From f37b3377df6a3a42f3ed8b5d6c9ccce62b9c87e0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 12:36:07 +0000
Subject: [PATCH 1/3] Initial plan
From e63478e19d1a5dda5e4284723d87dd8cc98efcb4 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 12:49:13 +0000
Subject: [PATCH 2/3] chore: start plan for vulnerability-alerts schema fix
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/715ef806-e246-4d70-b135-a9167e447f12
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/cli/spec_test.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/pkg/cli/spec_test.go b/pkg/cli/spec_test.go
index c6b739b93f..f46eabc88e 100644
--- a/pkg/cli/spec_test.go
+++ b/pkg/cli/spec_test.go
@@ -1117,11 +1117,11 @@ func TestSpec_PublicAPI_ValidateWorkflowIntent(t *testing.T) {
 // Spec: "Sets a field in frontmatter YAML"
 func TestSpec_PublicAPI_UpdateFieldInFrontmatter(t *testing.T) {
 tests := []struct {
- name string
- content string
- fieldName string
- fieldValue string
- wantErr bool
+ name string
+ content string
+ fieldName string
+ fieldValue string
+ wantErr bool
 checkContains string
 }{
 {
From 2cf24246f1b93f5a01d7b7470223310bbfc4af9e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 23 Apr 2026 12:58:55 +0000
Subject: [PATCH 3/3] fix: allow vulnerability-alerts in patched GitHub Actions schema
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/715ef806-e246-4d70-b135-a9167e447f12
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 Makefile | 6 +++---
 pkg/cli/spec_test.go | 10 +++++-----
 pkg/workflow/schema_validation_test.go | 15 +++++++++++++++
 pkg/workflow/schemas/github-workflow.json | 4 ++++
 4 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index d649a01dcc..751c79fd27 100644
--- a/Makefile
+++ b/Makefile
@@ -472,13 +472,13 @@ download-github-actions-schema:
 # This must be run after download-github-actions-schema to preserve local additions.
 .PHONY: patch-github-actions-schema
 patch-github-actions-schema:
- @echo "Patching GitHub Actions schema with copilot-requests permission..."
+ @echo "Patching GitHub Actions schema with custom permissions..."
 @tmpfile=$$(mktemp) && \
- jq '.definitions["permissions-event"].properties["copilot-requests"] = {"type": "string", "enum": ["write", "none"]}' \
+ jq '.definitions["permissions-event"].properties += {"copilot-requests": {"type": "string", "enum": ["write", "none"]}, "vulnerability-alerts": {"type": "string", "enum": ["read", "none"]}}' \
 pkg/workflow/schemas/github-workflow.json > "$$tmpfile" && \
 mv "$$tmpfile" pkg/workflow/schemas/github-workflow.json
 @cd actions/setup/js && npm run format:schema >/dev/null 2>&1
- @echo "✓ Patched GitHub Actions schema with copilot-requests permission"
+ @echo "✓ Patched GitHub Actions schema with custom permissions"
 # Run linter (full repository scan)
 .PHONY: golint
diff --git a/pkg/cli/spec_test.go b/pkg/cli/spec_test.go
index f46eabc88e..c6b739b93f 100644
--- a/pkg/cli/spec_test.go
+++ b/pkg/cli/spec_test.go
@@ -1117,11 +1117,11 @@ func TestSpec_PublicAPI_ValidateWorkflowIntent(t *testing.T) {
 // Spec: "Sets a field in frontmatter YAML"
 func TestSpec_PublicAPI_UpdateFieldInFrontmatter(t *testing.T) {
 tests := []struct {
- name string
- content string
- fieldName string
- fieldValue string
- wantErr bool
+ name string
+ content string
+ fieldName string
+ fieldValue string
+ wantErr bool
 checkContains string
 }{
 {
diff --git a/pkg/workflow/schema_validation_test.go b/pkg/workflow/schema_validation_test.go
index b6ff913d53..27946f8407 100644
--- a/pkg/workflow/schema_validation_test.go
+++ b/pkg/workflow/schema_validation_test.go
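Review bot: The new `jq '.definitions["permissions-event"].properties += {…}'` line succeeds silently when a freshly downloaded upstream schema no longer has a `permissions-event` definition, because in jq `null + {…}` yields the object and the assignment then creates the missing path, so the recipe prints its "✓ Patched" message while the definition that actually governs `permissions:` stays unpatched and the `copilot-requests`/`vulnerability-alerts` keys would presumably be rejected again at validation time. A guard such as `.definitions["permissions-event"].properties |= (if . == null then error("permissions-event.properties not found in upstream schema") else . + {…} end)`, with the same object literal the hunk already passes, makes a schema rename fail the target instead of producing a stale file. Object `+` is also right-biased, so if upstream later ships its own `vulnerability-alerts` entry with a different set of levels the local patch overwrites it; a comment above the call, `# Local additions replace any upstream definition of the same key; revisit if upstream adds these permissions.`, would record that choice for the next person who re-runs download-github-actions-schema.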
@@ -210,6 +210,21 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - run: echo hello
+`,
+ expectError: false,
+ },
+ {
+ name: "vulnerability-alerts permission in job permissions passes",
+ yamlContent: `
+name: Test
+on: push
+jobs:
+ test:
+ permissions:
+ vulnerability-alerts: read
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo hello
 `,
 expectError: false,
 },
diff --git a/pkg/workflow/schemas/github-workflow.json b/pkg/workflow/schemas/github-workflow.json
index e3437f83ba..c2f1f43220 100644
--- a/pkg/workflow/schemas/github-workflow.json
+++ b/pkg/workflow/schemas/github-workflow.json
@@ -281,6 +281,10 @@
 "copilot-requests": {
 "type": "string",
 "enum": ["write", "none"]
+ },
+ "vulnerability-alerts": {
+ "type": "string",
+ "enum": ["read", "none"]
 }
 }
 },
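Review bot: The new table entry only checks that `vulnerability-alerts: read` passes; nothing asserts that the enum the schema patch adds (`read`, `none`) rejects other levels, so a regression that widens or drops the enum would go unnoticed. A negative case with `vulnerability-alerts: write` and `expectError: true` pins the restriction, assuming the validator under test reports enum violations as errors the way the other failing cases in this table do (the table and the enclosing test function start outside the hunk). If `write` turns out to be a legitimate level for this permission, the enum in the Makefile patch and the committed schema is what needs changing, not the test.
```go
		// … unchanged: existing cases, including "vulnerability-alerts permission in job permissions passes" …
		{
			name: "vulnerability-alerts permission with unsupported level fails",
			yamlContent: `
name: Test
on: push
jobs:
  test:
    permissions:
      vulnerability-alerts: write
    runs-on: ubuntu-latest
    steps:
      - run: echo hello
`,
			expectError: true,
		},
```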
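Review bot: The new `vulnerability-alerts` property carries no `description`, so a reader of the schema (or of a validation error quoting it) cannot tell that this entry is a local addition re-applied by the Makefile's `patch-github-actions-schema` target rather than part of the upstream schema, nor why `read` and `none` are the only levels while the neighbouring `copilot-requests` entry allows `write`. A `"description": "gh-aw local addition (see Makefile target patch-github-actions-schema); accepted levels are read and none."` line inside the new object would document that. Because this file appears to be regenerated by the jq filter in the Makefile, the same key has to be added to the object literal there as well, or the next run of the target silently drops it.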