
Remove features.copilot-requests; gate Copilot token mode on permissions.copilot-requests: write, add migration codemod, and apply migration across repo workflows#35642

Merged: pelikhan merged 14 commits into main from copilot/remove-features-copilot-requests-field on May 29, 2026

Conversation

Contributor

Copilot AI commented May 29, 2026

copilot-requests is no longer an opt-in feature flag. This change moves enablement to explicit workflow permissions so Copilot inference via github.token is controlled by permissions.copilot-requests: write.

  • Behavior change (source of truth)

    • Replaced feature-flag checks with permission-based checks for Copilot token selection and secret-validation bypass.
    • Copilot/universal engine paths now treat copilot-requests: write as the switch for using ${{ github.token }} and enabling S2STOKENS=true.
  • Permission handling

    • Removed default-time injection of copilot-requests: write from features.copilot-requests.
    • Preserved explicit-empty permissions behavior (permissions: {}) without feature-specific exceptions.
  • Schema and diagnostics

    • Added copilot-requests to workflow permission schema (allowed values: write | none).
    • Updated unknown-permission-scope help text/suggestions so copilot-requests is recognized in validation errors.
  • Codemod migration

    • Added a gh aw fix codemod to migrate legacy features.copilot-requests.
    • The codemod removes features.copilot-requests and, when enabled, adds permissions.copilot-requests: write in safe frontmatter layouts.
    • Included focused tests and codemod registry wiring so migration is automatically available with existing fix flows.
  • Repository migration + recompilation

    • Applied codemods to repository workflows (.github/workflows and shared workflow frontmatter where applicable).
    • Recompiled workflows to refresh generated .lock.yml outputs.
    • Added permissions.copilot-requests: write to workflows importing shared security analysis where compile-time permission requirements surfaced.
  • Cleanup

    • Removed the CopilotRequestsFeatureFlag constant and updated references/comments/tests that described feature-based activation.
permissions:
  contents: read
  copilot-requests: write

Copilot AI and others added 3 commits May 29, 2026 05:43
Copilot AI changed the title Remove features.copilot-requests frontmatter gating Remove features.copilot-requests; gate Copilot token mode on permissions.copilot-requests: write May 29, 2026
Copilot AI requested a review from pelikhan May 29, 2026 05:55
@pelikhan
Collaborator

@copilot add codemods to convert features.copilot-requests

Copilot AI and others added 2 commits May 29, 2026 06:02
Contributor Author

Copilot AI commented May 29, 2026

@copilot add codemods to convert features.copilot-requests

Implemented in 27b1c82.

Added a new gh aw fix codemod that migrates features.copilot-requests by removing the deprecated feature flag and adding permissions.copilot-requests: write when the legacy flag is enabled. Also registered it in the codemod registry and added focused tests.

Copilot AI changed the title Remove features.copilot-requests; gate Copilot token mode on permissions.copilot-requests: write Remove features.copilot-requests; gate Copilot token mode on permissions.copilot-requests: write and add migration codemod May 29, 2026
@pelikhan
Collaborator

@copilot update the secret validation logic since copilot_github_token does not need to be validated when using copilot-requests:write

Contributor Author

Copilot AI commented May 29, 2026

@copilot update the secret validation logic since copilot_github_token does not need to be validated when using copilot-requests:write

Updated in c93b8c4. Secret requirement discovery now skips COPILOT_GITHUB_TOKEN when workflow frontmatter sets permissions.copilot-requests: write, so bootstrap/validation no longer asks for that token in this mode.

@pelikhan
Collaborator

@copilot apply codemods to this repo and recompile.

Contributor Author

Copilot AI commented May 29, 2026

@copilot apply codemods to this repo and recompile.

Done in e27eefc. I ran gh aw fix --write across the repo workflows (including shared workflows), then recompiled with gh aw compile and committed the updated markdown/lock files.

Copilot AI changed the title Remove features.copilot-requests; gate Copilot token mode on permissions.copilot-requests: write and add migration codemod Remove features.copilot-requests; gate Copilot token mode on permissions.copilot-requests: write, add migration codemod, and apply migration across repo workflows May 29, 2026
COPILOT_AGENT_RUNNER_TYPE: STANDALONE
COPILOT_DUMMY_BYOK: dummy-byok-key-for-offline-mode
COPILOT_GITHUB_TOKEN: ${{ github.token }}
COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
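Review bot: the two COPILOT_GITHUB_TOKEN lines disagree on the token source inside one compiled workflow: one step receives ${{ github.token }} while the other still reads ${{ secrets.COPILOT_GITHUB_TOKEN }}. Since this workflow grants copilot-requests: write, both should resolve to github.token; the secrets reference indicates that the step which rendered it does not see the workflow's permissions when the token source is selected, so the permission gate needs to be applied on that path as well.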
Collaborator


@copilot since this aw has copilot-requests: write, this should have been github.token

Contributor Author


Fixed in ff281a3. Detection execution now inherits workflow permissions, so with copilot-requests: write it renders COPILOT_GITHUB_TOKEN: ${{ github.token }} (including this workflow’s detection step).

Copilot AI requested a review from pelikhan May 29, 2026 14:54
@pelikhan
Collaborator

@copilot make merge-main

Copilot AI and others added 2 commits May 29, 2026 15:03
Contributor Author

Copilot AI commented May 29, 2026

@copilot make merge-main

Done in af3fa09167 (merged origin/main into this branch via make merge-main, resolved conflicts, then rebuilt/recompiled/formatted).

@pelikhan pelikhan marked this pull request as ready for review May 29, 2026 15:14
Copilot AI review requested due to automatic review settings May 29, 2026 15:14
Contributor

Copilot AI left a comment


Pull request overview

Migrates Copilot “token mode” enablement from the legacy features.copilot-requests flag to an explicit workflow permission gate (permissions.copilot-requests: write), updates engines/validation/schema accordingly, and applies the migration across repository workflows (with regenerated .lock.yml outputs).

Changes:

  • Replaced feature-flag checks with copilot-requests: write permission checks for selecting ${{ github.token }} and skipping Copilot secret validation.
  • Extended workflow permission schema/diagnostics to recognize copilot-requests and added a gh aw fix codemod to migrate frontmatter.
  • Updated many repo workflows/shared imports to remove features.copilot-requests and add permissions.copilot-requests: write, then recompiled lockfiles.
Summary per file (path followed by description):
pkg/workflow/universal_llm_consumer_engine.go Gate universal backend profile selection on copilot-requests: write.
pkg/workflow/tools.go Remove feature-based permission injection; preserve explicit-empty permissions.
pkg/workflow/threat_detection.go Propagate permissions/cached permissions into detection-run workflow data; gate detection job copilot permission on write scope.
pkg/workflow/threat_detection_test.go Update tests to assert permission-driven behavior and token source.
pkg/workflow/pi_engine.go Gate universal backend profile selection on copilot-requests: write.
pkg/workflow/permissions.go Update Copilot permission scope docs; keep scope recognized even if excluded from read-all expansion.
pkg/workflow/permissions_operations.go Add helper hasCopilotRequestsWritePermission.
pkg/workflow/opencode_engine.go Update docs/comments to permission-based switch.
pkg/workflow/engine_validation.go Update comments describing secret-validation gating.
pkg/workflow/crush_engine.go Update docs/comments to permission-based switch.
pkg/workflow/crush_engine_test.go Update tests to use permissions.copilot-requests: write.
pkg/workflow/copilot_engine_installation.go Skip Copilot token validation step based on permission gate.
pkg/workflow/copilot_engine_execution.go Use permission gate to select ${{ github.token }} + set S2STOKENS=true.
pkg/workflow/compiler_permissions_test.go Update permissions-merging tests to explicit permission map + copilot scope.
pkg/parser/schemas/main_workflow_schema.json Add permissions.copilot-requests (write/none).
pkg/parser/schema_errors.go Include copilot-requests in known-scope suggestions/help text.
pkg/constants/spec_test.go Remove spec expectation for removed feature flag constant.
pkg/constants/README.md Remove documentation line for removed feature flag constant.
pkg/constants/feature_constants.go Remove CopilotRequestsFeatureFlag constant.
pkg/cli/workflow_secrets.go Adjust secret extraction to understand permission-gated Copilot token usage.
pkg/cli/workflow_secrets_test.go Add test for Copilot engine + permission gate removing token requirement.
pkg/cli/fix_codemods.go Register new copilot-requests migration codemod.
pkg/cli/fix_codemods_test.go Assert codemod presence and ordering.
pkg/cli/codemod_copilot_requests_feature.go New codemod: migrate features.copilot-requests → permissions.copilot-requests: write.
pkg/cli/codemod_copilot_requests_feature_test.go Tests for copilot-requests migration codemod behavior.
.github/workflows/test-quality-sentinel.md Remove feature flag; add copilot-requests: write.
.github/workflows/test-quality-sentinel.lock.yml Regenerated compiled workflow output.
.github/workflows/stale-pr-cleanup.md Remove feature flag; add copilot-requests: write.
.github/workflows/stale-pr-cleanup.lock.yml Regenerated compiled workflow output.
.github/workflows/spec-librarian.md Remove feature flag; add copilot-requests: write.
.github/workflows/spec-extractor.md Remove feature flag; add copilot-requests: write.
.github/workflows/smoke-update-cross-repo-pr.md Remove feature flag; add copilot-requests: write.
.github/workflows/smoke-create-cross-repo-pr.md Remove feature flag; add copilot-requests: write.
.github/workflows/shared/security-analysis-base.md Replace feature flag with explicit permissions (incl. copilot scope).
.github/workflows/shared/pr-code-review-config.md Add baseline permissions to shared PR review config.
.github/workflows/shared/go-source-analysis.md Normalize YAML formatting for imports/tools list.
.github/workflows/shared/genaiscript.md Reformat steps indentation/structure for clarity/consistency.
.github/workflows/shared/app-config.md Update GitHub App config key to client-id.
.github/workflows/security-review.md Add copilot-requests: write.
.github/workflows/refactoring-cadence.md Remove feature flag; add copilot-requests: write.
.github/workflows/refactoring-cadence.lock.yml Regenerated compiled workflow output.
.github/workflows/pr-sous-chef.md Remove feature flag; add copilot-requests: write.
.github/workflows/linter-miner.md Remove feature flag; add copilot-requests: write.
.github/workflows/hippo-embed.md Remove feature flag; add copilot-requests: write.
.github/workflows/firewall-escape.md Remove feature flag; add copilot-requests: write.
.github/workflows/firewall-escape.lock.yml Regenerated compiled workflow output.
.github/workflows/draft-pr-cleanup.md Remove feature flag; add copilot-requests: write.
.github/workflows/draft-pr-cleanup.lock.yml Regenerated compiled workflow output.
.github/workflows/docs-noob-tester.md Remove feature flag; add copilot-requests: write.
.github/workflows/docs-noob-tester.lock.yml Regenerated compiled workflow output.
.github/workflows/discussion-task-miner.md Remove feature flag; add copilot-requests: write.
.github/workflows/discussion-task-miner.lock.yml Regenerated compiled workflow output.
.github/workflows/dictation-prompt.md Remove feature flag; add copilot-requests: write.
.github/workflows/dev-hawk.md Remove feature flag; add copilot-requests: write.
.github/workflows/dev-hawk.lock.yml Regenerated compiled workflow output.
.github/workflows/delight.md Remove feature flag; add copilot-requests: write.
.github/workflows/delight.lock.yml Regenerated compiled workflow output.
.github/workflows/dead-code-remover.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-workflow-updater.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-testify-uber-super-expert.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-syntax-error-quality.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-syntax-error-quality.lock.yml Regenerated compiled workflow output.
.github/workflows/daily-spdd-spec-planner.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-spdd-spec-planner.lock.yml Regenerated compiled workflow output.
.github/workflows/daily-semgrep-scan.md Add copilot-requests: write.
.github/workflows/daily-semgrep-scan.lock.yml Regenerated compiled workflow output.
.github/workflows/daily-security-red-team.md Add copilot-requests: write.
.github/workflows/daily-secrets-analysis.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-secrets-analysis.lock.yml Regenerated compiled workflow output.
.github/workflows/daily-safe-output-integrator.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-repo-chronicle.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-news.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-mcp-concurrency-analysis.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-malicious-code-scan.md Add copilot-requests: write.
.github/workflows/daily-malicious-code-scan.lock.yml Regenerated compiled workflow output.
.github/workflows/daily-hippo-learn.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-geo-optimizer.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-geo-optimizer.lock.yml Regenerated compiled workflow output.
.github/workflows/daily-file-diet.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-experiment-report.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-compiler-quality.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-cli-performance.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-assign-issue-to-user.md Remove feature flag; add copilot-requests: write.
.github/workflows/daily-assign-issue-to-user.lock.yml Regenerated compiled workflow output.
.github/workflows/daily-architecture-diagram.md Remove feature flag; add copilot-requests: write.
.github/workflows/craft.md Remove feature flag; add copilot-requests: write.
.github/workflows/copilot-pr-prompt-analysis.md Remove feature flag; add copilot-requests: write.
.github/workflows/copilot-pr-nlp-analysis.md Remove feature flag; add copilot-requests: write.
.github/workflows/copilot-pr-merged-report.md Remove feature flag; add copilot-requests: write.
.github/workflows/copilot-pr-merged-report.lock.yml Regenerated compiled workflow output.
.github/workflows/copilot-cli-deep-research.md Remove feature flag; add copilot-requests: write.
.github/workflows/copilot-cli-deep-research.lock.yml Regenerated compiled workflow output.
.github/workflows/code-scanning-fixer.md Add copilot-requests: write.
.github/workflows/cli-consistency-checker.md Remove feature flag; add copilot-requests: write.
.github/workflows/cli-consistency-checker.lock.yml Regenerated compiled workflow output.
.github/workflows/claude-code-user-docs-review.md Remove feature flag; add copilot-requests: write.
.github/workflows/ci-coach.md Remove feature flag; add copilot-requests: write.
.github/workflows/breaking-change-checker.md Remove feature flag; add copilot-requests: write.
.github/workflows/breaking-change-checker.lock.yml Regenerated compiled workflow output.
.github/workflows/brave.md Remove feature flag; add copilot-requests: write.
.github/workflows/brave.lock.yml Regenerated compiled workflow output.
.github/workflows/auto-triage-issues.md Remove feature flag; add copilot-requests: write.
.github/workflows/auto-triage-issues.lock.yml Regenerated compiled workflow output.
.github/workflows/artifacts-summary.md Remove feature flag; add copilot-requests: write.
.github/workflows/artifacts-summary.lock.yml Regenerated compiled workflow output.
.github/workflows/architecture-guardian.md Remove feature flag; add copilot-requests: write.
.github/workflows/architecture-guardian.lock.yml Regenerated compiled workflow output.
.github/workflows/archie.md Remove feature flag; add copilot-requests: write.
.github/workflows/archie.lock.yml Regenerated compiled workflow output.
.github/workflows/agent-performance-analyzer.md Remove feature flag; add copilot-requests: write.
.github/workflows/ab-testing-advisor.md Remove feature flag; add copilot-requests: write.
.github/workflows/ab-testing-advisor.lock.yml Regenerated compiled workflow output.

Copilot's findings


  • Files reviewed: 145/146 changed files
  • Comments generated: 2

Comment thread pkg/cli/workflow_secrets.go Outdated
Comment on lines +82 to +84
if engine == string(constants.CopilotEngine) && hasCopilotRequestsWritePermission(frontmatter) {
reqs = filterOutSecretRequirement(reqs, "COPILOT_GITHUB_TOKEN")
}
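Review bot: the bypass on line +82 is keyed on engine == CopilotEngine, so any other engine whose primary secret is COPILOT_GITHUB_TOKEN still has that token demanded even when copilot-requests: write is granted, which contradicts the permission-based switch the engines themselves now use. Gate on the engine's primary secret name instead, i.e. resolve the engine's option and compare its secret with "COPILOT_GITHUB_TOKEN" before calling filterOutSecretRequirement, and add a test for each engine that shares the token.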
Collaborator


@copilot fix this issue for other engines

Contributor Author


Fixed. The engine check now uses GetEngineOption to test whether an engine's primary secret is COPILOT_GITHUB_TOKEN, so opencode, crush, and pi all correctly bypass the token requirement when permissions.copilot-requests: write is set. Added tests for each of the three engines.

Comment on lines +127 to +139
trimmedPermissionsLine := strings.TrimSpace(lines[permissionsIdx])
inlineValue := strings.TrimSpace(strings.TrimPrefix(trimmedPermissionsLine, "permissions:"))
if inlineValue != "" && !strings.HasPrefix(inlineValue, "#") {
if inlineValue == "{}" {
result := make([]string, 0, len(lines)+1)
result = append(result, lines[:permissionsIdx]...)
result = append(result, permissionsIndent+"permissions:")
result = append(result, permissionsIndent+" copilot-requests: write")
result = append(result, lines[permissionsIdx+1:]...)
return result
}
return lines
}
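Review bot: the equality check `if inlineValue == "{}"` misses an explicit-empty map that carries a trailing comment, e.g. `permissions: {} # no scopes`; the guard above only rejects values that start with "#", so that line falls through to `return lines` and the workflow is silently left unmigrated with no diagnostic. Strip an inline comment from inlineValue (cut at the first "#" and TrimSpace) before the comparison, and cover that input with a test in codemod_copilot_requests_feature_test.go.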
@pelikhan
Collaborator

@copilot review all comments

Copilot AI and others added 2 commits May 29, 2026 15:42
…en copilot-requests: write is set

@github-actions
Contributor

@copilot please refresh the branch and rerun checks after the merge-main sync.

Generated by 👨‍🍳 PR Sous Chef · gpt54 18.5M ·

Copilot AI and others added 2 commits May 29, 2026 15:50
Contributor Author

Copilot AI commented May 29, 2026

@copilot review all comments

Reviewed all comments and addressed the remaining issue. Fixed the codemod to handle permissions: {} # comment syntax by stripping inline comments before checking if the value is {}. Also extended the secret validation bypass to work for opencode, crush, and pi engines when copilot-requests: write is set, not just the copilot engine.
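Taking the codemod discussed in this thread (the migration from the PR description and the permissions: {} # comment fix) as the topic, here is a hypothetical Go implementation added as an example; it is not gh-aw's own codemod. It assumes frontmatter arrives as top-level YAML lines with two-space indentation, strips inline comments before recognising the explicit-empty map, and refuses to rewrite scalar layouts such as permissions: read-all.

```go
package main

import "strings"

// stripComment drops an inline YAML comment ("{} # note" -> "{}").
func stripComment(v string) string {
	if i := strings.Index(v, "#"); i >= 0 {
		v = v[:i]
	}
	return strings.TrimSpace(v)
}

// insertAt returns a copy of lines with l inserted at index idx.
func insertAt(lines []string, idx int, l string) []string {
	return append(lines[:idx:idx], append([]string{l}, lines[idx:]...)...)
}

// migrateCopilotRequests is a hypothetical line-based codemod (not gh-aw's own
// code): it drops features.copilot-requests and, if that flag was true, adds
// copilot-requests: write under permissions; unsafe layouts return (input, false).
func migrateCopilotRequests(lines []string) ([]string, bool) {
	enabled, permIdx, out := false, -1, make([]string, 0, len(lines)+2)
	for i := 0; i < len(lines); i++ {
		if strings.HasPrefix(lines[i], "permissions:") {
			permIdx = len(out) // remember where the top-level permissions key lands
		}
		if lines[i] != "features:" {
			out = append(out, lines[i])
			continue
		}
		var kept []string // other flags under features: survive the migration
		j := i + 1
		for ; j < len(lines) && strings.HasPrefix(lines[j], " "); j++ {
			key, val, _ := strings.Cut(strings.TrimSpace(lines[j]), ":")
			if key == "copilot-requests" {
				enabled = stripComment(val) == "true"
				continue // drop the legacy flag
			}
			kept = append(kept, lines[j])
		}
		if len(kept) > 0 { // keep "features:" only if something remains under it
			out = append(append(out, lines[i]), kept...)
		}
		i = j - 1
	}
	if !enabled {
		return out, len(out) != len(lines)
	}
	if permIdx < 0 { // no permissions block at all: append one
		return append(out, "permissions:", "  copilot-requests: write"), true
	}
	inline := stripComment(strings.TrimPrefix(out[permIdx], "permissions:"))
	if inline == "{}" { // explicit-empty map, with or without a trailing comment
		out[permIdx] = "permissions:"
		return insertAt(out, permIdx+1, "  copilot-requests: write"), true
	}
	if inline != "" { // scalar such as read-all: not a safe layout to rewrite
		return lines, false
	}
	end := permIdx + 1 // block form: append after the last existing scope
	for end < len(out) && strings.HasPrefix(out[end], " ") {
		end++
	}
	return insertAt(out, end, "  copilot-requests: write"), true
}
```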

@pelikhan pelikhan merged commit f5e2750 into main May 29, 2026
@pelikhan pelikhan deleted the copilot/remove-features-copilot-requests-field branch May 29, 2026 15:52