
Add allow-workflows field for GitHub App workflows:write permission on safe-outputs #25776

Closed
Copilot wants to merge 7 commits into main from copilot/fix-auto-infer-permission-workflows

Contributor

Copilot AI commented Apr 11, 2026

When allowed-files targets .github/workflows/ paths, pushing requires workflows:write — a GitHub App-only permission the compiler never inferred. Users resorted to fragile sed injection post-compile.

Changes

  • New field allow-workflows: bool on create-pull-request and push-to-pull-request-branch configs
  • Permission computation: ComputePermissionsForSafeOutputs adds workflows: write when enabled (respects staged mode)
  • Compile-time validation: errors if allow-workflows: true without a valid safe-outputs.github-app (checks app-id and private-key are non-empty)
  • Schema + docs: JSON schema updated for both handlers; new section in safe-outputs-pull-requests.md; frontmatter-full.md regenerated

Usage

safe-outputs:
  github-app:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
  create-pull-request:
    allow-workflows: true
    allowed-files:
      - ".github/workflows/*.lock.yml"
    protected-files: allowed

The field is intentionally explicit rather than auto-inferred from allowed-files patterns, per maintainer guidance — this keeps the elevated permission visible and auditable.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

    • Triggering command: /tmp/go-build204504374/b397/cli.test /tmp/go-build204504374/b397/cli.test -test.testlogfile=/tmp/go-build204504374/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE tions/setup/nodeGOMODCACHE GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /tmp/go-build2790574799/b397/cli.test /tmp/go-build2790574799/b397/cli.test -test.testlogfile=/tmp/go-build2790574799/b397/testlog.txt -test.paniconexit0 -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true /usr/bin/git -m l 1/x64/bin/node git rev-�� --show-toplevel 1/x64/bin/node /usr/bin/git /tmp/gh-aw-test-git remote /usr/bin/git git (http block)
    • Triggering command: /tmp/go-build3561964861/b370/cli.test /tmp/go-build3561964861/b370/cli.test -test.testlogfile=/tmp/go-build3561964861/b370/testlog.txt -test.paniconexit0 -test.parallel=4 -test.timeout=5m0s -test.short=true git /usr/bin/git 3131-51406/test-git l /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link /usr/bin/git /tmp/go-build279git -importcfg /usr/bin/git git (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE ache/go/1.25.8/xGOMODCACHE GOINSECURE GOMOD GOMODCACHE go tion�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel git /usr/bin/git --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel git /usr/bin/git --show-toplevel git /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel node /usr/bin/git /tmp/TestHashStagit git /opt/hostedtoolc--show-toplevel git (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch --show-toplevel git 1/x64/bin/node --show-toplevel git /usr/bin/git git t-ha�� vaScript2274744515/001/test-complex-frontmatter---thin git 1/x64/bin/node --show-toplevel git /usr/bin/git infocmp (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI and others added 2 commits April 11, 2026 10:41
…sion on safe-outputs

When allowed-files targets .github/workflows/ paths, pushing changes requires
the workflows permission which is GitHub App-only. Add explicit allow-workflows
boolean field to create-pull-request and push-to-pull-request-branch configs.

When allow-workflows: true:
- Adds workflows: write to the GitHub App token permissions
- Validates that safe-outputs.github-app is configured (errors if missing)

Closes #16232

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/504ba8f5-709f-4fc3-866f-9b24f08afb21

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Check GitHubApp.AppID and PrivateKey are non-empty (not just non-nil)
- Use strings.Join(handlers, ", ") in error message for multi-handler case
- Add test for empty GitHubApp config scenario

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/504ba8f5-709f-4fc3-866f-9b24f08afb21

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix compiler to auto-infer workflows permission on GitHub App tokens Add allow-workflows field for GitHub App workflows:write permission on safe-outputs Apr 11, 2026
Copilot AI requested a review from pelikhan April 11, 2026 10:45
@pelikhan pelikhan marked this pull request as ready for review April 11, 2026 10:46
Copilot AI review requested due to automatic review settings April 11, 2026 10:46
Contributor

Copilot AI left a comment

Pull request overview

Adds an explicit allow-workflows: bool flag to safe-outputs PR-related handlers so users can intentionally request the GitHub App–only workflows:write permission when their allowlist targets .github/workflows/** paths.

Changes:

  • Introduces allow-workflows on create-pull-request and push-to-pull-request-branch configs and wires it into safe-outputs permission computation (respects staged mode).
  • Adds compile-time validation that allow-workflows: true requires a non-empty safe-outputs.github-app (app-id + private-key).
  • Updates JSON schema + docs, and adds unit tests covering parsing/validation/permission emission.
Summary per file:

| File | Description |
| --- | --- |
| pkg/workflow/safe_outputs_validation.go | Adds validation enforcing GitHub App configuration when allow-workflows: true. |
| pkg/workflow/safe_outputs_permissions.go | Adds workflows: write to computed permissions when allow-workflows is enabled (non-staged). |
| pkg/workflow/safe_outputs_allow_workflows_test.go | New tests for permission computation, validation behavior, parsing, and compiled output. |
| pkg/workflow/push_to_pull_request_branch.go | Adds AllowWorkflows field and parses allow-workflows from config. |
| pkg/workflow/create_pull_request.go | Adds AllowWorkflows field to config struct (unmarshal handles parsing). |
| pkg/workflow/compiler.go | Hooks the new validation into compile-time workflow validation. |
| pkg/parser/schemas/main_workflow_schema.json | Adds allow-workflows to both safe-outputs PR handler schemas (plus regenerated description formatting). |
| docs/src/content/docs/reference/safe-outputs-pull-requests.md | Documents allow-workflows usage/intent and GitHub App-only requirement. |
| docs/src/content/docs/reference/frontmatter-full.md | Regenerated reference output including the new field and other schema-driven updates. |

Copilot's findings

  • Files reviewed: 9/9 changed files
  • Comments generated: 1

Comment on lines +342 to +353
return fmt.Errorf(
"safe-outputs.%s: allow-workflows: true requires a GitHub App to be configured.\n"+
"The workflows permission is a GitHub App-only permission and cannot be granted via GITHUB_TOKEN.\n\n"+
"Add a GitHub App configuration to safe-outputs:\n\n"+
"safe-outputs:\n"+
" github-app:\n"+
" app-id: ${{ vars.APP_ID }}\n"+
" private-key: ${{ secrets.APP_PRIVATE_KEY }}\n"+
" %s:\n"+
" allow-workflows: true",
strings.Join(handlers, ", "), handlers[0],
)
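
Review bot: `handlers[0]` on the argument line (`strings.Join(handlers, ", "), handlers[0],`) is indexed with no length check visible in these lines, so this error path would itself panic if it were reached with an empty `handlers` slice; guard on `len(handlers) > 0` before the return or document the precondition next to it. The sample YAML embedded in the message is also built from the first handler only while the prefix names every handler, so the text can point a user at one block when two need the same fix.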

Copilot AI Apr 11, 2026

The error prefix uses strings.Join(handlers, ", ") in "safe-outputs.%s: ...", which can produce an invalid/ambiguous path like safe-outputs.create-pull-request, push-to-pull-request-branch. Consider reporting a single concrete config path (e.g. safe-outputs.<handler>.allow-workflows) and mentioning the full handler list elsewhere in the message, or emitting one error per handler for clearer attribution.

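
The validation and permission rules summarised in this review, as an added Go sketch that is not gh-aw's own code: it reports one error per handler under a concrete `safe-outputs.<handler>.allow-workflows` path, as the finding suggests, and adds `workflows: write` only for non-staged handlers. The types, function names and the per-handler `Staged` flag are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical, simplified stand-ins for the safe-outputs config.
// These are not gh-aw's real types.
type GitHubApp struct {
	AppID      string
	PrivateKey string
}

type Handler struct {
	AllowWorkflows bool
	Staged         bool // assumption: staged mode modelled per handler
}

type SafeOutputs struct {
	GitHubApp *GitHubApp
	Handlers  map[string]*Handler // keyed by handler name, e.g. "create-pull-request"
}

// appConfigured reports whether a usable GitHub App block is present:
// non-nil, with both app-id and private-key non-empty.
func appConfigured(app *GitHubApp) bool {
	return app != nil && app.AppID != "" && app.PrivateKey != ""
}

// ValidateAllowWorkflows returns one error per handler that sets
// allow-workflows: true without a usable GitHub App. Each error starts with a
// single concrete config path, so the message never joins handler names.
func ValidateAllowWorkflows(so *SafeOutputs) []error {
	if so == nil || appConfigured(so.GitHubApp) {
		return nil
	}
	names := make([]string, 0, len(so.Handlers))
	for name, h := range so.Handlers {
		if h != nil && h.AllowWorkflows {
			names = append(names, name)
		}
	}
	sort.Strings(names) // map order is random; sort for stable compiler output
	var errs []error
	for _, name := range names {
		errs = append(errs, fmt.Errorf(
			"safe-outputs.%s.allow-workflows: true requires safe-outputs.github-app "+
				"with non-empty app-id and private-key; the workflows permission "+
				"cannot be granted via GITHUB_TOKEN", name))
	}
	return errs
}

// ComputePermissions returns the extra GitHub App token permissions.
// workflows: write is added only when a non-staged handler opts in.
func ComputePermissions(so *SafeOutputs) map[string]string {
	perms := map[string]string{}
	if so == nil {
		return perms
	}
	for _, h := range so.Handlers {
		if h != nil && h.AllowWorkflows && !h.Staged {
			perms["workflows"] = "write"
		}
	}
	return perms
}

func main() {
	// Constructed sample: both handlers opt in, but the App block is empty.
	so := &SafeOutputs{
		GitHubApp: &GitHubApp{},
		Handlers: map[string]*Handler{
			"create-pull-request":         {AllowWorkflows: true},
			"push-to-pull-request-branch": {AllowWorkflows: true, Staged: true},
		},
	}
	for _, err := range ValidateAllowWorkflows(so) {
		fmt.Println(err)
	}
	fmt.Println(ComputePermissions(so))
}
```
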
@github-actions
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

Excellent test quality

| Metric | Value |
| --- | --- |
| New/modified tests analyzed | 6 |
| ✅ Design tests (behavioral contracts) | 6 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 6 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | Yes (335 test lines vs ~74 production lines, ~4.5:1) |
| 🚨 Coding-guideline violations | 0 |

Test Classification Details

📋 All 6 tests

| Test | File | Classification | Notes |
| --- | --- | --- | --- |
| TestAllowWorkflowsPermission | pkg/workflow/safe_outputs_allow_workflows_test.go:18 | ✅ Design | Table-driven; includes staged=true edge case (no workflows write when staged) |
| TestAllowWorkflowsValidationRequiresGitHubApp | pkg/workflow/safe_outputs_allow_workflows_test.go:94 | ✅ Design | Table-driven; covers nil, missing app, empty app config, correct config |
| TestAllowWorkflowsParsing | pkg/workflow/safe_outputs_allow_workflows_test.go:185 | ✅ Design | End-to-end parse from markdown; verifies AllowWorkflows and AllowedFiles parsed correctly |
| TestAllowWorkflowsParsingPushToPullRequestBranch | pkg/workflow/safe_outputs_allow_workflows_test.go:222 | ✅ Design | End-to-end parse for push-to-pr-branch handler |
| TestAllowWorkflowsAppTokenPermission | pkg/workflow/safe_outputs_allow_workflows_test.go:258 | ✅ Design | Verifies compiled YAML step contains permission-workflows: write |
| TestAllowWorkflowsCompileErrorWithoutGitHubApp | pkg/workflow/safe_outputs_allow_workflows_test.go:298 | ✅ Design | Full compile pipeline; asserts error when allow-workflows lacks GitHub App |

Flagged Tests — Minor Issues

⚠️ Minor: Bare require.NoError calls without assertion messages (safe_outputs_allow_workflows_test.go lines 322, 328, 329)

Classification: Guideline note (not a hard violation — affects setup-only calls)
Issue: Three setup-only assertions lack the descriptive message argument required by project guidelines:

require.NoError(t, os.MkdirAll(workflowsDir, 0755))   // line 322 — no message
require.NoError(t, err)                                 // line 328 — no message
require.NoError(t, os.Chdir(tmpDir))                   // line 329 — no message

Suggested improvement: Add short messages like "Failed to create workflows dir", "Failed to get working dir", "Failed to chdir to tmpDir". This makes failure output immediately actionable.


Test Inflation Note

The test file adds 335 lines while the production code it covers adds ~74 lines across 5 files (~4.5:1 ratio, exceeding the 2:1 threshold). This is a mechanical flag, not a real concern here: the extra lines come from well-structured table-driven test cases with meaningful row names and inline struct literals — exactly the pattern the project guidelines recommend. The inflation reflects thoroughness, not waste.


Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 6 tests — unit (//go:build !integration ✅)
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). All 6 tests verify observable behavioral contracts — permission computation, validation rules, frontmatter parsing, and end-to-end compilation output. No coding-guideline violations detected.


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

🧪 Test quality analysis by Test Quality Sentinel · ● 509.6K ·

Contributor

@github-actions github-actions bot left a comment

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). All 6 tests verify behavioral contracts. No coding-guideline violations detected.

Generated by Design Decision Gate workflow: documents the decision to
use an explicit allow-workflows field rather than auto-inferring
workflows:write from allowed-files patterns.
@github-actions
Contributor

Commit pushed: a2f1585

🏗️ ADR gate enforced by Design Decision Gate 🏗️

@github-actions
Contributor

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (411+ new lines in pkg/) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/0002-explicit-opt-in-allow-workflows-permission.md

The draft captures the central design decision: why allow-workflows is an explicit opt-in rather than auto-inferred from allowed-files patterns. This is already stated in the PR body ("intentionally explicit rather than auto-inferred... this keeps the elevated permission visible and auditable") — the ADR formalizes that rationale for future readers.

What to do next

  1. Review the draft ADR committed to your branch
  2. Complete the missing sections — verify the alternatives reflect what was actually considered, and add any context the AI couldn't infer (e.g., prior incidents, stakeholder constraints)
  3. Commit the finalized ADR to docs/adr/ on your branch (or it's already there if the draft is sufficient)
  4. Reference the ADR in this PR body by adding a line such as:

    ADR: ADR-0002: Explicit Opt-In for GitHub App workflows:write Permission

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.


📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

  • Context — What is the problem? What forces are at play?
  • Decision — What did you decide? Why?
  • Alternatives Considered — What else could have been done?
  • Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as numbered Markdown files (e.g., 0002-explicit-opt-in-allow-workflows-permission.md).

🔒 This PR has been marked as requesting changes. It cannot merge until an ADR is linked in the PR body.

Note

🔒 Integrity filter blocked 1 item

The following item was blocked because it doesn't meet the GitHub integrity level.

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 214.8K ·

Contributor

@github-actions github-actions bot left a comment

This PR requires an Architecture Decision Record (ADR) before it can merge. It introduces 411+ new lines in pkg/ covering a new allow-workflows permission field, compile-time validation, and permission computation logic — all of which involve explicit design choices that warrant documentation.

A draft ADR has been generated and committed to your branch at docs/adr/0002-explicit-opt-in-allow-workflows-permission.md. Please review, finalize, and link it in the PR body. See the comment above for instructions.

@pelikhan
Collaborator

@copilot merge main, recompile, fix conflicts, review comments

Copilot AI and others added 2 commits April 11, 2026 11:04
…r-permission-workflows

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Use safe-outputs.<handler>.allow-workflows instead of ambiguous joined
handler list in the error prefix. Also merged main and recompiled.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/81963750-4256-4d7a-909b-0741ecff190c

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 11, 2026

@copilot merge main, recompile, fix conflicts, review comments

Done in 10fb324 — merged main, recompiled all 187 workflows (no conflicts), and fixed the review comment about the ambiguous error prefix (now uses safe-outputs.<handler>.allow-workflows instead of a joined handler list).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Collaborator

@copilot merge main and recompile

…r-permission-workflows

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Contributor Author

Copilot AI commented Apr 11, 2026

@copilot merge main and recompile

Done in afca62e — merged main (no conflicts), rebuilt, and recompiled all 187 workflows successfully.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI added a commit that referenced this pull request Apr 11, 2026
…sion on safe-outputs (#25776)

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/68aaa733-6049-46fd-9e04-278b12b3a09b

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
pelikhan pushed a commit that referenced this pull request Apr 11, 2026
@pelikhan pelikhan closed this Apr 11, 2026
github-actions bot added a commit that referenced this pull request Apr 13, 2026
Add three new glossary entries and update one existing entry based on
changes from the past 7 days:

- Add 'Allow Workflows (allow-workflows:)' — opt-in field for workflow
  file changes via GitHub App token (PR #25776/#25817)
- Add 'Allowed Events (allowed-events:)' — review event type filter for
  submit-pull-request-review (PR #25484)
- Add 'Effective Tokens' — weighted token count for cost estimation,
  referenced across audit, cost-management, and footers docs
- Update 'Integrity Filtering' to mention trusted-users field
  (PR #25545 documented all integrity-filtering inputs)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions bot deleted the copilot/fix-auto-infer-permission-workflows branch April 19, 2026 02:59

Development

Successfully merging this pull request may close these issues.

Compiler does not auto-infer workflows: write on GitHub App tokens when allowed-files targets .github/workflows/

3 participants