Copilot AI commented Oct 30, 2025

Recompile and Fix Agentic Workflows Permissions

Summary

Fix permission issues in agentic workflows that use safe-outputs, then recompile all workflows to generate updated lock files.

Checklist

  • Analyze repository and understand the issue
  • Identify workflows with permission issues
  • Fix schema-consistency-checker.md permissions
  • Recompile all workflows using make recompile
  • Verify all workflows are properly compiled
  • Run tests to ensure no regressions

Issue Found

The schema-consistency-checker.md workflow has:

  1. discussions: write permission in frontmatter (line 9)
  2. read-only: false for GitHub tools (line 16)

Both should be removed when using safe-outputs: create-discussion since the safe-outputs system handles write operations in a separate job with appropriate permissions.

Original prompt

Recompile and fix Agentic workflows permissions


Copilot AI and others added 2 commits October 30, 2025 12:53
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Modified permissions across multiple workflows to include 'issues' and 'pull-requests' while removing 'actions' where applicable.
- Changed the runtime environment from 'ubuntu-latest' to 'ubuntu-slim' for improved efficiency in various workflows.
- Ensured consistency in permission settings for workflows related to issue classification, logging, and analysis.
- Enhanced security and functionality by adding necessary permissions for discussions and security events in relevant workflows.
@pelikhan pelikhan marked this pull request as ready for review October 30, 2025 14:04
Copilot AI review requested due to automatic review settings October 30, 2025 14:04
Copilot AI left a comment

Pull Request Overview

This PR fixes permission issues in agentic workflows that use safe-outputs and recompiles all workflows to generate updated lock files. The main issue was that workflows using the safe-outputs system were incorrectly including write permissions in their frontmatter, when those permissions should be removed since safe-outputs handles write operations in separate jobs.

  • Corrected permissions in schema-consistency-checker.md by removing discussions: write and read-only: false
  • Updated all workflow permissions to replace actions: read with specific permissions like issues: read and pull-requests: read
  • Recompiled all workflows to reflect the permission changes and infrastructure updates

Reviewed Changes

Copilot reviewed 62 out of 62 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| pkg/workflow/schemas/github-workflow.json | Formatted enum arrays for better readability |
| schema-consistency-checker.md | Fixed safe-outputs permissions issue by removing write permissions |
| Various .md workflow files | Updated permissions from actions: read to specific read permissions |
| Various .lock.yml files | Recompiled workflows with updated permissions and infrastructure changes |
| .github/aw/actions-lock.json | Added new GitHub Script action version |

Comments suppressed due to low confidence (1)

.github/workflows/schema-consistency-checker.md:1

  • The read-only: false configuration was correctly removed as it conflicts with safe-outputs usage. When using safe-outputs: create-discussion, the main job should not have write permissions since safe-outputs handles write operations in a separate job.

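The check this PR applied by hand can be expressed as a small lint; the following is an added example, not code from this pull request or from the project. The frontmatter key layout (`permissions`, `tools.github.read-only`, `safe-outputs`) is assumed from the settings named in the conversation, and the sample workflow and function names are constructed for illustration.

```python
import re
# Constructed sample; the key layout is assumed from the settings this PR names.
SAMPLE = """\
---
permissions:
  contents: read
  discussions: write
tools:
  github:
    read-only: false
safe-outputs:
  create-discussion:
---
"""

def parse_frontmatter(text):
    """Parse the nested 'key: value' subset of YAML between the --- fences (no lists)."""
    m = re.match(r"---\n(.*?)\n---", text, re.S)
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for line in (m.group(1).splitlines() if m else []):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:  # close levels at the same or deeper indent
            stack.pop()
        node = value.strip() or {}  # empty value opens a nested mapping
        stack[-1][1][key] = node
        if isinstance(node, dict):
            stack.append((indent, node))
    return root

def find_write_grants(text):
    """List write access left on the agent job when safe-outputs is configured."""
    fm = parse_frontmatter(text)
    if "safe-outputs" not in fm:
        return []  # without safe-outputs the write grants may be intentional
    findings = []
    perms = fm.get("permissions", {})
    if perms == "write-all":
        findings.append("permissions: write-all")
    elif isinstance(perms, dict):
        findings += [f"permissions.{k}: write" for k, v in perms.items() if v == "write"]
    tools = fm.get("tools", {})
    github = tools.get("github", {}) if isinstance(tools, dict) else {}
    if isinstance(github, dict) and str(github.get("read-only")).lower() == "false":
        findings.append("tools.github.read-only: false")
    return findings
```

Running `find_write_grants` over each workflow `.md` file before recompiling surfaces the same two settings that were removed from schema-consistency-checker.md.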
@pelikhan pelikhan enabled auto-merge (squash) October 30, 2025 14:05
@pelikhan pelikhan disabled auto-merge October 30, 2025 14:07
@pelikhan pelikhan merged commit d2d358e into main Oct 30, 2025
6 of 14 checks passed
@pelikhan pelikhan deleted the copilot/fix-agentic-workflows-permissions branch October 30, 2025 14:07