15 changes: 13 additions & 2 deletions pkg/parser/schema_test.go
Expand Up @@ -744,7 +744,7 @@ func TestValidateMainWorkflowFrontmatterWithSchema(t *testing.T) {
errContains: "additional properties 'invalid_prop' not allowed",
},
{
name: "invalid permissions with unsupported repository-projects property",
name: "valid permissions with repository-projects property",
frontmatter: map[string]any{
"on": "push",
"permissions": map[string]any{
Expand All @@ -756,7 +756,18 @@ func TestValidateMainWorkflowFrontmatterWithSchema(t *testing.T) {
"repository-projects": "none",
},
},
wantErr: true,
wantErr: false,
},
{
name: "valid permissions with organization-projects property",
frontmatter: map[string]any{
"on": "push",
"permissions": map[string]any{
"contents": "read",
"organization-projects": "write",
},
},
wantErr: false,
},
{
name: "valid claude engine with network permissions",
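Review bot: Both new table cases only assert acceptance, so nothing here pins that the schema's `enum` for the two project scopes is actually enforced. A negative case next to them would close that gap, for example a constructed entry with `"organization-projects": "admin"` and `wantErr: true`. The `repository-projects` case uses `"none"`; switching it to `"read"` or `"write"` would exercise a level that actually grants access. TestValidateMainWorkflowFrontmatterWithSchema starts and ends outside these hunks, so an equivalent negative case may already exist elsewhere in the table.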
10 changes: 10 additions & 0 deletions pkg/parser/schemas/main_workflow_schema.json
Expand Up @@ -1582,6 +1582,16 @@
"enum": ["read", "write", "none"],
"description": "Permission level for pull requests (read/write/none). Controls access to create, edit, review, and manage pull requests."
},
"repository-projects": {
"type": "string",
"enum": ["read", "write", "none"],
"description": "Permission level for repository projects (read/write/none). Controls access to manage repository-level GitHub Projects boards."
},
"organization-projects": {
"type": "string",
"enum": ["read", "write", "none"],
"description": "Permission level for organization projects (read/write/none). Controls access to manage organization-level GitHub Projects boards."
},
"security-events": {
"type": "string",
"enum": ["read", "write", "none"],
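Review bot: The schema now accepts `organization-projects` alongside `repository-projects`, but nothing visible here says which token the scope ends up on. As far as I know `organization-projects` is a GitHub App permission rather than a key GitHub accepts in a workflow-level `permissions:` block, so it is worth confirming the compiler does not emit it there. Both descriptions also say "Controls access to manage" for all three levels, which overstates what `read` grants; wording such as `read = view projects, write = create and edit, none = no access` would make least-privilege choices easier. The enclosing permissions object starts and ends outside the hunk.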
5 changes: 4 additions & 1 deletion pkg/workflow/permissions.go
Expand Up @@ -44,11 +44,14 @@ func convertStringToPermissionScope(key string) PermissionScope {
return PermissionSecurityEvents
case "statuses":
return PermissionStatuses
case "all":
// "all" is a meta-key handled at the parser level; it is not a real scope
return ""
default:
return ""
}
}()
if scope == "" {
if scope == "" && key != "all" {
permissionsLog.Printf("Unknown permission scope key: %s", key)
}
return scope
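Review bot: The `"all"` exemption is now encoded twice, once as `case "all": return ""` (identical to `default`) and again as `key != "all"` in the guard, and callers still cannot tell the meta-key from an unknown key because both return `""`. The guard alone carries the behaviour, so either drop the case and move its comment onto the guard, or keep the case and make it the only place that suppresses the log. Separately, no `repository-projects` or `organization-projects` case is visible in this hunk; if the switch (which starts outside the hunk) has none, keys the schema now accepts would be logged as unknown and returned as an empty scope, silently dropping a declared permission. The log call would also be safer as `permissionsLog.Printf("Unknown permission scope key: %q", key)`, since `key` comes from workflow frontmatter.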