docs(site): fix permissions.write — executor defaults to System.AccessToken#890
Merged
jamesadevine merged 1 commit intoJun 7, 2026
Merged
Conversation
…sToken
- network.mdx: remove stale "System.AccessToken is never used for
executor operations" claim; update Security Model to show
permissions.write is optional (override); remove incorrect
Compile-Time Validation section; add a fourth example for the
default no-SC case
- service-connections.mdx: change "Write (required for safe outputs)"
table row to "optional override"; drop "minimum required connection"
framing; replace incorrect compile-time-failure callout with an
accurate Default executor token note; fix permission combinations
table (Only read / Neither rows now correctly show writes as ✅)
- template-markers.mdx: rewrite {{ executor_ado_env }} — env block is
always emitted, not only when permissions.write is set
Verified against generate_executor_ado_env() in src/compile/common.rs
(lines 1769-1797 and companion tests at lines 6139-6203).
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jamesadevine
deleted the
docs/fix-permissions-write-optional-634cc572bfd5d7bb
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
permissions.writeis required for safe outputs or that compilation fails without it$(System.AccessToken){{ executor_ado_env }}template-marker description now accurately reflects that theenv:block is always emittedChanges
site/src/content/docs/reference/network.mdx:$(System.AccessToken)as its default write tokenpermissions.writeis now documented as optional override for cross-org / named-identity writessite/src/content/docs/setup/service-connections.mdx:Only readandNeitherrows now correctly show writes as ✅ (with clarifying labels)site/src/content/docs/reference/template-markers.mdx:{{ executor_ado_env }}description: env block is always emitted, not only whenpermissions.writeis setAccuracy checks
src/compile/common.rsgenerate_executor_ado_env()(lines 1769–1797): always pushesSYSTEM_ACCESSTOKEN— confirmed always-emitted behavior"Should always emit env: block (executor needs SYSTEM_ACCESSTOKEN)"— confirmed"Default executor token is $(System.AccessToken)"— confirmed default path"Executor should use SC_WRITE_TOKEN when write SC is configured"— confirmed override pathvalidate_write_permissionsdeleted — confirmed compilation no longer fails withoutpermissions.writeValidation
cd site && npm ci && npm run build— 33 pages built, all internal links validCreated by the docs-writer workflow.