
Copilot AI commented Jan 7, 2026

Four workflows using strict: true mode with write permissions were failing compilation. This PR fixes the compilation errors by changing workflows to use read-only permissions and relying on the safe-outputs system to handle write operations securely.

Changes

Workflow Updates:

  • Changed discussions: write to discussions: read in 3 workflows
  • Changed contents/issues/pull-requests: write to read in 1 workflow

Affected workflows:

  • daily-issues-report.md - Daily repository issues analysis
  • daily-performance-summary.md - Daily performance metrics
  • example-permissions-warning.md - Permissions example
  • org-health-report.md - Organization health reports

Updated permissions syntax:

```yaml
---
permissions:
  discussions: read  # Read-only for agent job
strict: true
safe-outputs:
  create-discussion:  # Write permissions granted to safe-outputs job
---
```

Security Model

The workflows now follow the principle of least privilege:

  • Agent job: Runs with read-only permissions
  • Safe-outputs job: Automatically receives write permissions for safe operations (creating discussions, issues, etc.)

This architecture minimizes the attack surface by granting the main agent job only read permissions, while the safe-outputs consolidation job handles all write operations securely.

Benefits

  • ✅ Follows principle of least privilege with minimal permissions for agent jobs
  • ✅ Safe-outputs system automatically grants write permissions only where needed
  • ✅ Simple solution using standard read permissions without additional code changes
  • ✅ All 4 workflows compile successfully with 0 errors

These workflows create GitHub Discussions for automated reporting. The safe-outputs system handles the write operations, allowing the main agent job to run with minimal read-only permissions.

Original prompt

Fix the failing GitHub Actions workflow build

Analyze the workflow logs, identify the root cause of the failure, and implement a fix.

Job ID: 59723562914

Job URL: https://github.com/githubnext/gh-aw/actions/runs/20794253503/job/59723562914
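As an added illustration of the strict-mode rule the PR description relies on (not code from this PR or from gh-aw's own compiler): a small Python checker that parses the two-level frontmatter shown above, rejects any `write` scope on the agent job when `strict: true`, and reports the resulting least-privilege split between the agent job and the safe-outputs consolidation job. The mapping from safe-outputs kinds to write scopes and the exact error wording are assumptions for this example; the sample workflows are constructed to mirror the before/after state the PR describes.

```python
"""Strict-mode permission check for gh-aw style workflow frontmatter.

Added example for this PR discussion; it is NOT gh-aw's own compiler code.
Assumptions (not from the page): the frontmatter is the two-level YAML shown
in the PR (permissions: <scope>: <level>, strict: true, safe-outputs: <kind>:),
strict mode rejects any write-level scope on the agent job, and each
safe-outputs kind maps to one write scope on the consolidation job.
"""
import re

FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---", re.S)

# Assumed mapping from safe-outputs kind to the scope the consolidation job
# needs; the page names discussions and issues, the rest is illustrative.
SAFE_OUTPUT_SCOPES = {
    "create-discussion": "discussions",
    "create-issue": "issues",
    "create-pull-request": "pull-requests",
}


def parse_frontmatter(text):
    """Parse the '---' block into (strict, permissions, safe_outputs).

    Only the two-level layout used by these workflows is handled; trailing
    '# comments' are stripped before parsing.
    """
    m = FRONTMATTER_RE.match(text)
    if not m:
        raise ValueError("workflow has no frontmatter block")
    strict, permissions, safe_outputs = False, {}, set()
    section = None
    for raw in m.group(1).splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not line.startswith(" "):          # top-level key
            section = key
            if key == "strict":
                strict = value.lower() == "true"
        elif section == "permissions":
            permissions[key] = value
        elif section == "safe-outputs":
            safe_outputs.add(key)
    return strict, permissions, safe_outputs


def check_strict_permissions(text):
    """Return compile errors for the agent job; an empty list means it passes."""
    strict, permissions, _ = parse_frontmatter(text)
    if not strict:
        return []
    return [
        f"strict mode: '{scope}: {level}' is not allowed on the agent job; "
        f"use '{scope}: read' and declare the write under safe-outputs"
        for scope, level in sorted(permissions.items())
        if level == "write"
    ]


def split_permissions(text):
    """Show the least-privilege split: (agent job perms, safe-outputs job perms)."""
    _, permissions, safe_outputs = parse_frontmatter(text)
    consolidation = {SAFE_OUTPUT_SCOPES[k]: "write"
                     for k in safe_outputs if k in SAFE_OUTPUT_SCOPES}
    return dict(permissions), consolidation


# Constructed samples mirroring the before/after state described in the PR.
BEFORE_WORKFLOW = """---
permissions:
  discussions: write
strict: true
---
# Daily issues report (body omitted)
"""

AFTER_WORKFLOW = """---
permissions:
  discussions: read  # Read-only for agent job
strict: true
safe-outputs:
  create-discussion:  # Write permissions granted to safe-outputs job
---
# Daily issues report (body omitted)
"""

if __name__ == "__main__":
    for name, wf in (("before", BEFORE_WORKFLOW), ("after", AFTER_WORKFLOW)):
        errors = check_strict_permissions(wf)
        print(name, "->", errors or "OK", split_permissions(wf))
```

Run stand-alone, the "before" sample fails with one strict-mode error on `discussions: write`, while the "after" sample passes and the split shows the agent job holding only `discussions: read` and the consolidation job holding `discussions: write`.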



…permissions in strict mode

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan commented Jan 7, 2026

@copilot change discussions: write to discussions: true. Remove feature flag.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix failing GitHub Actions workflow build Fix workflow compilation errors for strict mode workflows with write permissions Jan 7, 2026
Copilot AI requested a review from pelikhan January 7, 2026 19:58
```yaml
strict: true
tracker-id: daily-issues-report
features:
  dangerous-permissions-write: true
```
Contributor

@copilot use read permissions instead

Contributor Author

Done! Changed all 4 workflows to use read permissions instead. The safe-outputs system will automatically grant write permissions to the consolidation job for creating discussions. This follows the principle of least privilege - the agent job has minimal read-only permissions. (commit ef0cbbf)

…ring dangerous-permissions-write flag

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 7, 2026

@copilot change discussions: write to discussions: true. Remove feature flag.

Done! Changed discussions: write to discussions: true and removed the dangerous-permissions-write feature flag from all 4 workflows.

I also implemented full support for boolean true as a shorthand for write permissions:

  • Schema updated to accept both string values and boolean: true
  • Parser converts true to "write" internally
  • Validation treats boolean permissions as explicit/safe (no feature flag needed)
  • Generated YAML uses standard write strings for GitHub Actions compatibility

All workflows now compile successfully. (commit a2d21fe)

Copilot AI changed the title Fix workflow compilation errors for strict mode workflows with write permissions Support boolean true as shorthand for write permissions in strict mode Jan 7, 2026
Copilot AI requested a review from pelikhan January 7, 2026 20:32
…ations

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan commented Jan 7, 2026

@copilot Do not add support for Boolean, specify discussions: read

Copilot AI changed the title Support boolean true as shorthand for write permissions in strict mode Fix workflow compilation errors by using read-only permissions with safe-outputs Jan 7, 2026
…ditional code changes

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 7, 2026

@copilot Do not add support for Boolean, specify discussions: read

Done! Reverted all boolean permission support code. The workflows now simply use discussions: read with no additional code changes needed. All 4 workflows compile successfully. (commit 341cfd7)

@pelikhan pelikhan marked this pull request as ready for review January 7, 2026 20:51
@pelikhan pelikhan merged commit af6c6fb into main Jan 7, 2026
3 checks passed
@pelikhan pelikhan deleted the copilot/fix-github-actions-workflow-another-one branch January 7, 2026 20:51
