- Modify shouldAddCheckoutStep to not auto-add contents:read when permissions are explicitly specified without it
- Modify buildMainJob to only auto-add contents:read for empty permissions or when contents is explicitly set to none
- Modify generateCheckoutActionsFolder to skip checkout when permissions don't include contents
- Fixes TestCheckoutOptimization and TestShouldAddCheckoutStep tests
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot fix the tests. contents: read is required always in the action job to checkout .github and .actions folders.
- Update TestLocalActionPermissions to expect no checkout when explicit permissions don't include contents
- Fix test assertions to handle jobs without permissions blocks
- Handle explicit empty permissions {} same as no permissions specified
- All related tests now pass
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Verified build succeeds
- Verified code formatting passes
- Verified linting passes
- All related tests passing: TestCheckoutOptimization, TestShouldAddCheckoutStep, TestLocalActionPermissions, TestExplicitEmptyPermissionsInDevMode
- All workflow integration tests passing
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@copilot the agent job should ALWAYS have contents: read permission. Remove logic. Update tests
Reverted previous changes that made contents:read optional. The agent job ALWAYS needs contents:read permission to checkout .github and .actions folders for:
- Runtime imports (.github/workflows/*.md)
- Custom agents (.agents/)
- Local actions (actions/ folder in dev mode)
Updated test expectations:
- TestCheckoutOptimization: Now expects checkout even without explicit contents permission
- TestShouldAddCheckoutStep: Now expects checkout to be added for .github access
The original compiler logic was correct - it always adds contents:read when using local actions or runtime imports.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in ecc632d. Reverted the changes that made
Removed all conditional logic for adding contents:read permission. The agent job now ALWAYS gets contents:read permission regardless of:
- Action mode (dev/script/release)
- Whether local actions are used
- User-specified permissions
This ensures consistent access to .github and .actions folders for:
- Runtime imports
- Custom agents
- Workflow files
Updated test expectations to reflect unconditional contents:read.
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Done in f669076. Removed all conditional logic - the agent job now ALWAYS gets
Pull request overview
This pull request simplifies the permissions handling logic for agent jobs by unconditionally adding contents: read permission. Previously, the compiler conditionally added this permission based on action mode and whether local actions were present. The new approach recognizes that the agent job always requires contents: read to access .github and .actions folders, regardless of the deployment mode.
Changes:
- Removed conditional permission logic that checked action mode or local actions presence
- Updated agent job to always receive contents: read permission
- Simplified checkout step logic to always add checkout (since contents: read is guaranteed)
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| pkg/workflow/compiler_activation_jobs.go | Simplified permission addition to unconditionally grant contents: read to agent job |
| pkg/workflow/compiler_jobs.go | Simplified shouldAddCheckoutStep to always return true since agent always has contents: read |
| pkg/workflow/permissions_explicit_empty_test.go | Updated test expectations to verify contents: read is added even in release mode with empty permissions |
| pkg/workflow/checkout_optimization_test.go | Updated test expectations to reflect that checkout is always added |
| specs/artifacts.md | Auto-generated documentation file |
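The two permission rules discussed in this thread, modelled side by side as an added Go example (not the project's code; the `Permissions` type and every function name here are hypothetical). Under this model, explicit permissions that omit `contents` are the input on which the reverted conditional rule and the final unconditional rule differ.

```go
package main

import "fmt"

// Permissions is a job-level permissions block (scope -> level).
// nil means the workflow author wrote no permissions block.
type Permissions map[string]string

// rank orders access levels; a missing or unknown level ranks as "none".
var rank = map[string]int{"none": 0, "read": 1, "write": 2}

// clone copies the block so the caller's map is never mutated.
func clone(p Permissions) Permissions {
	out := Permissions{}
	for scope, level := range p {
		out[scope] = level
	}
	return out
}

// conditionalContentsRead models the reverted rule: add contents: read only
// for empty permissions or an explicit contents: none.
func conditionalContentsRead(p Permissions) Permissions {
	out := clone(p)
	if len(p) == 0 || p["contents"] == "none" {
		out["contents"] = "read"
	}
	return out
}

// withContentsRead models the final rule: contents is always at least read.
// Keeping an existing "write" grant is an assumption, not stated on the page.
func withContentsRead(p Permissions) Permissions {
	out := clone(p)
	if rank[out["contents"]] < rank["read"] {
		out["contents"] = "read"
	}
	return out
}

// checkoutAllowed reports whether the job token can read repository contents.
func checkoutAllowed(p Permissions) bool { return rank[p["contents"]] >= rank["read"] }

func main() {
	// Constructed sample: explicit permissions that omit contents.
	user := Permissions{"issues": "write"}
	fmt.Println("conditional:", checkoutAllowed(conditionalContentsRead(user)))
	fmt.Println("unconditional:", checkoutAllowed(withContentsRead(user)))
}
```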
The failing integration tests had incorrect expectations about when contents: read permission should be added. The agent job always requires contents: read to checkout .github and .actions folders.
Changes
- compiler_activation_jobs.go to unconditionally add contents: read to agent job permissions (no longer checks action mode or local actions)
- shouldAddCheckoutStep in compiler_jobs.go to always add checkout (removed complex conditional checks)
- contents: read in all modes including release mode
Why contents:read is Always Required
The agent job needs contents: read permission to access:
- .github/workflows/*.md files for runtime-import
- .agents/ folder for custom agents
- actions/ folder for local actions in dev mode
By removing conditional logic, we ensure:
Behavior
The agent job now unconditionally gets contents: read permission in all modes, regardless of user-specified permissions or whether local actions are used.
Testing