
Fix: Compute minimal permissions for conclusion/safe_outputs jobs based on configured safe-outputs #15518

Merged
pelikhan merged 5 commits into main from copilot/fix-conclusion-job-permissions
Feb 13, 2026

Conversation

Contributor

Copilot AI commented Feb 13, 2026

Conclusion and safe_outputs jobs unconditionally requested discussions: write permission, causing 422 errors when GitHub App installations lacked Discussions permission. Jobs now compute minimal required permissions dynamically based on configured safe-outputs.

Changes

  • New: computePermissionsForSafeOutputs() in safe_outputs_permissions.go - analyzes safe-outputs config and returns minimal permission set
  • Updated: buildConclusionJob() uses computed permissions for job and GitHub App token
  • Updated: buildConsolidatedSafeOutputsJob() uses computed permissions, removed redundant permission merges
  • Tests: 20+ cases covering all safe-output types and permission combinations

Example

Before:

conclusion:
  permissions:
    contents: read
    issues: write
    pull-requests: write
    discussions: write  # ❌ Always present, even with no discussion safe-outputs

After with add-labels only:

conclusion:
  permissions:
    contents: read
    issues: write
    pull-requests: write  # ✓ No discussions: write

After with create-discussion:

conclusion:
  permissions:
    contents: read
    discussions: write
    issues: write
    pull-requests: write  # ✓ Includes discussions: write only when needed

All 150 repository workflows recompiled with corrected permissions.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq '.owner.login + "/" + .name' (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/download-artifact/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/download-artifact/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>Conclusion job should not request discussions: write when workflow has no discussion-related safe-outputs</issue_title>
<issue_description>🤖 Filed by AI

Problem

The compiled .lock.yml conclusion job always requests discussions: write permission — both in the job's permissions: block and via permission-discussions: write on the GitHub App token step — even when the workflow has no discussion-related safe-outputs configured (e.g., no create-discussion, close-discussion, update-discussion).

This causes a 422 error when the GitHub App installation doesn't have the Discussions permission granted:

RequestError [HttpError]: The permissions requested are not granted to this installation.

Additionally, permission-discussions is flagged as an unexpected input by actions/create-github-app-token@v2.2.1:

##[warning]Unexpected input(s) 'permission-discussions', valid inputs are [...]

Reproduction

  1. Create a workflow with only issue/label-related safe-outputs (no discussions):

     ---
     on:
       workflow_dispatch:
     permissions:
       contents: read
       issues: read
     tools:
       github:
         toolsets: [issues]
         read-only: true
         app:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
           owner: 'myorg'
           repositories: ['myrepo']
     safe-outputs:
       app:
         app-id: ${{ secrets.APP_ID }}
         private-key: ${{ secrets.APP_PRIVATE_KEY }}
         owner: 'myorg'
         repositories: ['myrepo']
       add-labels:
         max: 5
       remove-labels:
         allowed: ["triage-needed"]
         max: 2
       assign-to-user:
         max: 1
     ---
     # My Workflow
     Do something with issues only.

  2. Compile: gh aw compile
  3. Observe the generated conclusion job in .lock.yml:

       conclusion:
         permissions:
           contents: read
           discussions: write    # <-- not needed
           issues: write
           pull-requests: write
         steps:
           - name: Generate GitHub App token
             uses: actions/create-github-app-token@...
             with:
               permission-discussions: write   # <-- not needed, also not a valid input

  4. Run the workflow — the conclusion job fails at the token step if the GitHub App doesn't have Discussions permission.

Expected Behavior

The conclusion job should only request permissions that are actually needed based on the workflow's configured safe-outputs. If no discussion-related safe-outputs are configured, discussions: write should not be included in either the job permissions or the app token request.

Actual Behavior

discussions: write is unconditionally added to every conclusion job regardless of whether any discussion-related safe-outputs are configured.

Environment

  • gh-aw version: v0.43.9 and v0.43.21 (both affected)
  • actions/create-github-app-token: v2.2.1

Additional Context

Comments on the Issue (you are @copilot in this section)




Changeset

  • Type: patch
  • Description: Compute conclusion and safe-outputs job permissions from configured safe-outputs so discussions write is requested only when needed.

Generated by Changeset Generator
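The issue's Expected Behavior and the PR's computePermissionsForSafeOutputs() both come down to deriving a job's permissions from the configured safe-outputs and checking the compiled job against that minimum. The Go program below is an added illustration, not gh-aw's implementation: minimalPermissions, parseJobPermissions, excessPermissions and the safe-output-to-scope mapping in scopeFor are assumptions made here, and compiledLock is a constructed excerpt in the over-privileged shape the issue shows.

```go
package main

import (
	"sort"
	"strings"
)

// Permission levels in the order GitHub Actions ranks them: none < read < write.
var level = map[string]int{"": 0, "none": 0, "read": 1, "write": 2}

// Scopes each safe-output type named in the issue needs at write level. This is an
// assumed mapping for the example, not gh-aw's own table.
var scopeFor = map[string][]string{
	"add-labels": {"issues", "pull-requests"}, "remove-labels": {"issues", "pull-requests"},
	"assign-to-user": {"issues", "pull-requests"}, "create-discussion": {"discussions"},
	"close-discussion": {"discussions"}, "update-discussion": {"discussions"},
}

// minimalPermissions returns the smallest set covering the configured safe-output
// types; contents: read is always present, as in the compiled conclusion job.
func minimalPermissions(safeOutputs []string) map[string]string {
	perms := map[string]string{"contents": "read"}
	for _, so := range safeOutputs {
		for _, scope := range scopeFor[so] {
			perms[scope] = "write"
		}
	}
	return perms
}

// parseJobPermissions extracts one job's permissions: block from a compiled lock
// file with a small line scanner (not a YAML parser); trailing # comments are dropped.
func parseJobPermissions(lock, job string) map[string]string {
	perms, inJob, inPerms := map[string]string{}, false, false
	for _, raw := range strings.Split(lock, "\n") {
		indent := len(raw) - len(strings.TrimLeft(raw, " "))
		trimmed, _, _ := strings.Cut(strings.TrimSpace(raw), "#")
		trimmed = strings.TrimSpace(trimmed)
		switch {
		case indent == 2 && strings.HasSuffix(trimmed, ":"):
			inJob, inPerms = trimmed == job+":", false
		case inJob && indent == 4:
			inPerms = trimmed == "permissions:"
		case inPerms && indent == 6:
			if k, v, ok := strings.Cut(trimmed, ":"); ok {
				perms[strings.TrimSpace(k)] = strings.TrimSpace(v)
			}
		}
	}
	return perms
}

// excessPermissions lists scopes the compiled job requests above the minimum,
// e.g. "discussions: write" on a job with no discussion safe-outputs.
func excessPermissions(granted, minimal map[string]string) []string {
	var extra []string
	for scope, lvl := range granted {
		if level[lvl] > level[minimal[scope]] {
			extra = append(extra, scope+": "+lvl)
		}
	}
	sort.Strings(extra)
	return extra
}

// Constructed excerpt of a compiled .lock.yml conclusion job in the over-privileged shape the issue reports.
const compiledLock = `
  conclusion:
    permissions:
      contents: read
      discussions: write    # <-- not needed
      issues: write
      pull-requests: write
    steps: []
`
```

For the issue's add-labels/remove-labels/assign-to-user configuration, excessPermissions reports exactly discussions: write; once the compiler derives permissions from safe-outputs, that list should be empty for every regenerated conclusion job.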

Copilot AI and others added 3 commits February 13, 2026 22:16
…safe_outputs jobs

- Created safe_outputs_permissions.go with centralized permission computation
- Updated notify_comment.go to use computed permissions instead of hardcoded ones
- Updated compiler_safe_outputs_job.go to use computed permissions
- Removed all redundant permissions.Merge() calls
- Verified workflows without discussion safe-outputs no longer request discussions: write

Co-authored-by: pelikhan <[email protected]>
…job tests

- Added comprehensive tests for computePermissionsForSafeOutputs helper
- Updated TestConclusionJob to check permissions based on configured safe-outputs
- All tests now pass with dynamic permission calculation

Co-authored-by: pelikhan <[email protected]>
- All 150 workflows recompiled successfully
- Conclusion jobs now only request permissions based on configured safe-outputs
- Verified that workflows without discussion safe-outputs no longer request discussions: write

Co-authored-by: pelikhan <[email protected]>
Copilot AI changed the title from "[WIP] Fix conclusion job requesting discussions permission when not needed" to "Fix: Compute minimal permissions for conclusion/safe_outputs jobs based on configured safe-outputs" Feb 13, 2026
Copilot AI requested a review from pelikhan February 13, 2026 22:28
@pelikhan pelikhan marked this pull request as ready for review February 13, 2026 23:22
Copilot AI review requested due to automatic review settings February 13, 2026 23:22
@pelikhan pelikhan added the smoke label Feb 13, 2026
@github-actions

🧪 Smoke Project is now testing project operations...

@github-actions

github-actions bot commented Feb 13, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions bot commented Feb 13, 2026

Changeset Generator completed successfully!

@github-actions

🧪 Smoke Temporary ID is now testing temporary ID functionality...

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions bot commented Feb 13, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

Smoke Temporary ID completed successfully. Temporary ID validation passed.

@github-actions

Agent Container Tool Check

Tool Status Version
bash 5.2.21
sh available
git available
jq 1.7
yq 4.52.2
curl available
gh 2.86.0
node available
python3 available
go 1.24.13
java available
dotnet available

Result: 12/12 tools available ✅

AI generated by Agent Container Smoke Test

@github-actions

Smoke Project completed successfully. All project operations validated.

@github-actions

Smoke Test Results

Last 2 Merged PRs: #15513, #15512
Queried via GH CLI: #15520, #15519

✅ GitHub MCP
✅ Safe Inputs GH CLI
❌ Serena MCP (not available)
✅ Playwright
✅ File Operations
✅ Bash Tools
✅ Discussion Interaction
✅ Build gh-aw
✅ Workflow Dispatch
✅ PR Review

Overall: PARTIAL PASS (9/10)

cc: @Mossaka @Copilot

AI generated by Smoke Copilot

@github-actions github-actions bot removed the smoke label Feb 13, 2026

@github-actions github-actions bot left a comment


Reviewed permissions changes across workflow files. The removal of unnecessary pull-requests: write permissions follows security best practices. Changes look good! ✅

AI generated by Smoke Copilot for #15518

discussions: write
issues: write
pull-requests: write
outputs:


Removing pull-requests: write permission improves security posture by following least-privilege principle. Good change! 👍

@github-actions

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

PRs (merged):
feat: prefer Announcements category by default for create-discussion (#15513)
Document create-discussion announcement-capable category requirement (#15512)
GitHub MCP: ✅
Serena MCP (activate + find_symbol): ✅
Playwright title check: ✅
File write + bash cat: ✅
Build (make build): ✅
Overall: PASS

AI generated by Smoke Codex

@pelikhan pelikhan merged commit 4956963 into main Feb 13, 2026
1 check passed
@pelikhan pelikhan deleted the copilot/fix-conclusion-job-permissions branch February 13, 2026 23:29

Copilot AI left a comment


Pull request overview

This PR updates workflow compilation to apply least-privilege GitHub job/app-token permissions for the conclusion and consolidated safe_outputs jobs by deriving required scopes from the configured safe-outputs, avoiding unnecessary discussions: write requests that can fail for GitHub App installations without Discussions permission.

Changes:

  • Added computePermissionsForSafeOutputs() to compute minimal permissions from SafeOutputsConfig.
  • Updated buildConclusionJob() and buildConsolidatedSafeOutputsJob() to use computed permissions (and removed redundant merges).
  • Regenerated compiled workflow lock files to reflect the new permission sets.

Reviewed changes

Copilot reviewed 122 out of 122 changed files in this pull request and generated 1 comment.

File Description
pkg/workflow/safe_outputs_permissions.go New helper to compute minimal permissions based on enabled safe-outputs.
pkg/workflow/safe_outputs_permissions_test.go Table-driven tests covering many safe-output permutations and expected permission sets.
pkg/workflow/notify_comment.go Conclusion job now uses computed permissions for both job permissions and GitHub App token scoping.
pkg/workflow/notify_comment_test.go Updates expectations around conclusion job permissions based on configured safe-outputs.
pkg/workflow/compiler_safe_outputs_job.go Consolidated safe_outputs job now uses computed permissions and removes inline permission merges.
.github/workflows/workflow-skill-extractor.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/workflow-normalizer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/workflow-generator.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/weekly-issue-summary.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/video-analyzer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/unbloat-docs.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/ubuntu-image-analyzer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/typist.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/tidy.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/test-project-url-default.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/test-dispatcher.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/test-create-pr-error-handling.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/terminal-stylist.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/technical-doc-writer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/super-linter.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/step-name-alignment.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/static-analysis-report.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/stale-repo-identifier.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/smoke-project.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/smoke-copilot.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/slide-deck-maintainer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/sergo.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/semantic-function-refactor.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/security-compliance.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/schema-consistency-checker.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/safe-output-health.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/research.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/repository-quality-improver.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/repo-tree-map.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/repo-audit-analyzer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/release.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/refiner.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/q.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/python-data-charts.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/prompt-clustering-analysis.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/portfolio-analyst.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/poem-bot.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/plan.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/org-health-report.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/notion-issue-summary.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/mergefest.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/mcp-inspector.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/lockfile-stats.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/layout-spec-maintainer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/jsweep.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/issue-classifier.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/issue-arborist.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/instructions-janitor.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/hourly-ci-cleaner.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/gpclean.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/go-pattern-detector.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/go-logger.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/go-fan.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/glossary-maintainer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/github-remote-mcp-auth-test.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/github-mcp-tools-report.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/github-mcp-structural-analysis.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/functional-pragmatist.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/firewall-escape.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/example-workflow-analyzer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/duplicate-code-detector.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/docs-noob-tester.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/dictation-prompt.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/developer-docs-consolidator.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/dev.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/dependabot-go-checker.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/dependabot-burner.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/delight.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/deep-report.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-workflow-updater.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-testify-uber-super-expert.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-team-status.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-team-evolution-insights.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-syntax-error-quality.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-semgrep-scan.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-secrets-analysis.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-safe-output-optimizer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-repo-chronicle.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-regulatory.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-performance-summary.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-observability-report.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-news.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-multi-device-docs-tester.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-malicious-code-scan.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-issues-report.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-firewall-report.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-file-diet.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-doc-updater.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-copilot-token-report.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-compiler-quality.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-code-metrics.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-cli-tools-tester.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/daily-choice-test.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/craft.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/copilot-session-insights.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/copilot-pr-prompt-analysis.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/copilot-pr-nlp-analysis.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/copilot-pr-merged-report.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/copilot-cli-deep-research.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/copilot-agent-analysis.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/commit-changes-analyzer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/code-simplifier.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/code-scanning-fixer.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/cloclo.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/cli-version-checker.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/cli-consistency-checker.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/claude-code-user-docs-review.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/ci-coach.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/changeset.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/breaking-change-checker.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/bot-detection.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/blog-auditor.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/audit-workflows.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/artifacts-summary.lock.yml Regenerated lock workflow with updated per-job permissions.
.github/workflows/agent-persona-explorer.lock.yml Regenerated lock workflow with updated per-job permissions.


Comment on lines 38 to 44
	// Add GitHub App token minting step if app is configured
	if data.SafeOutputs.App != nil {
		consolidatedSafeOutputsJobLog.Print("Adding GitHub App token minting step")
		// We'll compute permissions after collecting all step requirements
		// Prepend GitHub App token step before other steps
		appTokenSteps := c.buildGitHubAppTokenMintStep(data.SafeOutputs.App, permissions)
		steps = append(steps, appTokenSteps...)
	}

Copilot AI Feb 13, 2026


The GitHub App token minting step is being added twice: once immediately when safeOutputs.App != nil (before setup/artifact download), and again later in the function via the insertion logic that prepends appTokenSteps into steps. This will produce duplicate steps with the same id: safe-outputs-app-token, which breaks the workflow YAML (duplicate step IDs) and can also mint multiple tokens unexpectedly. Keep only one placement strategy (either append once at the correct insertion index, or remove the later insertion block).



Development

Successfully merging this pull request may close these issues.

Conclusion job should not request discussions: write when workflow has no discussion-related safe-outputs
