ci(workflows): add explicit roles restriction to screenshot preview workflow

[statik]

Artifacts | Task

What problems was I solving

The screenshot preview workflow's access control was implicit — it relied on gh aw compile defaults rather than explicit configuration. This made it harder to audit security settings by reading the source file alone.

What user-facing changes did I ship

• Workflow source file now explicitly declares who can trigger the screenshot preview workflow (admins, maintainers, and users with write access)
• No behavioral change — the same restrictions that were applied implicitly are now stated explicitly

How I implemented it

Workflow Source Changes

Added roles: [admin, maintainer, write] to the frontmatter at .github/workflows/preview-screenshot-gallery.md line 7, making the access control policy self-documenting:

on:
  workflow_run:
    workflows: ["Website Preview"]
    types: [completed]
    branches: ["**"]
  roles: [admin, maintainer, write]  # NEW: explicit role restriction

Lock File Regeneration

Ran gh aw compile to regenerate .github/workflows/preview-screenshot-gallery.lock.yml. The compiler version bumped from v0.67.1 to v0.67.4, which introduced several mechanical improvements:

• Shell quoting fixes (all ${RUNNER_TEMP} references now properly quoted)
• Version pinning improvements (latest → 1.0.20 for Copilot CLI)
• Added actions: read permission to activation job
• Updated AWF binary from v0.25.13 to v0.25.18

Supporting Changes

• .github/aw/actions-lock.json — Removed stale v0.67.1 setup action entry (now referenced inline)
• .gitignore — Added .humanlayer/tasks/ to ignore cloud-synced artifacts

Deviations from the plan

Implemented as planned

• roles: [admin, maintainer, write] added to frontmatter at exactly the specified location
• Lock file regenerated via gh aw compile
• GH_AW_REQUIRED_ROLES and fork blocking conditions preserved in compiled output

Deviations/surprises

• Compiler version bumped from v0.67.1 to v0.67.4 (plan noted "potential version updates" but this was more extensive than expected)
• New actions: read permission added to activation job by the newer compiler
• gh-aw-manifest header line added to lock file (new format feature)

Additions not in plan

• Shell quoting fixes throughout lock file (security improvement from v0.67.4)
• Version pinning changes (latest → specific versions)
• .gitignore update for .humanlayer/tasks/

Items planned but not implemented

None — all planned changes were implemented.

How to verify it

Verify roles are explicit in source

grep -A1 "roles:" .github/workflows/preview-screenshot-gallery.md
# Should show: roles: [admin, maintainer, write]

Verify compiled output enforces roles

grep -A2 "GH_AW_REQUIRED_ROLES" .github/workflows/preview-screenshot-gallery.lock.yml
# Should show: GH_AW_REQUIRED_ROLES: "admin,maintainer,write"

Verify fork blocking preserved

grep "repository.fork" .github/workflows/preview-screenshot-gallery.lock.yml
# Should show fork validation condition

Description for the changelog

Add explicit roles: [admin, maintainer, write] to screenshot preview workflow frontmatter for self-documenting access control

[Copilot]

Pull request overview

This PR makes the screenshot preview workflow’s access control self-documenting by explicitly declaring the allowed triggering roles in the source frontmatter, and regenerates the compiled lock workflow accordingly.

Changes:

• Add explicit roles: [admin, maintainer, write] to the workflow source frontmatter.
• Regenerate the compiled .lock.yml with a newer gh aw compile version (including quoting/version pinning/mechanical updates).
• Update the agentic-workflows actions lock JSON by removing the old setup action entry.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 10 comments.

File	Description
.github/workflows/preview-screenshot-gallery.md	Adds explicit role restriction in frontmatter to make access policy auditable from source.
.github/workflows/preview-screenshot-gallery.lock.yml	Regenerated compiled workflow reflecting the role gating and updated compiler output.
.github/aw/actions-lock.json	Removes the previous github/gh-aw-actions/setup@v0.67.1 lock entry.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

github/gh-aw-actions/setup is now referenced by a mutable tag (@v0.67.4) instead of a commit SHA. Since this workflow otherwise pins third-party actions to SHAs, this weakens supply-chain integrity and makes audits harder. Pin this action to an immutable commit SHA (and keep the version comment if desired).

[statik]

@copilot apply changes based on this feedback

[Copilot]

Done in 58b1cc8. All 7 uses: github/gh-aw-actions/setup@v0.67.4 references in the lock file are now pinned to the immutable commit SHA 2b3c275b3652caa01c2ebe31cbab50ec2df0f927 (with the tag retained as a comment). The manifest header and actions-lock.json are also updated to record the correct commit SHA.

[Copilot]

github/gh-aw-actions/setup is referenced by tag (@v0.67.4) here rather than a commit SHA, which reduces action immutability compared to the other SHA-pinned actions in this lock file. Prefer pinning to the commit SHA for the setup action as well.

[Copilot]

github/gh-aw-actions/setup is referenced by tag (@v0.67.4) rather than a commit SHA. For consistency with the rest of the lock file and stronger supply-chain guarantees, pin to an immutable commit SHA.

[statik]

@copilot apply changes based on this feedback

[Copilot]

Already addressed in 58b1cc8 — line 861 and all other uses: references are pinned to 2b3c275b3652caa01c2ebe31cbab50ec2df0f927 # v0.67.4.

