
Add missing permission scopes to schema and handle all meta-key in scope converter#17951

Merged
pelikhan merged 2 commits intomainfrom
copilot/update-permissions-schema
Feb 23, 2026

Conversation


Copilot AI commented Feb 23, 2026

repository-projects and organization-projects were fully implemented as PermissionScope constants but absent from the JSON schema's permissions object (additionalProperties: false), silently breaking schema validation for any workflow using these scopes. Additionally, convertStringToPermissionScope had no case for all, which is a gh-aw meta-key (not a real GitHub Actions scope) handled upstream in the parser.

Changes

  • pkg/parser/schemas/main_workflow_schema.json — Added repository-projects and organization-projects as valid properties in the permissions object (between pull-requests and security-events)
  • pkg/workflow/permissions.go — Added case "all": to convertStringToPermissionScope that silently returns "" without logging; the all key is already guarded by if key == "all" { continue } in permissions_parser.go so it never reaches this function in practice, but the explicit case documents intent and suppresses spurious log output
  • pkg/parser/schema_test.go — Flipped the repository-projects test case from wantErr: true to wantErr: false; added a new test case covering organization-projects

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
  • https://api.github.com/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build2213377462/b381/cli.test -test.testlogfile=/tmp/go-build2213377462/b381/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Add missing permission scopes to schema and fix unknown all scope handling</issue_title>
<issue_description>## Context

From schema consistency discussion #17876 (2026-02-23 run, finding 6).

Objective

Fix the permissions schema so that all scopes implemented in Go code are also present in the JSON schema, and handle the all scope key gracefully.

Issues to Fix

1. repository-projects and organization-projects missing from schema

  • Files: pkg/workflow/permissions.go:39-42, pkg/parser/schemas/main_workflow_schema.json
  • These two scopes are fully implemented (PermissionRepositoryProj, PermissionOrganizationProj) but absent from the schema which uses additionalProperties: false.
  • Workflows using these scopes fail schema validation even though the runtime handles them correctly.
  • Add both scopes (repository-projects, organization-projects) as valid enum values to the permissions schema.

2. all scope key has no handler in convertStringToPermissionScope

  • File: pkg/workflow/permissions.go:28-47
  • The schema allows an all key (for all: read style permissions) but convertStringToPermissionScope has no case "all": branch.
  • Users who set permissions: all: write get a silent "Unknown permission scope key: all" log with no compilation error.
  • Either add a case "all": handler or remove all from the schema if it is not a valid GitHub Actions permission key.

Files to Modify

  • pkg/parser/schemas/main_workflow_schema.json
  • pkg/workflow/permissions.go

Acceptance Criteria

  • repository-projects and organization-projects are valid properties in the permissions schema
  • Workflows using repository-projects or organization-projects pass schema validation
  • The all scope is either handled in convertStringToPermissionScope or removed from the schema
  • Run make agent-finish with no errors before committing
  • Run make build after schema changes (schemas are embedded via //go:embed)

Generated by Plan Command for issue #discussion #17876

  • expires on Feb 25, 2026, 12:04 PM UTC

Comments on the Issue (you are @copilot in this section)
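The two fixes discussed above (a schema that must list every scope the Go converter accepts, and a converter that treats all as a meta-key rather than an unknown scope) as an added Go example; this is not gh-aw's own code. The PermissionScope constant names, the two schema fragments, and the rule that all: <level> expands to every known scope before explicit keys override it are assumptions made for this example. The part a maintainer would keep is missingFromSchema: a consistency check that catches the original bug (a scope implemented in Go but rejected by an additionalProperties: false schema) in a unit test instead of in a user's failing workflow.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
	"sort"
)

// PermissionScope is a typed GitHub Actions permission scope name. The constant
// names below are assumptions for this example, not gh-aw's own identifiers.
type PermissionScope string

const (
	PermissionActions          PermissionScope = "actions"
	PermissionContents         PermissionScope = "contents"
	PermissionIssues           PermissionScope = "issues"
	PermissionPullRequests     PermissionScope = "pull-requests"
	PermissionRepositoryProj   PermissionScope = "repository-projects"
	PermissionOrganizationProj PermissionScope = "organization-projects"
	PermissionSecurityEvents   PermissionScope = "security-events"
)

// knownScopes is the single source of truth for what the Go side accepts.
var knownScopes = []PermissionScope{
	PermissionActions, PermissionContents, PermissionIssues, PermissionPullRequests,
	PermissionRepositoryProj, PermissionOrganizationProj, PermissionSecurityEvents,
}

// convertStringToPermissionScope maps a YAML key to a scope. The bool reports
// whether the key was recognised. "all" is a meta-key, not a real scope: it is
// recognised but yields no scope, so callers never log it as unknown.
func convertStringToPermissionScope(key string) (PermissionScope, bool) {
	if key == "all" {
		return "", true
	}
	for _, s := range knownScopes {
		if string(s) == key {
			return s, true
		}
	}
	return "", false
}

// parsePermissions expands the "all" meta-key into every known scope, then lets
// explicit keys override it (expansion semantics assumed for this example).
// Unknown keys are logged and skipped, as the PR text describes.
func parsePermissions(raw map[string]string) map[PermissionScope]string {
	out := make(map[PermissionScope]string)
	if level, ok := raw["all"]; ok {
		for _, s := range knownScopes {
			out[s] = level
		}
	}
	for key, level := range raw {
		if key == "all" {
			continue // already expanded; must not reach the converter's log path
		}
		scope, ok := convertStringToPermissionScope(key)
		if !ok {
			log.Printf("Unknown permission scope key: %s", key)
			continue
		}
		out[scope] = level
	}
	return out
}

// missingFromSchema lists scopes the Go code accepts but a closed schema would
// reject. With "additionalProperties": false each one is a silent validation
// failure for users, which is exactly the bug the PR fixed.
func missingFromSchema(schemaJSON []byte, scopes []PermissionScope) ([]string, error) {
	var schema struct {
		Properties struct {
			Permissions struct {
				AdditionalProperties json.RawMessage            `json:"additionalProperties"`
				Properties           map[string]json.RawMessage `json:"properties"`
			} `json:"permissions"`
		} `json:"properties"`
	}
	if err := json.Unmarshal(schemaJSON, &schema); err != nil {
		return nil, fmt.Errorf("parse schema: %w", err)
	}
	perms := schema.Properties.Permissions
	if string(perms.AdditionalProperties) != "false" {
		return nil, nil // absent, true, or a sub-schema: extra keys are tolerated
	}
	var missing []string
	for _, s := range scopes {
		if _, ok := perms.Properties[string(s)]; !ok {
			missing = append(missing, string(s))
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// Constructed schema fragments shaped like the permissions object in the PR:
// brokenSchema omits the two project scopes, fixedSchema lists them.
const brokenSchema = `{"properties":{"permissions":{"type":"object","additionalProperties":false,
 "properties":{"all":{},"actions":{},"contents":{},"issues":{},"pull-requests":{},"security-events":{}}}}}`

const fixedSchema = `{"properties":{"permissions":{"type":"object","additionalProperties":false,
 "properties":{"all":{},"actions":{},"contents":{},"issues":{},"pull-requests":{},
 "repository-projects":{},"organization-projects":{},"security-events":{}}}}}`

func main() {
	missing, err := missingFromSchema([]byte(brokenSchema), knownScopes)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("scopes the broken schema rejects:", missing)
	fmt.Println("parsed:", parsePermissions(map[string]string{"all": "read", "contents": "write"}))
}
```

Running it reports organization-projects and repository-projects as rejected by the broken fragment and nothing for the fixed one; wiring missingFromSchema to the real embedded schema and the real scope list in a test is what keeps the two from drifting apart again.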



… schema, handle all scope

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add missing permission scopes to schema and handle 'all' scope Add missing permission scopes to schema and handle all meta-key in scope converter Feb 23, 2026
@pelikhan pelikhan marked this pull request as ready for review February 23, 2026 18:12
Copilot AI review requested due to automatic review settings February 23, 2026 18:12
@pelikhan pelikhan merged commit a98c64f into main Feb 23, 2026
8 checks passed
@pelikhan pelikhan deleted the copilot/update-permissions-schema branch February 23, 2026 18:15

Copilot AI left a comment


Pull request overview

This PR fixes schema validation failures for workflows using repository-projects and organization-projects permission scopes, and adds defensive handling for the all meta-key in the permission scope converter.

Changes:

  • Added missing repository-projects and organization-projects properties to the permissions object in the JSON schema
  • Added explicit case "all": handler in convertStringToPermissionScope to document intent and suppress spurious log output
  • Updated test case to validate that repository-projects and organization-projects are now accepted by the schema

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File and description:

  • pkg/parser/schemas/main_workflow_schema.json: Added repository-projects and organization-projects as valid permission properties with proper enum values and descriptions
  • pkg/workflow/permissions.go: Added explicit case "all": to return empty string with documentation comment, and updated log condition to exclude "all" key
  • pkg/parser/schema_test.go: Changed repository-projects test from expecting error to expecting success, and added new test case for organization-projects



Development

Successfully merging this pull request may close these issues.

[plan] Add missing permission scopes to schema and fix unknown all scope handling

2 participants