Fix agent job permissions in dev.md to use explicit scoping#6356

Merged

pelikhan merged 3 commits into main from copilot/fix-agent-job-permissions on Dec 13, 2025

Conversation

Contributor

Copilot AI commented Dec 13, 2025

Zizmor flagged the agent job in dev.md with Medium severity for inheriting permissions: read-all from workflow level instead of declaring explicit job-level permissions.

Changes

  • Replaced workflow-level permissions: read-all with explicit scoping:
    permissions:
      contents: read
      pull-requests: read

Impact

Agent job now declares minimal required permissions. Other jobs (create_pull_request, conclusion) retain appropriate write permissions via compiler-generated explicit scopes.

Before:

permissions: read-all  # Workflow level

jobs:
  agent:
    permissions: read-all  # Inherited

After:

permissions:
  contents: read
  pull-requests: read

jobs:
  agent:
    permissions:
      contents: read
      pull-requests: read

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Fix Medium severity job permissions in dev.md</issue_title>
<issue_description>## Objective

Explicitly scope the agent job permissions in dev.md to follow the principle of least privilege.

Context

Zizmor flagged dev.md (line 219, agent job) with Medium severity for missing explicit job-level permissions. Job-level permissions should be explicitly defined rather than inheriting from workflow level.

Current State

The agent job lacks an explicit permissions block, inheriting from the workflow level, which may grant more access than needed.

Approach

  1. Add explicit permissions block to the agent job in dev.md
  2. Define minimal required permissions:
    agent:
      permissions:
        contents: read
        pull-requests: read
  3. Verify the job doesn't require additional permissions (issues, discussions, etc.)

Files to Modify

  • .github/workflows/dev.md (agent job section, around line 219)

Testing

  1. After changes, recompile: make recompile
  2. Run zizmor scan: gh aw compile dev --zizmor
  3. Verify zizmor no longer flags the Medium severity issue
  4. Test workflow to ensure agent job functions correctly

Acceptance Criteria

AI generated by Plan Command for discussion #6330

Comments on the Issue (you are @copilot in this section)


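The finding this PR fixes is mechanical enough to check for automatically: a job that declares no `permissions` of its own inherits whatever the workflow grants, and a blanket `read-all` or `write-all` at either level is broader than a scoped list of grants. The script below is an added example, not code from this PR or from the repository it targets. Its two sample workflows are constructed to mirror the Before/After snippets in the PR description, and the minimal YAML reader is an assumption that covers only the indented-mapping subset those samples use; a real tool (zizmor itself, or anything built on a full YAML parser) would handle the whole format.

```python
"""Flag GitHub Actions jobs that inherit permissions instead of scoping them.

Added example, not code from this PR or its repository. It reproduces the
check behind the zizmor finding above: a job without its own `permissions`
block inherits the workflow-level grant, and a blanket `read-all`/`write-all`
is broader than least privilege needs. The reader below handles only the
indented-mapping subset used by the constructed samples, not full YAML.
"""
from typing import Any, Dict, List, Tuple

# Constructed sample modelled on the "Before" snippet in the PR description.
SAMPLE_BEFORE = """\
on:
  workflow_dispatch:
permissions: read-all  # workflow level
jobs:
  agent:
    runs-on: ubuntu-latest
    steps:
      - run: echo "agent step"
  conclusion:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - run: echo "conclusion step"
"""
# SAMPLE_AFTER applies the same edit as the PR: scoped grants at the workflow
# level and an explicit block on the agent job.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "permissions: read-all  # workflow level",
    "permissions:\n  contents: read\n  pull-requests: read",
).replace(
    "  agent:\n    runs-on: ubuntu-latest\n",
    "  agent:\n    runs-on: ubuntu-latest\n"
    "    permissions:\n      contents: read\n      pull-requests: read\n",
)


def _scalar(value: str) -> Any:
    value = value.strip()
    return {} if value == "{}" else value  # `permissions: {}` means no grants


def _parse_block(lines: List[Tuple[int, str]], pos: int, indent: int) -> Tuple[Any, int]:
    """Parse one indentation level starting at lines[pos]; return (node, next_pos)."""
    node: Any = None
    while pos < len(lines):
        ind, content = lines[pos]
        if ind < indent:
            break
        if ind > indent:
            raise ValueError(f"unexpected indentation: {content!r}")
        if content.startswith("- "):  # list item, kept as a scalar string
            node = [] if node is None else node
            node.append(_scalar(content[2:]))
            pos += 1
            continue
        key, _, value = content.partition(":")
        node = {} if node is None else node
        if value.strip():  # inline scalar
            node[key.strip()] = _scalar(value)
            pos += 1
        elif pos + 1 < len(lines) and lines[pos + 1][0] > indent:  # nested block
            node[key.strip()], pos = _parse_block(lines, pos + 1, lines[pos + 1][0])
        else:  # bare key such as `workflow_dispatch:`
            node[key.strip()] = None
            pos += 1
    return ({} if node is None else node), pos


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Strip comments and blank lines, then parse the indented-mapping subset."""
    lines = []
    for raw in text.splitlines():
        code = raw.split(" #", 1)[0].rstrip()
        if code.strip() and not code.lstrip().startswith("#"):
            lines.append((len(code) - len(code.lstrip()), code.strip()))
    return _parse_block(lines, 0, lines[0][0] if lines else 0)[0]


def audit_permissions(workflow: Dict[str, Any]) -> List[Tuple[str, str, str]]:
    """Return (scope, severity, message) findings about permission scoping."""
    findings = []

    def check(scope: str, perms: Any, missing_msg: str) -> None:
        if perms is None:
            findings.append((scope, "medium", missing_msg))
        elif isinstance(perms, str) and perms in {"read-all", "write-all"}:
            findings.append((scope, "medium", f"blanket '{perms}' grant"))
        elif isinstance(perms, dict):
            writes = sorted(k for k, v in perms.items() if v == "write")
            if writes:  # not wrong by itself, but worth a reviewer's eye
                findings.append((scope, "info", "write access: " + ", ".join(writes)))

    check("workflow", workflow.get("permissions"), "no workflow-level permissions; default token grants apply")
    for name, job in (workflow.get("jobs") or {}).items():
        check(name, (job or {}).get("permissions"), "no job-level permissions; inherits the workflow-level grant")
    return findings
```

Run against `SAMPLE_BEFORE`, the audit reports the workflow's blanket `read-all` and the `agent` job's inherited grant as medium findings, plus an informational note that `conclusion` holds `pull-requests: write`; against `SAMPLE_AFTER` only the informational note remains, which is the outcome the PR description claims for the compiled workflow.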

Copilot AI and others added 2 commits December 13, 2025 16:48
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Co-authored-by: mnkiefer <8320933+mnkiefer@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix Medium severity job permissions in dev.md" to "Fix agent job permissions in dev.md to use explicit scoping" on Dec 13, 2025
Copilot AI requested a review from mnkiefer December 13, 2025 17:06
pelikhan marked this pull request as ready for review December 13, 2025 18:08
pelikhan merged commit 12277b9 into main Dec 13, 2025
4 checks passed
pelikhan deleted the copilot/fix-agent-job-permissions branch December 13, 2025 18:12

Development

Successfully merging this pull request may close these issues.

[plan] Fix Medium severity job permissions in dev.md

3 participants