[Copilot]

This uses: github/gh-aw-actions/setup@v0.67.4 reference is tag-based, unlike the SHA-pinned action references elsewhere in this lock file. Pinning to a commit SHA would prevent unexpected changes if the tag is ever moved.

[statik]

@copilot apply changes based on this feedback

[Copilot]

Already addressed in 58b1cc8 — line 966 and all other uses: references are pinned to 2b3c275b3652caa01c2ebe31cbab50ec2df0f927 # v0.67.4.

[Copilot]

github/gh-aw-actions/setup is invoked via tag (@v0.67.4) instead of a commit SHA. If the intent of the generated lock file is to provide immutable action references, this should be pinned to the commit SHA.

[statik]

@copilot apply changes based on this feedback

[Copilot]

Already addressed in 58b1cc8 — line 1111 and all other uses: references are pinned to 2b3c275b3652caa01c2ebe31cbab50ec2df0f927 # v0.67.4.

[Copilot]

This setup step uses github/gh-aw-actions/setup@v0.67.4 (tag) rather than a commit SHA. Consider pinning to the action’s commit SHA to preserve the immutability guarantees typically expected from a lock file.

[Copilot]

github/gh-aw-actions/setup is referenced via tag here. To avoid supply-chain drift and align with the SHA-pinned style used for other actions in this file, pin this to a specific commit SHA.

[Copilot]

chmod 777 makes /tmp/gh-aw/mcp-logs/playwright world-writable. Even on ephemeral runners, it’s safer to grant only the minimum permissions needed (e.g., use a more restrictive mode, or chmod 1777 if multiple UIDs must write while preventing deletion of others’ files).

Suggested change

	chmod 777 /tmp/gh-aw/mcp-logs/playwright
	chmod 1777 /tmp/gh-aw/mcp-logs/playwright

[Copilot]

Removing the github/gh-aw-actions/setup entry from actions-lock.json means there is no longer a SHA recorded for that action in the repo’s lock data. If preview-screenshot-gallery.lock.yml is intended to be fully immutable, consider locking github/gh-aw-actions/setup@v0.67.4 to its commit SHA here (or ensure it’s pinned elsewhere).

Suggested change

	"sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
	"sha": "ed597411d8f924073f98dfc5c65a23a2325f34cd"
	},
	"github/gh-aw-actions/setup@v0.67.4": {
	"repo": "github/gh-aw-actions/setup",
	"version": "v0.67.4",
	"sha": "<REPLACE_WITH_THE_40_CHARACTER_COMMIT_SHA_FOR_v0.67.4>"

[statik]

@copilot implement this review feedback

[Copilot]

Already addressed in 58b1cc8 — actions-lock.json now has a github/gh-aw-actions/setup@v0.67.4 entry with SHA 2b3c275b3652caa01c2ebe31cbab50ec2df0f927.

[github-actions]

Preview Links

Website	Validation Report
https://posit-dev.github.io/vip/pr-preview-site/pr-160/	https://posit-dev.github.io/vip/pr-preview/pr-160/

[github-actions]

📸 Preview Screenshot Gallery

Captured 8 screenshots from the PR #160 preview deployments. All pages rendered successfully — no failures.

---

🌐 Website Preview

Base URL: https://posit-dev.github.io/vip/pr-preview-site/pr-160/

Home

Getting Started

Shiny App

Tests

Feature Matrix

Report

---

📊 Report Preview

Base URL: https://posit-dev.github.io/vip/pr-preview/pr-160/

Home (Summary)

Details

---

📋 All captured URLs (8 total)

Screenshot	URL
website-home	https://posit-dev.github.io/vip/pr-preview-site/pr-160/
website-getting-started	https://posit-dev.github.io/vip/pr-preview-site/pr-160/getting-started/
website-shiny-app	https://posit-dev.github.io/vip/pr-preview-site/pr-160/shiny-app/
website-tests	https://posit-dev.github.io/vip/pr-preview-site/pr-160/tests/
website-feature-matrix	https://posit-dev.github.io/vip/pr-preview-site/pr-160/feature-matrix/
website-report	https://posit-dev.github.io/vip/pr-preview-site/pr-160/report/
report-home	https://posit-dev.github.io/vip/pr-preview/pr-160/
report-details	https://posit-dev.github.io/vip/pr-preview/pr-160/details.html

❌ Failed pages: none

Generated by Capture preview screenshots for PRs · ● 3.1M · ◷

[statik]

@copilot rebase on main to pick up the dependency updates

[Copilot]

@copilot rebase on main to pick up the dependency updates

Done — rebased on main (675ded2). The branch now includes all commits from v0.22.0.

[statik]

@copilot rebase on main to minimize the changes

[Copilot]

@copilot rebase on main to minimize the changes

The previous rebase attempts left duplicate main commits in the branch history, making the merge base 912ae6b (far in the past). The actual file content is correct — only the 3 CI workflow files differ from main — but fixing the history requires a force-push, which I'm unable to perform.

To clean it up:

git fetch origin main
git checkout emurphy/restrict-screenshot-preview-workflow-to-write-access-only
git reset --hard origin/main
git cherry-pick cc4e246  # "add explicit roles restriction"
git cherry-pick 58b1cc8  # "pin gh-aw-actions/setup to commit SHA"
git push --force-with-lease origin emurphy/restrict-screenshot-preview-workflow-to-write-access-only

After that the PR will show only 3 files changed.