diff --git a/.changeset/patch-fix-detection-job-permissions.md b/.changeset/patch-fix-detection-job-permissions.md
new file mode 100644
index 0000000000..5ef9953991
--- /dev/null
+++ b/.changeset/patch-fix-detection-job-permissions.md
@@ -0,0 +1,5 @@
+---
+"gh-aw": patch
+---
+
+Ensure the detection job requests `contents: read` whenever it injects `actions/checkout`, matching the existing agent job permissions.
diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml
index 53a0fccd83..ffda5dd375 100644
--- a/.github/workflows/agent-performance-analyzer.lock.yml
+++ b/.github/workflows/agent-performance-analyzer.lock.yml
@@ -1099,7 +1099,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml
index 29dd87d1d3..7223218a28 100644
--- a/.github/workflows/agent-persona-explorer.lock.yml
+++ b/.github/workflows/agent-persona-explorer.lock.yml
@@ -970,7 +970,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml
index 96e1c159c2..030f3aa22a 100644
--- a/.github/workflows/archie.lock.yml
+++ b/.github/workflows/archie.lock.yml
@@ -926,7 +926,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml
index ca5c3227fe..ccbe05b6aa 100644
--- a/.github/workflows/artifacts-summary.lock.yml
+++ b/.github/workflows/artifacts-summary.lock.yml
@@ -882,7 +882,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml
index adee5838a7..5149bbfe32 100644
--- a/.github/workflows/audit-workflows.lock.yml
+++ b/.github/workflows/audit-workflows.lock.yml
@@ -1146,7 +1146,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml
index f6d63af478..b76b32c901 100644
--- a/.github/workflows/auto-triage-issues.lock.yml
+++ b/.github/workflows/auto-triage-issues.lock.yml
@@ -933,7 +933,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml
index 9b8af53a49..8b9942a751 100644
--- a/.github/workflows/blog-auditor.lock.yml
+++ b/.github/workflows/blog-auditor.lock.yml
@@ -996,7 +996,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml
index 6cdba1cdf4..244e56fc78 100644
--- a/.github/workflows/brave.lock.yml
+++ b/.github/workflows/brave.lock.yml
@@ -920,7 +920,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml
index e888d9a3ce..69518c7c17 100644
--- a/.github/workflows/breaking-change-checker.lock.yml
+++ b/.github/workflows/breaking-change-checker.lock.yml
@@ -928,7 +928,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml
index 5f669650f6..8a1fe0a8db 100644
--- a/.github/workflows/changeset.lock.yml
+++ b/.github/workflows/changeset.lock.yml
@@ -993,7 +993,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml
index df24a5a7d0..40749ca98e 100644
--- a/.github/workflows/ci-coach.lock.yml
+++ b/.github/workflows/ci-coach.lock.yml
@@ -986,7 +986,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml
index f35e41a363..f2a7176e9b 100644
--- a/.github/workflows/ci-doctor.lock.yml
+++ b/.github/workflows/ci-doctor.lock.yml
@@ -1090,7 +1090,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml
index 1fa4596f97..c13f502d3c 100644
--- a/.github/workflows/claude-code-user-docs-review.lock.yml
+++ b/.github/workflows/claude-code-user-docs-review.lock.yml
@@ -959,7 +959,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml
index 65f88abca9..538f626424 100644
--- a/.github/workflows/cli-consistency-checker.lock.yml
+++ b/.github/workflows/cli-consistency-checker.lock.yml
@@ -895,7 +895,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml
index 758a64a611..a05d581560 100644
--- a/.github/workflows/cli-version-checker.lock.yml
+++ b/.github/workflows/cli-version-checker.lock.yml
@@ -983,7 +983,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml
index 4bcd1357d2..1fee7c9d3c 100644
--- a/.github/workflows/cloclo.lock.yml
+++ b/.github/workflows/cloclo.lock.yml
@@ -1256,7 +1256,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml
index a3b2e3a3a6..1cc06a5fd2 100644
--- a/.github/workflows/code-scanning-fixer.lock.yml
+++ b/.github/workflows/code-scanning-fixer.lock.yml
@@ -997,7 +997,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml
index 2992e9627c..582a71ff53 100644
--- a/.github/workflows/code-simplifier.lock.yml
+++ b/.github/workflows/code-simplifier.lock.yml
@@ -912,7 +912,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml
index 9f5159a86e..0f7dfacc48 100644
--- a/.github/workflows/commit-changes-analyzer.lock.yml
+++ b/.github/workflows/commit-changes-analyzer.lock.yml
@@ -936,7 +936,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml
index c53f6c78ef..4d6b465c99 100644
--- a/.github/workflows/copilot-agent-analysis.lock.yml
+++ b/.github/workflows/copilot-agent-analysis.lock.yml
@@ -1042,7 +1042,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml
index cbb13e646b..356fe667b5 100644
--- a/.github/workflows/copilot-cli-deep-research.lock.yml
+++ b/.github/workflows/copilot-cli-deep-research.lock.yml
@@ -949,7 +949,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml
index 6f22f10d1b..bbdb93d77c 100644
--- a/.github/workflows/copilot-pr-merged-report.lock.yml
+++ b/.github/workflows/copilot-pr-merged-report.lock.yml
@@ -940,7 +940,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
index 7e5abbc439..44ef84c8a6 100644
--- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml
@@ -1039,7 +1039,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
index afe14f2903..4709407697 100644
--- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml
+++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml
@@ -965,7 +965,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml
index 339f8b6750..6291d78a6e 100644
--- a/.github/workflows/copilot-session-insights.lock.yml
+++ b/.github/workflows/copilot-session-insights.lock.yml
@@ -1097,7 +1097,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml
index f92a565685..d38d73f7b7 100644
--- a/.github/workflows/craft.lock.yml
+++ b/.github/workflows/craft.lock.yml
@@ -954,7 +954,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml
index fbe0efd393..978af403f0 100644
--- a/.github/workflows/daily-assign-issue-to-user.lock.yml
+++ b/.github/workflows/daily-assign-issue-to-user.lock.yml
@@ -903,7 +903,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml
index 95735a54f6..adc05f972b 100644
--- a/.github/workflows/daily-choice-test.lock.yml
+++ b/.github/workflows/daily-choice-test.lock.yml
@@ -906,7 +906,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml
index d8b0ee691c..a4ae27129e 100644
--- a/.github/workflows/daily-cli-performance.lock.yml
+++ b/.github/workflows/daily-cli-performance.lock.yml
@@ -1136,7 +1136,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml
index b7c7f09d47..4b8d528214 100644
--- a/.github/workflows/daily-cli-tools-tester.lock.yml
+++ b/.github/workflows/daily-cli-tools-tester.lock.yml
@@ -961,7 +961,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml
index a6435fa822..ec08c4d4bb 100644
--- a/.github/workflows/daily-code-metrics.lock.yml
+++ b/.github/workflows/daily-code-metrics.lock.yml
@@ -1076,7 +1076,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml
index e23169efad..5d04c376e0 100644
--- a/.github/workflows/daily-compiler-quality.lock.yml
+++ b/.github/workflows/daily-compiler-quality.lock.yml
@@ -936,7 +936,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml
index b918430bbf..b41b744c32 100644
--- a/.github/workflows/daily-copilot-token-report.lock.yml
+++ b/.github/workflows/daily-copilot-token-report.lock.yml
@@ -1054,7 +1054,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml
index 4fffe728c0..35dc3b582e 100644
--- a/.github/workflows/daily-doc-updater.lock.yml
+++ b/.github/workflows/daily-doc-updater.lock.yml
@@ -1003,7 +1003,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml
index 892433d9af..6c45becd22 100644
--- a/.github/workflows/daily-file-diet.lock.yml
+++ b/.github/workflows/daily-file-diet.lock.yml
@@ -939,7 +939,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml
index af5b95b218..86d29fec4b 100644
--- a/.github/workflows/daily-firewall-report.lock.yml
+++ b/.github/workflows/daily-firewall-report.lock.yml
@@ -1044,7 +1044,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml
index 25d0fdb801..afa3cb52c5 100644
--- a/.github/workflows/daily-issues-report.lock.yml
+++ b/.github/workflows/daily-issues-report.lock.yml
@@ -1066,7 +1066,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml
index 150a97ac44..c951b8e21d 100644
--- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml
+++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml
@@ -987,7 +987,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml
index 8357803007..75a49c9659 100644
--- a/.github/workflows/daily-multi-device-docs-tester.lock.yml
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml
@@ -1071,7 +1071,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml
index b95cf4b7b3..565e7bd2d1 100644
--- a/.github/workflows/daily-news.lock.yml
+++ b/.github/workflows/daily-news.lock.yml
@@ -1116,7 +1116,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml
index 7fef55bf25..c1542dcb42 100644
--- a/.github/workflows/daily-observability-report.lock.yml
+++ b/.github/workflows/daily-observability-report.lock.yml
@@ -1024,7 +1024,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index 0aa8511978..cafd33b3b1 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -1532,7 +1532,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml
index 6d997e8d59..7f6d22b5b4 100644
--- a/.github/workflows/daily-regulatory.lock.yml
+++ b/.github/workflows/daily-regulatory.lock.yml
@@ -1425,7 +1425,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml
index 10aca4ae1b..4f878f31a5 100644
--- a/.github/workflows/daily-repo-chronicle.lock.yml
+++ b/.github/workflows/daily-repo-chronicle.lock.yml
@@ -980,7 +980,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml
index 1c30a294ed..d68e115aba 100644
--- a/.github/workflows/daily-safe-output-optimizer.lock.yml
+++ b/.github/workflows/daily-safe-output-optimizer.lock.yml
@@ -1067,7 +1067,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml
index 9bc8110580..5a3f4c86ad 100644
--- a/.github/workflows/daily-secrets-analysis.lock.yml
+++ b/.github/workflows/daily-secrets-analysis.lock.yml
@@ -943,7 +943,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml
index 104fcfafc3..ff2c0baaec 100644
--- a/.github/workflows/daily-semgrep-scan.lock.yml
+++ b/.github/workflows/daily-semgrep-scan.lock.yml
@@ -931,7 +931,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml
index d2d9d0118c..694b651eb7 100644
--- a/.github/workflows/daily-syntax-error-quality.lock.yml
+++ b/.github/workflows/daily-syntax-error-quality.lock.yml
@@ -925,7 +925,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml
index e266ff29d0..3196a826ea 100644
--- a/.github/workflows/daily-team-evolution-insights.lock.yml
+++ b/.github/workflows/daily-team-evolution-insights.lock.yml
@@ -936,7 +936,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml
index da16a8e14d..c67db3fa43 100644
--- a/.github/workflows/daily-team-status.lock.yml
+++ b/.github/workflows/daily-team-status.lock.yml
@@ -919,7 +919,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml
index b3fdaf4cc2..f3a885b5b8 100644
--- a/.github/workflows/daily-testify-uber-super-expert.lock.yml
+++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml
@@ -983,7 +983,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml
index eaaad5b4d8..70ea73d5dd 100644
--- a/.github/workflows/daily-workflow-updater.lock.yml
+++ b/.github/workflows/daily-workflow-updater.lock.yml
@@ -903,7 +903,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml
index ef20042c85..1c2e8f329a 100644
--- a/.github/workflows/deep-report.lock.yml
+++ b/.github/workflows/deep-report.lock.yml
@@ -1162,7 +1162,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml
index f4040435a7..5872449357 100644
--- a/.github/workflows/delight.lock.yml
+++ b/.github/workflows/delight.lock.yml
@@ -1034,7 +1034,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml
index a24b13b2f1..aeabcd09f1 100644
--- a/.github/workflows/dependabot-burner.lock.yml
+++ b/.github/workflows/dependabot-burner.lock.yml
@@ -1149,7 +1149,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml
index 00eab19445..5ff103038f 100644
--- a/.github/workflows/dependabot-go-checker.lock.yml
+++ b/.github/workflows/dependabot-go-checker.lock.yml
@@ -933,7 +933,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10
diff --git a/.github/workflows/dependabot-project-manager.lock.yml b/.github/workflows/dependabot-project-manager.lock.yml
index 1dabdc1f50..85c491941e 100644
--- a/.github/workflows/dependabot-project-manager.lock.yml
+++ b/.github/workflows/dependabot-project-manager.lock.yml
@@ -1197,7 +1197,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml
index e735da0338..1a9426511b 100644
--- a/.github/workflows/dev-hawk.lock.yml
+++ b/.github/workflows/dev-hawk.lock.yml
@@ -973,7 +973,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml
index b4aeac6f36..9dc141e398 100644
--- a/.github/workflows/dev.lock.yml
+++ b/.github/workflows/dev.lock.yml
@@ -894,7 +894,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml
index d3c42c14f6..e74725e2a4 100644
--- a/.github/workflows/developer-docs-consolidator.lock.yml
+++ b/.github/workflows/developer-docs-consolidator.lock.yml
@@ -1075,7 +1075,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml
index 580605b87a..42405caf1b 100644
--- a/.github/workflows/dictation-prompt.lock.yml
+++ b/.github/workflows/dictation-prompt.lock.yml
@@ -900,7 +900,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml
index 7a81c8ace0..940f3f4f8a 100644
--- a/.github/workflows/discussion-task-miner.lock.yml
+++ b/.github/workflows/discussion-task-miner.lock.yml
@@ -1011,7 +1011,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml
index 8f720005ec..695b65763e 100644
--- a/.github/workflows/docs-noob-tester.lock.yml
+++ b/.github/workflows/docs-noob-tester.lock.yml
@@ -930,7 +930,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml
index 5481b46a69..f00526713c 100644
--- a/.github/workflows/draft-pr-cleanup.lock.yml
+++ b/.github/workflows/draft-pr-cleanup.lock.yml
@@ -934,7 +934,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml
index 57f6d2a13c..c6f5beb8ae 100644
--- a/.github/workflows/duplicate-code-detector.lock.yml
+++ b/.github/workflows/duplicate-code-detector.lock.yml
@@ -941,7 +941,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-codex-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml
index ff832237be..64c1302033 100644
--- a/.github/workflows/example-workflow-analyzer.lock.yml
+++ b/.github/workflows/example-workflow-analyzer.lock.yml
@@ -992,7 +992,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml
index 5f1c006252..e553002cff 100644
--- a/.github/workflows/firewall-escape.lock.yml
+++ b/.github/workflows/firewall-escape.lock.yml
@@ -956,7 +956,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml
index a06cd51f56..bc72633271 100644
--- a/.github/workflows/functional-pragmatist.lock.yml
+++ b/.github/workflows/functional-pragmatist.lock.yml
@@ -908,7 +908,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml
index 0e6930a93b..6d5ecef643 100644
--- a/.github/workflows/github-mcp-structural-analysis.lock.yml
+++ b/.github/workflows/github-mcp-structural-analysis.lock.yml
@@ -1027,7 +1027,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 009ece2952..41c8b96133 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -1036,7 +1036,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml
index 5d2f997e0c..7dc5812606 100644
--- a/.github/workflows/github-remote-mcp-auth-test.lock.yml
+++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml
@@ -888,7 +888,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml
index cbce87f317..a7c995f587 100644
--- a/.github/workflows/glossary-maintainer.lock.yml
+++ b/.github/workflows/glossary-maintainer.lock.yml
@@ -975,7 +975,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml
index 6e29fc92b7..fa575919d7 100644
--- a/.github/workflows/go-fan.lock.yml
+++ b/.github/workflows/go-fan.lock.yml
@@ -996,7 +996,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml
index c977df0e82..208e7e91ea 100644
--- a/.github/workflows/go-logger.lock.yml
+++ b/.github/workflows/go-logger.lock.yml
@@ -1165,7 +1165,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml
index 44e211a65a..381d75c1f1 100644
--- a/.github/workflows/go-pattern-detector.lock.yml
+++ b/.github/workflows/go-pattern-detector.lock.yml
@@ -993,7 +993,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml
index 39303d2ad8..a2623539ca 100644
--- a/.github/workflows/grumpy-reviewer.lock.yml
+++ b/.github/workflows/grumpy-reviewer.lock.yml
@@ -1002,7 +1002,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml
index fd33f14811..eaed836296 100644
--- a/.github/workflows/hourly-ci-cleaner.lock.yml
+++ b/.github/workflows/hourly-ci-cleaner.lock.yml
@@ -1006,7 +1006,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml
index 84458d5b59..0f3baaeead 100644
--- a/.github/workflows/instructions-janitor.lock.yml
+++ b/.github/workflows/instructions-janitor.lock.yml
@@ -996,7 +996,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml
index f0096c9ca3..335c6c92f3 100644
--- a/.github/workflows/issue-arborist.lock.yml
+++ b/.github/workflows/issue-arborist.lock.yml
@@ -1010,7 +1010,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-codex-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml
index ef7b475fb4..03cfe5ba7d 100644
--- a/.github/workflows/issue-classifier.lock.yml
+++ b/.github/workflows/issue-classifier.lock.yml
@@ -835,7 +835,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml
index 0c492e46df..97164b40ce 100644
--- a/.github/workflows/issue-monster.lock.yml
+++ b/.github/workflows/issue-monster.lock.yml
@@ -926,7 +926,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml
index 41ea287c3d..1aeb3d33bc 100644
--- a/.github/workflows/issue-triage-agent.lock.yml
+++ b/.github/workflows/issue-triage-agent.lock.yml
@@ -877,7 +877,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml
index ac63b388d1..ea682043f6 100644
--- a/.github/workflows/jsweep.lock.yml
+++ b/.github/workflows/jsweep.lock.yml
@@ -946,7 +946,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml
index 76e6d42d55..087bda51da 100644
--- a/.github/workflows/layout-spec-maintainer.lock.yml
+++ b/.github/workflows/layout-spec-maintainer.lock.yml
@@ -940,7 +940,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml
index f4d1515adc..a9afcce7c6 100644
--- a/.github/workflows/lockfile-stats.lock.yml
+++ b/.github/workflows/lockfile-stats.lock.yml
@@ -955,7 +955,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml
index 1c2b191584..a94d0b3430 100644
--- a/.github/workflows/mcp-inspector.lock.yml
+++ b/.github/workflows/mcp-inspector.lock.yml
@@ -1285,7 +1285,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml
index f463f42891..4199f90cb5 100644
--- a/.github/workflows/mergefest.lock.yml
+++ b/.github/workflows/mergefest.lock.yml
@@ -940,7 +940,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml
index 19a8695c53..6769684339 100644
--- a/.github/workflows/notion-issue-summary.lock.yml
+++ b/.github/workflows/notion-issue-summary.lock.yml
@@ -863,7 +863,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml
index 2ecc81fafc..d082d0e1d3 100644
--- a/.github/workflows/org-health-report.lock.yml
+++ b/.github/workflows/org-health-report.lock.yml
@@ -967,7 +967,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml
index afbbf2c128..bbf2b0f03b 100644
--- a/.github/workflows/pdf-summary.lock.yml
+++ b/.github/workflows/pdf-summary.lock.yml
@@ -1019,7 +1019,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml
index 4d70f5f2ea..1234da984f 100644
--- a/.github/workflows/plan.lock.yml
+++ b/.github/workflows/plan.lock.yml
@@ -998,7 +998,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml
index 6bc95922fc..092713452f 100644
--- a/.github/workflows/poem-bot.lock.yml
+++ b/.github/workflows/poem-bot.lock.yml
@@ -1554,7 +1554,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml
index 455f405608..ea5bda727f 100644
--- a/.github/workflows/portfolio-analyst.lock.yml
+++ b/.github/workflows/portfolio-analyst.lock.yml
@@ -1055,7 +1055,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml
index fd4a1e783f..93b22bd7e5 100644
--- a/.github/workflows/pr-nitpick-reviewer.lock.yml
+++ b/.github/workflows/pr-nitpick-reviewer.lock.yml
@@ -1075,7 +1075,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml
index dca6f91040..15b7aec906 100644
--- a/.github/workflows/pr-triage-agent.lock.yml
+++ b/.github/workflows/pr-triage-agent.lock.yml
@@ -1011,7 +1011,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml
index 5d958e225e..98bdde8709 100644
--- a/.github/workflows/prompt-clustering-analysis.lock.yml
+++ b/.github/workflows/prompt-clustering-analysis.lock.yml
@@ -1085,7 +1085,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml
index 01f44ad9a7..8e2c5fb782 100644
--- a/.github/workflows/python-data-charts.lock.yml
+++ b/.github/workflows/python-data-charts.lock.yml
@@ -1039,7 +1039,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index d2094d1b27..958b4bc31b 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -1110,7 +1110,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
index a84039ea97..39f5b5d563 100644
--- a/.github/workflows/release.lock.yml
+++ b/.github/workflows/release.lock.yml
@@ -1007,7 +1007,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml
index fd0577815e..4701b51e9d 100644
--- a/.github/workflows/repo-audit-analyzer.lock.yml
+++ b/.github/workflows/repo-audit-analyzer.lock.yml
@@ -930,7 +930,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml
index 8519bd6269..2132ad0d3d 100644
--- a/.github/workflows/repo-tree-map.lock.yml
+++ b/.github/workflows/repo-tree-map.lock.yml
@@ -878,7 +878,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml
index 04a15df9f5..d719c77123 100644
--- a/.github/workflows/repository-quality-improver.lock.yml
+++ b/.github/workflows/repository-quality-improver.lock.yml
@@ -928,7 +928,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml
index 70fc0d23eb..da706402d3 100644
--- a/.github/workflows/research.lock.yml
+++ b/.github/workflows/research.lock.yml
@@ -906,7 +906,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml
index 09c8f9a125..e4b8bcf0ff 100644
--- a/.github/workflows/safe-output-health.lock.yml
+++ b/.github/workflows/safe-output-health.lock.yml
@@ -1045,7 +1045,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml
index d4add74bed..9d762bc196 100644
--- a/.github/workflows/schema-consistency-checker.lock.yml
+++ b/.github/workflows/schema-consistency-checker.lock.yml
@@ -958,7 +958,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml
index be0d09e5d2..0510481447 100644
--- a/.github/workflows/scout.lock.yml
+++ b/.github/workflows/scout.lock.yml
@@ -1099,7 +1099,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml
index a0caa46ba8..1962b86304 100644
--- a/.github/workflows/security-compliance.lock.yml
+++ b/.github/workflows/security-compliance.lock.yml
@@ -956,7 +956,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml
index 63c7f129aa..cf548406c4 100644
--- a/.github/workflows/security-guard.lock.yml
+++ b/.github/workflows/security-guard.lock.yml
@@ -867,7 +867,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml
index db3ad7a218..639e3bf25b 100644
--- a/.github/workflows/security-review.lock.yml
+++ b/.github/workflows/security-review.lock.yml
@@ -1071,7 +1071,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml
index 3c3b2a6a05..e52ce39441 100644
--- a/.github/workflows/semantic-function-refactor.lock.yml
+++ b/.github/workflows/semantic-function-refactor.lock.yml
@@ -1021,7 +1021,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml
index 58ec9380b6..5934846b8c 100644
--- a/.github/workflows/sergo.lock.yml
+++ b/.github/workflows/sergo.lock.yml
@@ -995,7 +995,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml
index 6ed3a44aa2..ccd5c3979f 100644
--- a/.github/workflows/slide-deck-maintainer.lock.yml
+++ b/.github/workflows/slide-deck-maintainer.lock.yml
@@ -1002,7 +1002,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index da205be8a3..2f111ad750 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -1813,7 +1813,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index c5c47de6b6..b227dd2e88 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -1283,7 +1283,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 000454e8b9..3d50ff4074 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -1694,7 +1694,8 @@ jobs:
 needs: agent
 if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true'
 runs-on: ubuntu-latest
- permissions: {}
+ permissions:
+ contents: read
 timeout-minutes: 10
 outputs:
 success: ${{ steps.parse_results.outputs.success }}
diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml
index 058d7779da..2a28792f5f 100644
--- a/.github/workflows/smoke-opencode.lock.yml
+++ b/.github/workflows/smoke-opencode.lock.yml
@@ -1548,7 +1548,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index fb502dd5b1..26b2f7b93b 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1332,7 +1332,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 412d0bd5e6..292ec972b7 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -882,7 +882,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index d2601f56ab..289fd6d0ad 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -1036,7 +1036,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index b6b8f3d074..495c184ddc 100644 
--- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1028,7 +1028,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 11be97e88c..2b564ac9e7 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -985,7 +985,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index bf2d3d866d..5f692c8b1d 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -945,7 +945,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index c45bd70aef..5093b004c4 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -935,7 +935,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 9fc0f174f7..5a9f8616f2 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1041,7 +1041,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index f4c055772e..9791136440 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -882,7 +882,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index efae253e5b..096f664d70 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml @@ -970,7 +970,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 2ee00c2a3c..5effded3da 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml 
@@ -832,7 +832,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 66eb91592a..b467cf9162 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1063,7 +1063,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index a39d79d7ae..d40c5abd21 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1024,7 +1024,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 065797f481..4d2e6c702f 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml @@ -963,7 +963,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index e3be25e2f4..a0db3af568 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml 
+++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -933,7 +933,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 18f4fc9525..442e3bac3f 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1182,7 +1182,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 05babd3597..7e46908e5e 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -930,7 +930,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index e28bfc8b36..35203e26a9 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -962,7 +962,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 0f0d7c66a6..1b7ecc4c1f 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -996,7 +996,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index d68b976972..983115db34 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1069,7 +1069,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index ee47625a96..de42e08ae6 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -969,7 +969,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 465390912e..346c7ec2bf 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml 
@@ -972,7 +972,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/pkg/workflow/detection_permissions_test.go b/pkg/workflow/detection_permissions_test.go new file mode 100644 index 0000000000..b031509c87 --- /dev/null +++ b/pkg/workflow/detection_permissions_test.go 
@@ -0,0 +1,118 @@
+//go:build !integration
+
+package workflow
+
+import (
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/github/gh-aw/pkg/stringutil"
+ "github.com/github/gh-aw/pkg/testutil"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+// TestDetectionJobPermissionsWithCheckout verifies that detection job has
+// contents: read permission when it includes a checkout step (dev/script mode)
+func TestDetectionJobPermissionsWithCheckout(t *testing.T) {
+ tmpDir := testutil.TempDir(t, "test-*")
+ workflowPath := filepath.Join(tmpDir, "test-workflow.md")
+
+ frontmatter := `---
+on: workflow_dispatch
+permissions:
+ contents: read
+engine: copilot
+safe-outputs:
+ create-issue:
+---
+
+# Test
+
+Create an issue.
+`
+
+ err := os.WriteFile(workflowPath, []byte(frontmatter), 0644)
+ require.NoError(t, err, "Failed to write workflow file")
+
+ compiler := NewCompiler()
+ // Set to dev mode to trigger checkout (dev is also the default)
+ compiler.actionMode = ActionModeDev
+
+ err = compiler.CompileWorkflow(workflowPath)
+ require.NoError(t, err, "Failed to compile workflow")
+
+ // Read the compiled YAML
+ lockPath := stringutil.MarkdownToLockFile(workflowPath)
+ yamlBytes, err := os.ReadFile(lockPath)
+ require.NoError(t, err, "Failed to read compiled YAML")
+ yaml := string(yamlBytes)
+
+ // Check that detection job exists
+ assert.Contains(t, yaml, "detection:", "Detection job not found in compiled YAML")
+
+ // Check that detection job has checkout step
+ assert.Contains(t, yaml, "Checkout actions folder", "Detection job should have checkout step in dev mode")
+
+ // Extract detection job section using existing helper
+ detectionSection := extractJobSection(yaml, "detection")
+ require.NotEmpty(t, detectionSection, "Detection job section should not be empty")
+
+ // Verify that detection job has contents: read permission
+ assert.Contains(t, detectionSection, "permissions:", "Detection job should have permissions field")
+ assert.Contains(t, detectionSection, "contents: read", "Detection job should have contents: read permission when checkout is needed")
+
+ // Verify it's NOT using empty permissions
+ assert.NotContains(t, detectionSection, "permissions: {}", "Detection job should not have empty permissions when checkout is needed")
+}
+
+// TestDetectionJobPermissionsWithoutCheckout verifies that detection job has
+// empty permissions when no checkout is needed (release mode)
+func TestDetectionJobPermissionsWithoutCheckout(t *testing.T) {
+ tmpDir := testutil.TempDir(t, "test-*")
+ workflowPath := filepath.Join(tmpDir, "test-workflow.md")
+
+ frontmatter := `---
+on: workflow_dispatch
+permissions:
+ contents: read
+engine: copilot
+safe-outputs:
+ create-issue:
+---
+
+# Test
+
+Create an issue.
+`
+
+ err := os.WriteFile(workflowPath, []byte(frontmatter), 0644)
+ require.NoError(t, err, "Failed to write workflow file")
+
+ compiler := NewCompiler()
+ // Set to release mode - no checkout needed
+ compiler.actionMode = ActionModeRelease
+
+ err = compiler.CompileWorkflow(workflowPath)
+ require.NoError(t, err, "Failed to compile workflow")
+
+ // Read the compiled YAML
+ lockPath := stringutil.MarkdownToLockFile(workflowPath)
+ yamlBytes, err := os.ReadFile(lockPath)
+ require.NoError(t, err, "Failed to read compiled YAML")
+ yaml := string(yamlBytes)
+
+ // Check that detection job exists
+ assert.Contains(t, yaml, "detection:", "Detection job not found in compiled YAML")
+
+ // Extract detection job section using existing helper
+ detectionSection := extractJobSection(yaml, "detection")
+ require.NotEmpty(t, detectionSection, "Detection job section should not be empty")
+
+ // In release mode, checkout should not be present in detection job
+ assert.NotContains(t, detectionSection, "Checkout actions folder", "Detection job should not have checkout step in release mode")
+
+ // Empty permissions are acceptable when no checkout is needed
+ assert.Contains(t, detectionSection, 
"permissions: {}", "Detection job can have empty permissions in release mode") +} diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go index 2c68c47290..e248b7f7bc 100644 --- a/pkg/workflow/threat_detection.go +++ b/pkg/workflow/threat_detection.go @@ -106,6 +106,20 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin steps := c.buildThreatDetectionSteps(data, mainJobName) threatLog.Printf("Generated %d steps for threat detection job", len(steps)) + // Determine if checkout is needed (dev or script mode with actions checkout) + needsContentsRead := (c.actionMode.IsDev() || c.actionMode.IsScript()) && len(c.generateCheckoutActionsFolder(data)) > 0 + if needsContentsRead { + threatLog.Print("Detection job needs contents:read permission for checkout") + } + + // Set permissions based on whether checkout is needed + var permissions string + if needsContentsRead { + permissions = NewPermissionsContentsRead().RenderToYAML() + } else { + permissions = NewPermissionsEmpty().RenderToYAML() + } + // Generate agent concurrency configuration (same as main agent job) agentConcurrency := GenerateJobConcurrencyConfig(data) @@ -127,7 +141,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin Name: string(constants.DetectionJobName), If: condition.Render(), RunsOn: "runs-on: ubuntu-latest", - Permissions: NewPermissionsEmpty().RenderToYAML(), + Permissions: permissions, Concurrency: c.indentYAMLLines(agentConcurrency, " "), TimeoutMinutes: 10, Steps: steps, diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go index 2937fc0991..f6dfb05f93 100644 --- a/pkg/workflow/threat_detection_test.go +++ b/pkg/workflow/threat_detection_test.go 
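Review bot: The two new tests exercise only `ActionModeDev` and `ActionModeRelease`, but the production condition in threat_detection.go also grants `contents: read` for script mode (`c.actionMode.IsScript()`), so that branch is untested; a table over the three modes with the expected permissions block would cover it. The substring checks are also loose: `assert.Contains(t, detectionSection, "contents: read", ...)` passes if that text appears anywhere in the detection job (a step's `with:` block or a comment), not necessarily under the job-level `permissions:` key, and it would still pass if a second permission were added alongside it. Assuming `extractJobSection` returns the job's YAML verbatim, asserting that the line following `permissions:` is `contents: read` and that no other permission keys appear would pin the least-privilege shape this change relies on.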
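Review bot: `needsContentsRead` re-derives the checkout condition (`(c.actionMode.IsDev() || c.actionMode.IsScript()) && len(c.generateCheckoutActionsFolder(data)) > 0`) independently of wherever `buildThreatDetectionSteps` decides to inject the checkout step, so the two can drift: if the step builder's condition changes, the job either fails at checkout or keeps a `contents: read` grant it no longer needs. Tie the grant to the step instead — have `buildThreatDetectionSteps` report whether it injected the checkout, or scan the `steps` it returned for that step — so the permission follows the code that needs it; this also avoids calling `generateCheckoutActionsFolder` a second time, which is presumably already called inside the step builder. The detection job was run with `permissions: {}` on purpose: it executes over the agent job's output, and the empty grant kept a compromised detector from reaching the repository. `contents: read` is a small widening, but if `generateCheckoutActionsFolder` (not visible here) does not already pass `persist-credentials: false` to actions/checkout, it should, so the token is not left in `.git/config` for later steps of that job.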
@@ -225,8 +225,14 @@ func TestBuildThreatDetectionJob(t *testing.T) {
 if job.RunsOn != "runs-on: ubuntu-latest" {
 t.Errorf("Expected ubuntu-latest runner, got %q", job.RunsOn)
 }
- if job.Permissions != "permissions: {}" {
- t.Errorf("Expected 'permissions: {}', got %q", job.Permissions)
+ // In dev mode (default), detection job should have contents: read permission for checkout
+ // In release mode, it should have empty permissions
+ expectedPerms := "permissions:\n contents: read"
+ if compiler.actionMode.IsRelease() {
+ expectedPerms = "permissions: {}"
+ }
+ if job.Permissions != expectedPerms {
+ t.Errorf("Expected %q, got %q", expectedPerms, job.Permissions)
 }
 if len(job.Needs) != 1 || job.Needs[0] != tt.mainJobName {
 t.Errorf("Expected job to depend on %q, got %v", tt.mainJobName, job.Needs)
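Review bot: The expected value now follows `compiler.actionMode.IsRelease()` instead of pinning a mode, so each run verifies only whichever branch the compiler defaulted to, and the test would keep passing if that default changed. Give each table case an explicit mode (e.g. an `actionMode` field applied with `compiler.actionMode = tt.actionMode` before the job is built) so that both `permissions: {}` and `permissions:\n contents: read` are asserted deterministically rather than one or the other. The `compiler` variable and the enclosing table loop of `TestBuildThreatDetectionJob` are defined outside this hunk.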