fix: wire GH_AW_COPILOT_SDK_SERVER_ARGS into SDK driver permission config #37240
Merged
…outputs permissions Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "fix: parse GH_AW_COPILOT_SDK_SERVER_ARGS in SDK driver to enable safeoutputs permissions" to "fix: wire GH_AW_COPILOT_SDK_SERVER_ARGS into SDK driver permission config" on Jun 6, 2026
Copilot created this pull request from a session on behalf of pelikhan, June 6, 2026 02:59
pelikhan approved these changes on Jun 6, 2026
Pull request overview
This PR fixes a permissions wiring gap in the Copilot SDK driver by reading GH_AW_COPILOT_SDK_SERVER_ARGS and converting the sidecar’s --allow-tool / --allow-all-tools flags into the SDK session’s permission configuration, ensuring onPermissionRequest is correctly applied.
Changes:
- Add `parsePermissionConfigFromServerArgs(serverArgsJson)` to parse permission-related flags out of the JSON-encoded sidecar args array.
- Wire the parsed `permissionConfig` into `main()` so `runWithCopilotSDK()` can install the correct `onPermissionRequest` policy.
- Add unit tests covering invalid inputs, `--allow-all-tools` precedence, and multiple `--allow-tool` cases including `shell(safeoutputs:*)`.
| File | Description |
|---|---|
| actions/setup/js/copilot_sdk_driver.cjs | Parse GH_AW_COPILOT_SDK_SERVER_ARGS into a permission config and pass it into the SDK session setup. |
| actions/setup/js/copilot_sdk_driver.test.cjs | Add focused unit tests for parsePermissionConfigFromServerArgs to validate parsing and precedence behavior. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 0
The SDK driver's `main()` never read `GH_AW_COPILOT_SDK_SERVER_ARGS`, so `onPermissionRequest` was never set on the SDK session. The Go engine correctly computed `--allow-tool shell(safeoutputs:*)` and placed it in that env var, the harness correctly passed the env var to the driver subprocess — but the driver discarded it entirely, leaving the SDK to fall back to its own default permission behavior.

Changes
- `copilot_sdk_driver.cjs` — adds `parsePermissionConfigFromServerArgs(serverArgsJson)` which parses the JSON array from `GH_AW_COPILOT_SDK_SERVER_ARGS` into a `permissionConfig` (`{ allowAllTools: true }` or `{ allowedTools: [...] }`). `main()` now calls this and passes the result to `runWithCopilotSDK`.
- `copilot_sdk_driver.test.cjs` — 11 new unit tests for `parsePermissionConfigFromServerArgs` covering invalid inputs, `--allow-all-tools` precedence, multi-entry `--allow-tool`, and a realistic `shell(safeoutputs:*)` scenario.
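
The parsing step described in this PR, as an added example that is not the project's `copilot_sdk_driver.cjs`: it turns a JSON-encoded args array into one of the two config shapes named above. The function name `parsePermissionFlags`, the deny-all result for malformed input, and the sample tool name `write` are assumptions made for illustration.

```javascript
// Added example, not the project's code. parsePermissionFlags is a
// hypothetical name; only the two flags and the two result shapes
// ({ allowAllTools: true } / { allowedTools: [...] }) come from the PR text.

// Assumption: malformed input fails closed to an empty allow-list.
const denyAll = () => ({ allowedTools: [] });

function parsePermissionFlags(serverArgsJson) {
  if (typeof serverArgsJson !== "string" || serverArgsJson.trim() === "") {
    return denyAll(); // env var unset or empty
  }
  let args;
  try {
    args = JSON.parse(serverArgsJson);
  } catch {
    return denyAll(); // not valid JSON
  }
  if (!Array.isArray(args) || !args.every(a => typeof a === "string")) {
    return denyAll(); // valid JSON, but not an array of strings
  }

  // --allow-all-tools takes precedence over any --allow-tool entries.
  if (args.includes("--allow-all-tools")) {
    return { allowAllTools: true };
  }

  const allowedTools = [];
  for (let i = 0; i < args.length; i++) {
    if (args[i] !== "--allow-tool") continue;
    const value = args[i + 1];
    // A flag with no value, or one followed by another flag, grants nothing.
    if (value === undefined || value.startsWith("--")) continue;
    if (!allowedTools.includes(value)) allowedTools.push(value);
    i++; // skip the value that was just consumed
  }
  return { allowedTools };
}

// Constructed sample input in the form the env var would carry.
const sampleArgs = JSON.stringify([
  "--allow-tool", "shell(safeoutputs:*)",
  "--allow-tool", "write",
]);
console.log(parsePermissionFlags(sampleArgs));
```
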