
Conclusion job should not request discussions: write when workflow has no discussion-related safe-outputs #15516

@benvillalobos

Description

Filed by AI

Problem

The compiled `.lock.yml` conclusion job always requests `discussions: write` permission — both in the job's `permissions:` block and via `permission-discussions: write` on the GitHub App token step — even when the workflow has no discussion-related safe-outputs configured (e.g., no `create-discussion`, `close-discussion`, `update-discussion`).

This causes a 422 error when the GitHub App installation doesn't have the Discussions permission granted:

RequestError [HttpError]: The permissions requested are not granted to this installation.

Additionally, `permission-discussions` is flagged as an unexpected input by `actions/create-github-app-token@v2.2.1`:

##[warning]Unexpected input(s) 'permission-discussions', valid inputs are [...]

Reproduction

  1. Create a workflow with only issue/label-related safe-outputs (no discussions):

```yaml
---
on:
  workflow_dispatch:
permissions:
  contents: read
  issues: read
tools:
  github:
    toolsets: [issues]
    read-only: true
    app:
      app-id: ${{ secrets.APP_ID }}
      private-key: ${{ secrets.APP_PRIVATE_KEY }}
      owner: 'myorg'
      repositories: ['myrepo']
safe-outputs:
  app:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
    owner: 'myorg'
    repositories: ['myrepo']
  add-labels:
    max: 5
  remove-labels:
    allowed: ["triage-needed"]
    max: 2
  assign-to-user:
    max: 1
---
# My Workflow
Do something with issues only.
```

  2. Compile: `gh aw compile`
  3. Observe the generated conclusion job in `.lock.yml`:

```yaml
  conclusion:
    permissions:
      contents: read
      discussions: write    # <-- not needed
      issues: write
      pull-requests: write
    steps:
      - name: Generate GitHub App token
        uses: actions/create-github-app-token@...
        with:
          permission-discussions: write   # <-- not needed, also not a valid input
```

  4. Run the workflow — the conclusion job fails at the token step if the GitHub App doesn't have Discussions permission.

Expected Behavior

The conclusion job should only request permissions that are actually needed based on the workflow's configured safe-outputs. If no discussion-related safe-outputs are configured, `discussions: write` should not be included in either the job permissions or the app token request.

Actual Behavior

`discussions: write` is unconditionally added to every conclusion job regardless of whether any discussion-related safe-outputs are configured.

Environment

  • gh-aw version: v0.43.9 and v0.43.21 (both affected)
  • actions/create-github-app-token: v2.2.1

Additional Context
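The least-privilege derivation the Expected Behavior section asks for, sketched as an added Go example that is not gh-aw's own code: the write scopes for the conclusion job are computed from the configured safe-outputs keys, and both the `permissions:` block and the token-step inputs are rendered from that one list. The safe-output-to-scope table is constructed for the example, and the `permission-<scope>` input naming is assumed to be what the token action accepts.

```go
package main

import (
	"fmt"
	"sort"
)

// Write scope each safe-output needs. Constructed for this example, not gh-aw's own table.
var safeOutputScopes = map[string]string{
	"add-labels": "issues", "remove-labels": "issues", "assign-to-user": "issues",
	"create-issue": "issues", "add-comment": "issues",
	"create-discussion": "discussions", "close-discussion": "discussions", "update-discussion": "discussions",
	"create-pull-request": "pull-requests",
}

// WriteScopes returns the sorted set of write scopes implied by the configured
// safe-outputs keys. Unknown keys are an error rather than a silent fallback, so a
// new output type can never inherit a broad default such as discussions: write.
func WriteScopes(safeOutputs []string) ([]string, error) {
	set := map[string]bool{}
	for _, key := range safeOutputs {
		if key == "app" { // token configuration under safe-outputs:, not an output
			continue
		}
		scope, ok := safeOutputScopes[key]
		if !ok {
			return nil, fmt.Errorf("unknown safe-output %q", key)
		}
		set[scope] = true
	}
	scopes := make([]string, 0, len(set))
	for s := range set {
		scopes = append(scopes, s)
	}
	sort.Strings(scopes)
	return scopes, nil
}

// RenderConclusion emits the job permissions and the app-token step inputs from the
// same scope list, so the two can never disagree; contents: read is always kept.
func RenderConclusion(scopes []string) string {
	perms := "permissions:\n  contents: read\n"
	inputs := "with:\n"
	for _, s := range scopes {
		perms += fmt.Sprintf("  %s: write\n", s)
		inputs += fmt.Sprintf("  permission-%s: write\n", s) // assumed input name
	}
	return perms + inputs
}
```

For the issue's configuration (`app`, `add-labels`, `remove-labels`, `assign-to-user`) the only derived scope is `issues`, so no `discussions: write` or `permission-discussions` line is produced.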
