allowed: [list_issues] @@ -946,6 +952,7 @@ on: push permissions: contents: read pull-requests: write + issues: read tools: github: allowed: [list_issues] @@ -1196,6 +1203,7 @@ on: permissions: contents: read issues: write + pull-requests: read engine: claude safe-outputs: add-labels: @@ -1281,6 +1289,7 @@ on: permissions: contents: read issues: write + pull-requests: read engine: claude safe-outputs: add-labels: @@ -1685,6 +1694,7 @@ on: permissions: contents: read issues: write + pull-requests: read engine: claude safe-outputs: add-labels: @@ -1730,6 +1740,7 @@ on: permissions: contents: read issues: write + pull-requests: read engine: claude safe-outputs: add-labels: {} @@ -1774,6 +1785,7 @@ on: push permissions: contents: read pull-requests: write + issues: read engine: claude safe-outputs: create-pull-request: @@ -1819,6 +1831,7 @@ on: push permissions: contents: read pull-requests: write + issues: read engine: claude safe-outputs: create-pull-request: diff --git a/pkg/workflow/compiler_expression_size_test.go b/pkg/workflow/compiler_expression_size_test.go index c7d929819b3..9113b38fb31 100644 --- a/pkg/workflow/compiler_expression_size_test.go +++ b/pkg/workflow/compiler_expression_size_test.go @@ -25,6 +25,7 @@ timeout_minutes: 10 permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues, get_issue] 
@@ -64,6 +65,7 @@ timeout_minutes: 10 permissions: contents: read pull-requests: write + issues: read tools: github: allowed: [list_issues] diff --git a/pkg/workflow/compiler_file_size_test.go b/pkg/workflow/compiler_file_size_test.go index 6eaa2db03ea..fa970d282e5 100644 --- a/pkg/workflow/compiler_file_size_test.go +++ b/pkg/workflow/compiler_file_size_test.go @@ -25,6 +25,7 @@ timeout_minutes: 10 permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues, create_issue] @@ -65,6 +66,7 @@ timeout_minutes: 10 permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues, create_issue] diff --git a/pkg/workflow/compiler_template_validation_test.go b/pkg/workflow/compiler_template_validation_test.go index e06565a254c..7f57653891b 100644 --- a/pkg/workflow/compiler_template_validation_test.go +++ b/pkg/workflow/compiler_template_validation_test.go @@ -23,7 +23,6 @@ func TestCompilerRejectsIncludesInTemplateRegions(t *testing.T) { on: issues permissions: issues: write ---- # Valid Workflow @@ -40,7 +39,6 @@ This is valid. on: issues permissions: issues: write ---- # Invalid Workflow @@ -57,7 +55,6 @@ This should fail. on: pull_request permissions: pull-requests: write ---- # Invalid Workflow with Import @@ -73,7 +70,6 @@ permissions: on: issues permissions: issues: write ---- # Valid Complex Workflow diff --git a/pkg/workflow/compiler_test.go b/pkg/workflow/compiler_test.go index 801d517b7db..21c6da71d7b 100644 --- a/pkg/workflow/compiler_test.go +++ b/pkg/workflow/compiler_test.go @@ -25,6 +25,7 @@ timeout_minutes: 10 permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues, create_issue] @@ -173,7 +174,9 @@ on: issues: types: [opened] permissions: + contents: read issues: write + pull-requests: read tools: github: allowed: [add_issue_comment] 
@@ -195,7 +198,9 @@ on: issues: types: [opened] permissions: + contents: read issues: write + pull-requests: read tools: github: allowed: [add_issue_comment] @@ -1570,6 +1575,8 @@ func TestWorkflowNameWithColon(t *testing.T) { timeout_minutes: 10 permissions: contents: read + issues: read + pull-requests: read tools: github: allowed: [list_issues] @@ -1725,6 +1732,8 @@ timeout_minutes: 15 permissions: contents: read models: read + issues: read + pull-requests: read mcp-servers: notionApi: @@ -2538,6 +2547,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [get_issue] @@ -2922,6 +2932,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [get_issue] @@ -2987,6 +2998,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3006,6 +3018,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3024,6 +3037,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3044,6 +3058,7 @@ if: github.actor != 'dependabot[bot]' permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3065,6 +3080,7 @@ if: github.actor != 'dependabot[bot]' permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3083,6 +3099,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3171,6 +3188,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3191,6 +3209,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3210,6 +3229,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3232,6 +3252,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -3352,6 +3373,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues 
@@ -3373,6 +3395,7 @@ on: push permissions: contents: read issues: write + pull-requests: read invalid: yaml: syntax more: bad engine: claude @@ -3411,6 +3434,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: ["list_issues] @@ -3431,6 +3455,8 @@ Invalid YAML with unclosed quote.`, on: push permissions: contents: read + issues: read + pull-requests: read permissions: issues: write engine: claude @@ -3451,6 +3477,7 @@ on: push permissions: contents: read issues: yes_please + pull-requests: read engine: claude --- @@ -3513,6 +3540,8 @@ on: push timeout_minutes: 05.5 permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -3535,6 +3564,8 @@ tools: claude: [ permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -3755,6 +3786,8 @@ name: Test Cache Workflow on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude cache: key: node-modules-${{ hashFiles('package-lock.json') }} @@ -3786,6 +3819,8 @@ name: Test Multi Cache Workflow on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude cache: - key: node-modules-${{ hashFiles('package-lock.json') }} @@ -3829,6 +3864,8 @@ name: Test Full Cache Workflow on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude cache: key: full-cache-${{ github.sha }} @@ -3921,6 +3958,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] @@ -4014,6 +4052,7 @@ on: issues permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] @@ -4201,6 +4240,7 @@ on: permissions: contents: write issues: write + pull-requests: read tools: github: allowed: [list_issues, create_issue] @@ -4371,6 +4411,8 @@ on: push permissions: contents: read %s + issues: read + pull-requests: read engine: claude --- 
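Review bot: In the hunk at -4371,6 of pkg/workflow/compiler_test.go the new `issues: read` and `pull-requests: read` lines are placed after the `%s` placeholder rather than directly under `contents: read`. Indentation is not recoverable from this view, but if the placeholder expands to a top-level key, the two lines end up attached to that key or break the YAML instead of extending `permissions`. Placing them above the placeholder, in the order `contents: read`, `issues: read`, `pull-requests: read`, `%s`, keeps them in the permissions mapping whatever a test case substitutes. The hunk at -4733,6 has the same ordering. The format string starts and ends outside both hunks.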
@@ -4733,6 +4775,8 @@ on: push permissions: contents: read %s + issues: read + pull-requests: read engine: claude --- @@ -4897,6 +4941,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -4922,6 +4967,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -4948,6 +4994,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -4972,6 +5019,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -4996,6 +5044,7 @@ if: github.actor != 'dependabot[bot]' permissions: contents: read issues: write + pull-requests: read tools: github: @@ -5018,6 +5067,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -5040,6 +5090,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -5062,6 +5113,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -5083,6 +5135,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -5171,6 +5224,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -5197,6 +5251,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -5217,6 +5272,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -5236,6 +5292,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -5446,6 +5503,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read engine: claude tools: github: @@ -5466,6 +5525,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read engine: claude tools: github: @@ -5482,6 +5543,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read engine: claude tools: github: 
@@ -5610,6 +5673,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [get_issue] @@ -5627,6 +5691,8 @@ on: stop-after: +1h permissions: contents: read + issues: read + pull-requests: read tools: github: allowed: [list_commits] @@ -5645,6 +5711,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [get_issue] @@ -5742,6 +5809,8 @@ func TestPostStepsIndentationFix(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read tools: github: allowed: [list_issues] @@ -5852,6 +5921,8 @@ func TestPromptUploadArtifact(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: copilot --- diff --git a/pkg/workflow/copilot_engine_test.go b/pkg/workflow/copilot_engine_test.go index b53bb41646c..5a420d648a9 100644 --- a/pkg/workflow/copilot_engine_test.go +++ b/pkg/workflow/copilot_engine_test.go @@ -865,6 +865,8 @@ func TestCopilotEngineLogParsingUsesCorrectLogFile(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot tools: github: diff --git a/pkg/workflow/create_agent_task_integration_test.go b/pkg/workflow/create_agent_task_integration_test.go index 9dfa807aa7c..107e0116adf 100644 --- a/pkg/workflow/create_agent_task_integration_test.go +++ b/pkg/workflow/create_agent_task_integration_test.go @@ -18,6 +18,8 @@ func TestAgentTaskWorkflowCompilation(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-agent-task: @@ -108,6 +110,8 @@ func TestAgentTaskWorkflowWithTargetRepo(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-agent-task: 
diff --git a/pkg/workflow/create_issue_assignees_integration_test.go b/pkg/workflow/create_issue_assignees_integration_test.go index bedeaf0a702..0711f0dead6 100644 --- a/pkg/workflow/create_issue_assignees_integration_test.go +++ b/pkg/workflow/create_issue_assignees_integration_test.go @@ -23,6 +23,8 @@ on: types: [opened] permissions: contents: read + issues: read + pull-requests: read engine: claude safe-outputs: create-issue: @@ -146,6 +148,8 @@ on: types: [opened] permissions: contents: read + issues: read + pull-requests: read engine: claude safe-outputs: create-issue: @@ -208,6 +212,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-issue: @@ -271,6 +277,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-issue: diff --git a/pkg/workflow/create_issue_backward_compat_test.go b/pkg/workflow/create_issue_backward_compat_test.go index 6f40626a1ad..dea6f00629c 100644 --- a/pkg/workflow/create_issue_backward_compat_test.go +++ b/pkg/workflow/create_issue_backward_compat_test.go @@ -24,6 +24,8 @@ on: types: [opened] permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-issue: @@ -98,6 +100,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-issue: diff --git a/pkg/workflow/create_issue_subissue_test.go b/pkg/workflow/create_issue_subissue_test.go index 5cb3c4e7af3..02cb18a3330 100644 --- a/pkg/workflow/create_issue_subissue_test.go +++ b/pkg/workflow/create_issue_subissue_test.go @@ -81,6 +81,8 @@ on: types: [opened] permissions: contents: read + issues: read + pull-requests: read engine: claude safe-outputs: create-issue: diff --git a/pkg/workflow/create_pr_review_comment_test.go b/pkg/workflow/create_pr_review_comment_test.go index d9aac5d9681..ded6dea9758 100644 
--- a/pkg/workflow/create_pr_review_comment_test.go +++ b/pkg/workflow/create_pr_review_comment_test.go @@ -22,6 +22,7 @@ on: pull_request permissions: contents: read pull-requests: write + issues: read engine: claude safe-outputs: create-pull-request-review-comment: diff --git a/pkg/workflow/create_pull_request_reviewers_integration_test.go b/pkg/workflow/create_pull_request_reviewers_integration_test.go index 16c0172f4fb..2a5ba67aac7 100644 --- a/pkg/workflow/create_pull_request_reviewers_integration_test.go +++ b/pkg/workflow/create_pull_request_reviewers_integration_test.go @@ -21,6 +21,8 @@ on: push permissions: contents: read actions: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-pull-request: @@ -118,6 +120,8 @@ on: push permissions: contents: read actions: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-pull-request: @@ -180,6 +184,8 @@ on: push permissions: contents: read actions: read + issues: read + pull-requests: read engine: copilot safe-outputs: create-pull-request: diff --git a/pkg/workflow/custom_engine_integration_test.go b/pkg/workflow/custom_engine_integration_test.go index 705ea83ef8c..f41f90f19ea 100644 --- a/pkg/workflow/custom_engine_integration_test.go +++ b/pkg/workflow/custom_engine_integration_test.go @@ -30,6 +30,7 @@ on: push permissions: contents: read issues: write + pull-requests: read engine: id: custom steps: diff --git a/pkg/workflow/engine_config_test.go b/pkg/workflow/engine_config_test.go index 221487b131d..98b41f2dd17 100644 --- a/pkg/workflow/engine_config_test.go +++ b/pkg/workflow/engine_config_test.go @@ -316,6 +316,7 @@ on: push permissions: contents: read issues: write + pull-requests: read engine: claude --- @@ -332,6 +333,7 @@ on: push permissions: contents: read issues: write + pull-requests: read engine: id: claude version: beta @@ -351,6 +353,7 @@ on: push permissions: contents: read issues: write + pull-requests: read engine: id: codex model: gpt-4o 
diff --git a/pkg/workflow/engine_includes_test.go b/pkg/workflow/engine_includes_test.go index f972ac0f373..5720017a0ca 100644 --- a/pkg/workflow/engine_includes_test.go +++ b/pkg/workflow/engine_includes_test.go @@ -408,6 +408,8 @@ on: permissions: contents: read models: read + issues: read + pull-requests: read imports: - shared/actions-ai-inference.md --- diff --git a/pkg/workflow/fetch_integration_test.go b/pkg/workflow/fetch_integration_test.go index cc2b4c636a2..07cf9b04e8f 100644 --- a/pkg/workflow/fetch_integration_test.go +++ b/pkg/workflow/fetch_integration_test.go @@ -18,6 +18,8 @@ func TestWebFetchMCPServerAddition(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: codex tools: web-fetch: @@ -79,6 +81,8 @@ func TestWebFetchNotAddedForClaudeEngine(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude tools: web-fetch: @@ -142,6 +146,8 @@ func TestNoWebFetchNoMCPFetchServer(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: codex tools: bash: diff --git a/pkg/workflow/git_config_test.go b/pkg/workflow/git_config_test.go index fa9be09a31c..779f9dbaf6c 100644 --- a/pkg/workflow/git_config_test.go +++ b/pkg/workflow/git_config_test.go @@ -21,6 +21,8 @@ func TestGitConfigurationInMainJob(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot --- diff --git a/pkg/workflow/imports_markdown_test.go b/pkg/workflow/imports_markdown_test.go index 7575bf09b88..8bdcfea4d89 100644 --- a/pkg/workflow/imports_markdown_test.go +++ b/pkg/workflow/imports_markdown_test.go @@ -65,6 +65,8 @@ This is common setup content that should be prepended. on: issues permissions: contents: read + issues: read + pull-requests: read engine: claude imports: - shared/common.md 
@@ -84,6 +86,8 @@ This is the main workflow content.`, on: issues permissions: contents: read + issues: read + pull-requests: read engine: claude imports: - shared/common.md @@ -188,6 +192,8 @@ This comes from @include directive.` on: issues permissions: contents: read + issues: read + pull-requests: read engine: claude imports: - shared/import.md diff --git a/pkg/workflow/label_filter_test.go b/pkg/workflow/label_filter_test.go index 5a0f413c485..93ec66d61a0 100644 --- a/pkg/workflow/label_filter_test.go +++ b/pkg/workflow/label_filter_test.go @@ -34,6 +34,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -53,6 +54,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -72,6 +74,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -91,6 +94,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -110,6 +114,7 @@ on: permissions: contents: read pull-requests: write + issues: read tools: github: @@ -129,6 +134,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -147,6 +153,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: @@ -218,6 +225,7 @@ on: permissions: contents: read issues: write + pull-requests: read tools: github: diff --git a/pkg/workflow/manifest_test.go b/pkg/workflow/manifest_test.go index 8a1032a7254..d28ef34ae25 100644 --- a/pkg/workflow/manifest_test.go +++ b/pkg/workflow/manifest_test.go @@ -58,6 +58,8 @@ Be helpful and concise.` on: issues permissions: contents: read + issues: read + pull-requests: read engine: claude imports: - shared/tools.md @@ -78,6 +80,8 @@ Handle the issue.`, on: issues permissions: contents: read + issues: read + pull-requests: read engine: claude imports: - shared/tools.md 
@@ -96,6 +100,8 @@ Handle the issue.`, on: issues permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -114,6 +120,8 @@ Handle the issue.`, on: issues permissions: contents: read + issues: read + pull-requests: read engine: claude --- diff --git a/pkg/workflow/max_turns_test.go b/pkg/workflow/max_turns_test.go index 8ccf567c194..a4dc56a3292 100644 --- a/pkg/workflow/max_turns_test.go +++ b/pkg/workflow/max_turns_test.go @@ -21,6 +21,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: id: claude max-turns: 3 @@ -42,6 +44,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: claude tools: github: @@ -61,6 +65,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: id: claude max-turns: 10 @@ -176,6 +182,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: id: claude max-turns: 5 @@ -191,6 +199,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: id: claude max-turns: "invalid" @@ -206,6 +216,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: id: claude max-turns: 0 @@ -250,6 +262,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: id: custom max-turns: 5 diff --git a/pkg/workflow/max_turns_validation_test.go b/pkg/workflow/max_turns_validation_test.go index a1c940995b3..e75825a2c99 100644 --- a/pkg/workflow/max_turns_validation_test.go +++ b/pkg/workflow/max_turns_validation_test.go @@ -22,6 +22,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: id: codex max-turns: 5 @@ -41,6 +43,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: id: claude max-turns: 5 
@@ -59,6 +63,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: codex --- @@ -75,6 +81,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: claude --- diff --git a/pkg/workflow/mcp_config_compilation_test.go b/pkg/workflow/mcp_config_compilation_test.go index 17f9c4c4848..e95caf71d7c 100644 --- a/pkg/workflow/mcp_config_compilation_test.go +++ b/pkg/workflow/mcp_config_compilation_test.go @@ -14,6 +14,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: claude network: defaults mcp-servers: @@ -124,6 +126,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: copilot mcp-servers: test-server: diff --git a/pkg/workflow/patch_generation_test.go b/pkg/workflow/patch_generation_test.go index ea2eb13e52d..ef336f44943 100644 --- a/pkg/workflow/patch_generation_test.go +++ b/pkg/workflow/patch_generation_test.go @@ -20,6 +20,8 @@ func TestPullRequestPatchGeneration(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: claude safe-outputs: create-pull-request: diff --git a/pkg/workflow/permissions_excess_compilation_test.go b/pkg/workflow/permissions_excess_compilation_test.go index 84ae9c572ba..ab6fd9b8c77 100644 --- a/pkg/workflow/permissions_excess_compilation_test.go +++ b/pkg/workflow/permissions_excess_compilation_test.go @@ -25,6 +25,7 @@ permissions: contents: read issues: read actions: read + pull-requests: read engine: copilot tools: github: @@ -48,6 +49,7 @@ permissions: contents: write issues: write actions: read + pull-requests: read engine: copilot tools: github: @@ -65,6 +67,8 @@ tools: on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot tools: github: @@ -86,6 +90,8 @@ network: on: push permissions: contents: write + issues: read + pull-requests: read engine: copilot tools: github: 
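Review bot: In pkg/workflow/permissions_excess_compilation_test.go, the hunks at `@@ -65,6 +67,8 @@` and `@@ -86,6 +90,8 @@` widen fixtures that previously declared only a `contents` scope, so no case visible in this file still compiles a `tools: github:` workflow with a single-scope permission block. The assertions for these cases are outside the hunks, so it cannot be confirmed from here that they still check what they were written to check. If the compiler is now expected to warn on or reject a workflow that lacks `issues: read` / `pull-requests: read`, that path deserves its own fixture with the two scopes deliberately left out and the expected diagnostic asserted. A trailing YAML comment on the added lines, in the style of the existing `# NOT IN STRICT MODE` marker in strict_mode_test.go (for example `issues: read # added because <reason>`), would also record why each fixture needs scopes beyond `contents`.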
@@ -211,6 +217,7 @@ permissions: contents: write issues: write actions: read + pull-requests: read engine: copilot tools: github: diff --git a/pkg/workflow/permissions_import_test.go b/pkg/workflow/permissions_import_test.go index df633abedf0..7c332594adf 100644 --- a/pkg/workflow/permissions_import_test.go +++ b/pkg/workflow/permissions_import_test.go @@ -102,7 +102,6 @@ func TestPermissionsImportIntegration(t *testing.T) { sharedWorkflowContent := `--- permissions: actions: read ---- # Shared workflow with permissions ` @@ -206,7 +205,8 @@ tools: sharedWorkflowUpgradeContent := `--- permissions: contents: write ---- + issues: read + pull-requests: read # Shared workflow with write permission ` @@ -295,7 +295,7 @@ func TestExtractPermissionsFromContent(t *testing.T) { permissions: contents: read issues: write ---- + pull-requests: read # Content`, expected: `{"contents":"read","issues":"write"}`, wantErr: false, diff --git a/pkg/workflow/pinned_actions_comment_test.go b/pkg/workflow/pinned_actions_comment_test.go index 7b3c06e3732..f4743cd1047 100644 --- a/pkg/workflow/pinned_actions_comment_test.go +++ b/pkg/workflow/pinned_actions_comment_test.go @@ -237,6 +237,8 @@ func TestPinnedActionsCommentInGeneratedYAML(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot --- diff --git a/pkg/workflow/pr_checkout_test.go b/pkg/workflow/pr_checkout_test.go index 1805e4ac158..29b982479e1 100644 --- a/pkg/workflow/pr_checkout_test.go +++ b/pkg/workflow/pr_checkout_test.go @@ -25,6 +25,8 @@ on: types: [created] permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -42,6 +44,8 @@ on: types: [created] permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -61,6 +65,8 @@ on: types: [created] permissions: contents: read + issues: read + pull-requests: read engine: claude --- 
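Review bot: The closing `---` of the front matter is deleted in pkg/workflow/permissions_import_test.go at `@@ -102,7 +102,6 @@`, `@@ -206,7 +205,8 @@` and `@@ -295,7 +295,7 @@`, and again in pkg/workflow/reaction_outputs_test.go at `@@ -111,7 +111,6 @@`, which leaves each of those fixtures with unterminated front matter. The other fixtures visible in this diff keep their delimiter as context, so this looks like a side effect of a bulk edit rather than an intended change. The heading lines that follow (`# Shared workflow with permissions`, `# Test Workflow`, `# Content`) now sit inside the YAML block, so these permission tests may pass or fail for a reason unrelated to what they assert. Restore the delimiter as the line directly after the last permission entry, i.e. `  pull-requests: read` followed by `---`. The fixtures are raw string literals whose start or end lies outside these hunks.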
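Review bot: In `TestExtractPermissionsFromContent` (`@@ -295,7 +295,7 @@` of pkg/workflow/permissions_import_test.go) the fixture gains `pull-requests: read` while the case still expects `{"contents":"read","issues":"write"}`, so the input and the expectation no longer describe the same permission set. If the extractor is meant to return every declared scope, the expectation should list the new key as well, `{"contents":"read","issues":"write","pull-requests":"read"}`. Otherwise this fixture is better left as it was, since it exercises extraction rather than compilation and does not obviously need the extra scope. The test table continues outside the hunk, so other cases in it may need the same check.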
@@ -78,6 +84,8 @@ on: name: test-bot permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -95,6 +103,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -112,6 +122,8 @@ on: types: [opened] permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -223,6 +235,8 @@ on: types: [created] permissions: contents: read + issues: read + pull-requests: read engine: claude --- diff --git a/pkg/workflow/pr_ready_for_review_checkout_test.go b/pkg/workflow/pr_ready_for_review_checkout_test.go index 2ce4900cb57..15008ba8cd3 100644 --- a/pkg/workflow/pr_ready_for_review_checkout_test.go +++ b/pkg/workflow/pr_ready_for_review_checkout_test.go @@ -22,6 +22,8 @@ on: types: [ready_for_review] permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -38,6 +40,8 @@ on: types: [opened] permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -54,6 +58,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read engine: claude --- @@ -150,6 +156,8 @@ on: types: [ready_for_review, opened] permissions: contents: read + issues: read + pull-requests: read engine: claude --- diff --git a/pkg/workflow/reaction_none_test.go b/pkg/workflow/reaction_none_test.go index e63b0d4044b..10efde0a5fb 100644 --- a/pkg/workflow/reaction_none_test.go +++ b/pkg/workflow/reaction_none_test.go @@ -25,6 +25,8 @@ on: reaction: none permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: add-comment: @@ -108,6 +110,8 @@ on: name: test-bot permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: add-comment: @@ -193,6 +197,8 @@ on: reaction: rocket permissions: contents: read + issues: read + pull-requests: read engine: copilot safe-outputs: add-comment: 
diff --git a/pkg/workflow/reaction_outputs_test.go b/pkg/workflow/reaction_outputs_test.go index 307b9602421..bb61701f385 100644 --- a/pkg/workflow/reaction_outputs_test.go +++ b/pkg/workflow/reaction_outputs_test.go @@ -111,7 +111,6 @@ permissions: contents: read issues: write pull-requests: write ---- # Test Workflow diff --git a/pkg/workflow/redact_secrets_test.go b/pkg/workflow/redact_secrets_test.go index 54f43cd27c8..cc58d445194 100644 --- a/pkg/workflow/redact_secrets_test.go +++ b/pkg/workflow/redact_secrets_test.go @@ -90,6 +90,8 @@ func TestSecretRedactionStepGeneration(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot --- diff --git a/pkg/workflow/repository_features_validation_integration_test.go b/pkg/workflow/repository_features_validation_integration_test.go index 24d169f2405..3f9233761cf 100644 --- a/pkg/workflow/repository_features_validation_integration_test.go +++ b/pkg/workflow/repository_features_validation_integration_test.go @@ -132,6 +132,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read safe-outputs: create-discussion: category: "General" diff --git a/pkg/workflow/runtime_integration_test.go b/pkg/workflow/runtime_integration_test.go index 55a94eb5a83..b162ae12504 100644 --- a/pkg/workflow/runtime_integration_test.go +++ b/pkg/workflow/runtime_integration_test.go @@ -20,6 +20,8 @@ func TestCompileWorkflowWithRuntimes(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot runtimes: node: @@ -109,6 +111,8 @@ runtimes: on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot imports: - shared/shared-runtimes.md @@ -195,6 +199,8 @@ func TestCompileWorkflowWithRuntimesAppliedToSteps(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot steps: - name: Install dependencies 
@@ -251,6 +257,8 @@ func TestCompileWorkflowWithCustomActionRepo(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot steps: - name: Install dependencies diff --git a/pkg/workflow/search_integration_test.go b/pkg/workflow/search_integration_test.go index 12e2539379a..bbc9363abab 100644 --- a/pkg/workflow/search_integration_test.go +++ b/pkg/workflow/search_integration_test.go @@ -20,6 +20,8 @@ func TestWebSearchValidationForCopilot(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: copilot tools: web-search: @@ -86,6 +88,8 @@ func TestWebSearchValidationForClaude(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: claude tools: web-search: @@ -139,6 +143,8 @@ func TestWebSearchValidationForCodex(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: codex tools: web-search: @@ -181,6 +187,8 @@ func TestNoWebSearchNoValidation(t *testing.T) { on: workflow_dispatch permissions: contents: read + issues: read + pull-requests: read engine: copilot tools: github: diff --git a/pkg/workflow/source_field_test.go b/pkg/workflow/source_field_test.go index ad17432c3d2..ee1024f3789 100644 --- a/pkg/workflow/source_field_test.go +++ b/pkg/workflow/source_field_test.go @@ -33,6 +33,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read engine: claude tools: github: @@ -50,6 +52,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read engine: claude tools: github: @@ -66,6 +70,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read engine: claude tools: github: @@ -84,6 +90,8 @@ on: branches: [main] permissions: contents: read + issues: read + pull-requests: read engine: claude tools: github: 
diff --git a/pkg/workflow/step_summary_test.go b/pkg/workflow/step_summary_test.go index 22cdc6351a2..354ca486e74 100644 --- a/pkg/workflow/step_summary_test.go +++ b/pkg/workflow/step_summary_test.go @@ -21,6 +21,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] @@ -83,6 +84,7 @@ on: push permissions: contents: read issues: write + pull-requests: read tools: github: allowed: [list_issues] diff --git a/pkg/workflow/strict_mode_test.go b/pkg/workflow/strict_mode_test.go index d81ef23ed9f..35f9eaf51ae 100644 --- a/pkg/workflow/strict_mode_test.go +++ b/pkg/workflow/strict_mode_test.go @@ -20,6 +20,8 @@ func TestStrictModeTimeout(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: @@ -35,6 +37,8 @@ network: on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot network: @@ -108,6 +112,8 @@ network: on: push permissions: contents: write + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot --- @@ -203,6 +209,8 @@ network: on: push permissions: contents: write # NOT IN STRICT MODE + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot --- @@ -256,6 +264,8 @@ func TestStrictModeNetwork(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot network: defaults @@ -270,6 +280,8 @@ network: defaults on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot network: @@ -287,6 +299,8 @@ network: on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot network: @@ -304,6 +318,8 @@ network: on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot network: {} 
@@ -357,6 +373,8 @@ func TestStrictModeMCPNetwork(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot tools: @@ -413,6 +431,8 @@ func TestStrictModeBashTools(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot tools: @@ -431,6 +451,8 @@ network: on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot tools: @@ -449,6 +471,8 @@ network: on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot tools: @@ -467,6 +491,8 @@ network: on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot tools: @@ -486,6 +512,8 @@ network: on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot tools: @@ -505,6 +533,8 @@ network: on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot tools: @@ -524,6 +554,8 @@ network: on: push permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot tools: @@ -580,6 +612,7 @@ on: push permissions: contents: write issues: write + pull-requests: read engine: copilot network: allowed: @@ -622,6 +655,8 @@ on: push strict: true permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: @@ -638,6 +673,8 @@ on: push strict: false permissions: contents: write + issues: read + pull-requests: read engine: copilot --- @@ -651,6 +688,8 @@ on: push strict: true permissions: contents: read + issues: read + pull-requests: read timeout_minutes: 10 engine: copilot network: @@ -667,6 +706,8 @@ network: on: push permissions: contents: write + issues: read + pull-requests: read engine: copilot --- 
@@ -712,6 +753,8 @@ on: push strict: false permissions: contents: write + issues: read + pull-requests: read engine: copilot --- @@ -754,6 +797,8 @@ on: push strict: true permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: @@ -767,6 +812,8 @@ network: on: push permissions: contents: write + issues: read + pull-requests: read engine: copilot --- @@ -812,6 +859,8 @@ func TestStrictModeAllowsGitHubWorkflowExpression(t *testing.T) { on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: @@ -830,6 +879,8 @@ The workflow name is: ${{ github.workflow }}`, on: push permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: @@ -847,6 +898,8 @@ Using github.workflow in a condition: ${{ github.workflow == 'my-workflow' && gi on: issues permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: diff --git a/pkg/workflow/strict_mode_zizmor_test.go b/pkg/workflow/strict_mode_zizmor_test.go index 0359818db76..998fb7d2717 100644 --- a/pkg/workflow/strict_mode_zizmor_test.go +++ b/pkg/workflow/strict_mode_zizmor_test.go @@ -24,6 +24,8 @@ on: push strict: true permissions: contents: read + issues: read + pull-requests: read engine: copilot network: allowed: diff --git a/pkg/workflow/template_expression_integration_test.go b/pkg/workflow/template_expression_integration_test.go index 00221958599..7af7c559158 100644 --- a/pkg/workflow/template_expression_integration_test.go +++ b/pkg/workflow/template_expression_integration_test.go @@ -27,6 +27,7 @@ on: permissions: contents: read issues: write + pull-requests: read engine: claude --- @@ -129,6 +130,8 @@ func TestTemplateExpressionAlreadyWrapped(t *testing.T) { on: issues permissions: contents: read + issues: read + pull-requests: read engine: claude --- 
@@ -192,6 +195,8 @@ func TestTemplateWithMixedExpressionsAndLiterals(t *testing.T) { on: issues permissions: contents: read + issues: read + pull-requests: read engine: claude --- diff --git a/pkg/workflow/template_rendering_test.go b/pkg/workflow/template_rendering_test.go index 75a6c21a14f..c580370a8e1 100644 --- a/pkg/workflow/template_rendering_test.go +++ b/pkg/workflow/template_rendering_test.go @@ -20,6 +20,8 @@ func TestTemplateRenderingStep(t *testing.T) { on: issues permissions: contents: read + issues: read + pull-requests: read tools: github: allowed: [list_issues] @@ -125,6 +127,8 @@ func TestTemplateRenderingStepSkipped(t *testing.T) { on: issues permissions: contents: read + issues: read + pull-requests: read tools: edit: web-fetch: @@ -182,6 +186,8 @@ func TestTemplateRenderingStepWithGitHubTool(t *testing.T) { on: issues permissions: contents: read + issues: read + pull-requests: read tools: github: allowed: [list_issues] diff --git a/pkg/workflow/trial_issue_mode_test.go b/pkg/workflow/trial_issue_mode_test.go index 9b3afcef4f8..f5699a23a31 100644 --- a/pkg/workflow/trial_issue_mode_test.go +++ b/pkg/workflow/trial_issue_mode_test.go @@ -194,6 +194,8 @@ on: types: [created, edited] permissions: contents: read + issues: read + pull-requests: read engine: claude --- diff --git a/pkg/workflow/trial_mode_test.go b/pkg/workflow/trial_mode_test.go index f2800b54d0d..ccca74784dc 100644 --- a/pkg/workflow/trial_mode_test.go +++ b/pkg/workflow/trial_mode_test.go @@ -13,6 +13,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: claude safe-outputs: create-pull-request: {} @@ -203,6 +205,8 @@ on: workflow_dispatch: permissions: contents: read + issues: read + pull-requests: read engine: claude ` if tc.safeOutputs != "" { diff --git a/pkg/workflow/update_issue_test.go b/pkg/workflow/update_issue_test.go index 7d4218fec43..45863998051 100644 --- a/pkg/workflow/update_issue_test.go 
+++ b/pkg/workflow/update_issue_test.go @@ -22,6 +22,7 @@ on: permissions: contents: read issues: write + pull-requests: read engine: claude safe-outputs: update-issue: @@ -92,6 +93,7 @@ on: permissions: contents: read issues: write + pull-requests: read engine: claude safe-outputs: update-issue: @@ -167,6 +169,7 @@ on: permissions: contents: read issues: write + pull-requests: read engine: claude safe-outputs: update-issue: