
[audit] Critical: Audit Workflow Cannot Execute - Permissions Stripped During Compilation #1340


🔍 Agentic Workflow Audit Report - 2025-10-08

🚨 Critical Finding

The audit workflow cannot execute its intended function because the compilation step drops the permissions block from the workflow definition, leaving the job with no usable API access.

Audit Summary

  • Period: Unable to complete - blocked by permissions issue
  • Run ID: 18329959236
  • Workflows Analyzed: 0 (unable to collect data)
  • Critical Issues Found: 1
  • Status: ❌ BLOCKED

Critical Issue: Missing Permissions

Problem Description

The audit workflow is defined in .github/workflows/audit-workflows.md with the following permissions:

permissions:
  contents: read
  actions: read

However, after compilation by gh-aw compile, the resulting .github/workflows/audit-workflows.lock.yml file contains:

permissions: {}

Location in compiled file: Line 12 of audit-workflows.lock.yml

Impact

Without these permissions, the audit workflow:

  • ❌ Cannot access GitHub Actions API
  • ❌ Cannot download workflow run logs via gh CLI
  • ❌ Cannot read workflow run data or artifacts
  • ❌ Cannot perform any meaningful audit analysis

Errors Encountered

  1. GitHub CLI Authentication Failure:

    ./gh-aw logs --start-date -1d -o ./audit-logs --verbose
    error: GitHub CLI authentication required. Run 'gh auth login' first
    
  2. GitHub API 403 Forbidden:

    GET https://api.github.com/user: 403 Resource not accessible by integration
    

Both errors are consistent with the job having no usable GITHUB_TOKEN. With permissions: {} GitHub still issues the token, but with every scope set to none, so Actions API calls are refused and the gh CLI reports no authentication unless that token is exported to it as GH_TOKEN. One caveat on the second error: GET /user is not available to any GITHUB_TOKEN, because it is an app installation token with no user identity, so that particular 403 would appear even with the correct permissions. A call to the Actions API (for example, listing workflow runs for the repository) is the conclusive check.

Root Cause Analysis

The gh-aw compile command appears to drop the permissions field from the source .md frontmatter, or fails to carry it into the generated .lock.yml file.

Source file (.github/workflows/audit-workflows.md):

  • ✅ Contains permissions.contents: read
  • ✅ Contains permissions.actions: read

Compiled file (.github/workflows/audit-workflows.lock.yml):

  • ❌ Contains permissions: {} (empty)

Recommendations

1. CRITICAL - Fix Compilation Process (Priority: P0)

Investigate and fix the gh-aw compile command to:

  • Preserve permissions fields from source .md files
  • Copy them correctly to compiled .lock.yml files
  • Add validation to ensure required permissions are not stripped

Files to investigate:

  • Compilation logic in gh-aw CLI
  • YAML processing/generation code
  • Workflow template handling

2. HIGH - Test Other Workflows (Priority: P1)

Check if other compiled workflows are also affected:

  • artifacts-summary.lock.yml
  • brave.lock.yml
  • changeset-generator.lock.yml
  • ci-doctor.lock.yml
  • cli-version-checker.lock.yml
  • And others...

Run the following to audit all compiled workflows:

    grep -A2 "^permissions:" .github/workflows/*.lock.yml

Note that -A2 prints at most two scope lines after each match, so raise it for workflows that declare more than two scopes, and that the anchored pattern only finds a column-0 permissions key, not job-level overrides.

3. MEDIUM - Add Compilation Validation (Priority: P2)

Enhance the compilation process to:

  • Validate that compiled workflows preserve critical fields
  • Warn or error if permissions are missing when they were specified in source
  • Add tests to prevent regression
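The two recommendations above (auditing every compiled workflow for dropped permissions, and validating that compilation preserves them) can be done with one check. The following is an added example written for this report, not part of the gh-aw CLI: it pairs each .md source with its .lock.yml, extracts the top-level permissions block from both, and reports scopes the source grants that the compiled file does not. The file names, cron schedule and frontmatter layout in the sample inputs are constructed for illustration, and the parser understands only the forms GitHub Actions accepts for that block ({}, read-all/write-all, or the nested scope map) so that it runs without PyYAML.

```python
"""Compare source vs compiled `permissions:` across gh-aw workflows.

Added illustration code, not the gh-aw CLI's own logic. Like the grep on this
page it only looks at a column-0 `permissions:` key (job-level overrides are
not considered). Assumed layout: .github/workflows/<name>.md compiles to
.github/workflows/<name>.lock.yml.
"""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

_HEADER = re.compile(r"^permissions:\s*(.*?)\s*$")
_SCOPE = re.compile(r"^\s+([a-z-]+):\s*(read|write|none)\s*$")
_RANK = {"none": 0, "read": 1, "write": 2}


def parse_permissions(text: str) -> Optional[Dict[str, str]]:
    """Return the top-level permissions map, or None if the key is absent.

    `permissions: {}` -> {}; `permissions: read-all` -> {"*": "read"};
    a nested map -> {"contents": "read", ...}.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _HEADER.match(line)
        if not m:
            continue
        inline = m.group(1)
        if inline == "{}":
            return {}
        if inline in ("read-all", "write-all"):
            return {"*": inline.split("-")[0]}
        if inline:
            raise ValueError(f"unsupported permissions value: {inline!r}")
        scopes: Dict[str, str] = {}
        for nxt in lines[i + 1:]:  # consume the indented scope lines
            sm = _SCOPE.match(nxt)
            if not sm:
                break
            scopes[sm.group(1)] = sm.group(2)
        return scopes
    return None


def missing_scopes(source: Optional[Dict[str, str]],
                   compiled: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Scopes the source grants that the compiled file grants less strongly.

    An absent block (None) and an empty block ({}) both grant nothing,
    which is exactly the failure described in this issue.
    """
    if not source:
        return {}
    compiled = compiled or {}
    missing = {}
    for scope, level in source.items():
        granted = compiled.get(scope, compiled.get("*", "none"))
        if _RANK[granted] < _RANK[level]:
            missing[scope] = level
    return missing


def audit_pairs(pairs: Dict[str, Tuple[str, str]]) -> Dict[str, Dict[str, str]]:
    """pairs: name -> (source .md text, compiled .lock.yml text).
    Returns only the workflows whose compiled file dropped something."""
    findings = {}
    for name, (src, lock) in pairs.items():
        dropped = missing_scopes(parse_permissions(src), parse_permissions(lock))
        if dropped:
            findings[name] = dropped
    return findings


def audit_workflows_dir(workflows_dir: str = ".github/workflows") -> Dict[str, Dict[str, str]]:
    """Pair every <name>.md with <name>.lock.yml in the directory and audit them."""
    d = Path(workflows_dir)
    pairs = {}
    for md in sorted(d.glob("*.md")):
        lock = d / f"{md.stem}.lock.yml"
        if lock.exists():
            pairs[md.stem] = (md.read_text(), lock.read_text())
    return audit_pairs(pairs)


# Constructed sample inputs modelled on the files named in this issue.
SAMPLE_SOURCE = """---
on:
  schedule:
    - cron: "0 9 * * *"
permissions:
  contents: read
  actions: read
---
# Audit agent instructions would follow here.
"""

SAMPLE_LOCK_STRIPPED = """name: audit-workflows
on:
  schedule:
    - cron: "0 9 * * *"
permissions: {}
jobs:
  audit:
    runs-on: ubuntu-latest
"""

SAMPLE_LOCK_PRESERVED = SAMPLE_LOCK_STRIPPED.replace(
    "permissions: {}", "permissions:\n  contents: read\n  actions: read")


def demo() -> Dict[str, Dict[str, str]]:
    """Audit the constructed samples; only the stripped workflow is reported."""
    return audit_pairs({
        "audit-workflows": (SAMPLE_SOURCE, SAMPLE_LOCK_STRIPPED),
        "ci-doctor": (SAMPLE_SOURCE, SAMPLE_LOCK_PRESERVED),
    })


if __name__ == "__main__":
    for name, dropped in demo().items():
        print(f"{name}.lock.yml dropped: {dropped}")
```

Wired into CI as a step that fails when audit_workflows_dir() returns anything, this doubles as the regression test the third recommendation asks for; comparing by rank rather than equality also means a compiled file that widens a scope (read to write) is not flagged as a drop, which is a separate review concern.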

4. MEDIUM - Temporary Workaround (Priority: P2)

Until the compilation issue is fixed, consider:

  • Manually editing audit-workflows.lock.yml to add the permissions (note that the next gh-aw compile regenerates the file and will discard the edit)
  • Running the audit agent manually with proper authentication
  • Using a different approach to collect workflow data

Historical Context

This is the first audit run (Run #1). The audit agent has been unable to complete its intended function due to this critical issue.

Cache Memory Updated:

  • /tmp/cache-memory/audits/2025-10-08.json - Full audit findings
  • /tmp/cache-memory/audits/index.json - Audit index
  • /tmp/cache-memory/patterns/errors.json - Error patterns database

Next Steps

  • Fix gh-aw compile to preserve permissions from source files
  • Test fix with audit-workflows.md
  • Audit all other compiled workflows for similar issues
  • Add regression tests for permission preservation
  • Re-run audit workflow after fix to verify it can collect logs
  • Update cache memory tracking with successful audit data

Success Metrics

Once fixed, the audit workflow should be able to:

  • ✅ Authenticate with GitHub API using workflow token
  • ✅ Download workflow run logs from the past 24 hours
  • ✅ Analyze logs for errors, missing tools, and patterns
  • ✅ Generate actionable reports
  • ✅ Track trends over time in cache memory

Audit Agent Status: ⚠️ Unable to perform full audit due to critical permissions issue
Next Audit: 2025-10-09 (after fix is applied)
Generated: 2025-10-08 via Run #18329959236

🤖 Generated with Claude Code by the Agentic Workflow Audit Agent
