From 4af54413391873c8ae49b09ae64aea5a42eda0ca Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 17:02:38 +0000
Subject: [PATCH 1/2] Initial plan
From 587eee080cc0a57297e898ccbc4e998cc251cf84 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Feb 2026 17:17:50 +0000
Subject: [PATCH 2/2] fix: add repository-projects and organization-projects to permissions schema, handle all scope
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/parser/schema_test.go | 15 +++++++++++++--
 pkg/parser/schemas/main_workflow_schema.json | 10 ++++++++++
 pkg/workflow/permissions.go | 5 ++++-
 3 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/pkg/parser/schema_test.go b/pkg/parser/schema_test.go
index 240ccaefa6..d4d35f4792 100644
--- a/pkg/parser/schema_test.go
+++ b/pkg/parser/schema_test.go
@@ -744,7 +744,7 @@ func TestValidateMainWorkflowFrontmatterWithSchema(t *testing.T) {
 errContains: "additional properties 'invalid_prop' not allowed",
 },
 {
- name: "invalid permissions with unsupported repository-projects property",
+ name: "valid permissions with repository-projects property",
 frontmatter: map[string]any{
 "on": "push",
 "permissions": map[string]any{
@@ -756,7 +756,18 @@ func TestValidateMainWorkflowFrontmatterWithSchema(t *testing.T) {
 "repository-projects": "none",
 },
 },
- wantErr: true,
+ wantErr: false,
+ },
+ {
+ name: "valid permissions with organization-projects property",
+ frontmatter: map[string]any{
+ "on": "push",
+ "permissions": map[string]any{
+ "contents": "read",
+ "organization-projects": "write",
+ },
+ },
+ wantErr: false,
 },
 {
 name: "valid claude engine with network permissions",
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
index 60dc14d800..d46a72dbb7 100644
--- a/pkg/parser/schemas/main_workflow_schema.json
+++ b/pkg/parser/schemas/main_workflow_schema.json
@@ -1582,6 +1582,16 @@
 "enum": ["read", "write", "none"],
 "description": "Permission level for pull requests (read/write/none). Controls access to create, edit, review, and manage pull requests."
 },
+ "repository-projects": {
+ "type": "string",
+ "enum": ["read", "write", "none"],
+ "description": "Permission level for repository projects (read/write/none). Controls access to manage repository-level GitHub Projects boards."
+ },
+ "organization-projects": {
+ "type": "string",
+ "enum": ["read", "write", "none"],
+ "description": "Permission level for organization projects (read/write/none). Controls access to manage organization-level GitHub Projects boards."
+ },
 "security-events": {
 "type": "string",
 "enum": ["read", "write", "none"],
diff --git a/pkg/workflow/permissions.go b/pkg/workflow/permissions.go
index bad5b59809..e2aaeb6597 100644
--- a/pkg/workflow/permissions.go
+++ b/pkg/workflow/permissions.go
@@ -44,11 +44,14 @@ func convertStringToPermissionScope(key string) PermissionScope {
 return PermissionSecurityEvents
 case "statuses":
 return PermissionStatuses
+ case "all":
+ // "all" is a meta-key handled at the parser level; it is not a real scope
+ return ""
 default:
 return ""
 }
 }()
- if scope == "" {
+ if scope == "" && key != "all" {
 permissionsLog.Printf("Unknown permission scope key: %s", key)
 }
 return scope
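Review bot: The schema in this commit starts accepting `repository-projects` and `organization-projects`, yet this hunk adds only the `"all"` case to `convertStringToPermissionScope`; the switch begins above the hunk, so if those two keys are not already mapped there, a frontmatter permission that passes validation would come back as `""` and be logged as unknown. That is worth confirming, and a table test that runs every permission key from the schema through the converter would keep the two from drifting. The `"all"` exemption is also written twice, as `case "all": return ""` (the same result as `default`) and as `key != "all"` in the log guard; keeping only the guard, with the comment `// "all" is a meta-key expanded by the parser, not a scope` above it, leaves one place to maintain. If `key` arrives unmodified from workflow frontmatter, `permissionsLog.Printf("Unknown permission scope key: %q", key)` would keep empty keys and embedded control characters visible in the log instead of letting them reshape the line.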