Skip to content

Comments

Fix add-comment and hide-comment to conditionally request discussions:write permission#16501

Closed
Copilot wants to merge 11 commits intomainfrom
copilot/fix-permission-issue-discussions
Closed

Fix add-comment and hide-comment to conditionally request discussions:write permission#16501
Copilot wants to merge 11 commits intomainfrom
copilot/fix-permission-issue-discussions

Conversation

Copy link
Contributor

Copilot AI commented Feb 18, 2026
edited
Loading

Both add-comment and hide-comment safe outputs no longer unconditionally request discussions: write permission. Users must now explicitly set discussion: true to enable discussion support and request the discussions permission.

Changes

  • pkg/workflow/safe_outputs_permissions.go:
    • For add-comment: Only include discussions: write permission when discussion: true is explicitly set
    • For hide-comment: Only include discussions: write permission when discussion: true is explicitly set
  • pkg/workflow/add_comment.go:
    • Update standalone handler to conditionally set permissions based on discussion field
    • Update field documentation to reflect opt-in behavior
    • Remove validation that required discussion: true if present
  • pkg/workflow/hide_comment.go:
    • Add Discussion *bool field to HideCommentConfig struct
    • Migrate parser to use unmarshalConfig for automatic field parsing (consistent with add-comment)
    • Update field documentation to reflect opt-in behavior
  • pkg/parser/schemas/main_workflow_schema.json:
    • Remove const: true constraint for add-comment discussion field
    • Add discussion field to hide-comment schema with default: false
    • Update descriptions to reflect opt-in behavior
  • Tests: Add comprehensive test coverage for all three scenarios (unset, true, false) for both add-comment and hide-comment, plus parsing tests to verify all fields are correctly handled

Permission Impact

After (add-comment or hide-comment without discussion field - default behavior):

permissions:
  contents: read
  issues: write
  pull-requests: write  # ✅ No discussions permission by default

After (add-comment or hide-comment with discussion: true - opt-in):

permissions:
  contents: read
  issues: write
  pull-requests: write
  discussions: write  # ✅ Included when explicitly enabled

After (add-comment or hide-comment with discussion: false - explicit opt-out):

permissions:
  contents: read
  issues: write
  pull-requests: write  # ✅ No discussions permission

The discussions: write permission is only requested when:

  • discussion: true is explicitly set in the add-comment or hide-comment configuration

Testing

  • ✅ All permission tests pass with coverage for unset, true, and false scenarios
  • ✅ New comprehensive parsing tests verify all fields are correctly parsed for both add-comment and hide-comment
  • ✅ Verified fields: max, target, target-repo, allowed-repos, discussion, hide-older-comments, allowed-reasons
  • ✅ Confirmed migration to unmarshalConfig preserves all existing functionality
  • ✅ All 155 workflows compile successfully
  • ✅ Manual verification of compiled workflows confirms correct permission grants

Migration Note

Workflows using add-comment or hide-comment will not include discussions: write permission by default. To enable discussion comment support, add discussion: true to the add-comment or hide-comment configuration.

Original prompt

This section details on the original issue you should resolve

<issue_title>add-comment and hide-comment safe outputs unconditionally request discussions:write permission</issue_title>
<issue_description>🤖 AI Assisted Bug Report

Problem

PR #15518 (fixing #15516) introduced computePermissionsForSafeOutputs to compute minimal permissions for the safe_outputs and conclusion jobs. However, the add-comment and hide-comment entries still use NewPermissionsContentsReadIssuesWritePRWriteDiscussionsWrite(), which unconditionally includes discussions: write — even when no discussion-related safe outputs (create-discussion, close-discussion, update-discussion) are configured.

This causes the same 422 error that #15516 reported:

RequestError [HttpError]: The permissions requested are not granted to this installation.

…when the GitHub App installation doesn't have the Discussions permission granted.

Root Cause

In pkg/workflow/safe_outputs_permissions.go:

if safeOutputs.AddComments != nil {
    permissions.Merge(NewPermissionsContentsReadIssuesWritePRWriteDiscussionsWrite())
    //                                                        ^^^^^^^^^^^^^^^^
    //                                              discussions: write always included
}
if safeOutputs.HideComment != nil {
    permissions.Merge(NewPermissionsContentsReadIssuesWritePRWriteDiscussionsWrite())
    //                                              same problem
}

The rationale is that add_comment.cjs can comment on discussions, not just issues/PRs. But if no discussion-related safe-output is configured, the agent will never target a discussion, so discussions: write is unnecessary.

The same pattern also exists in pkg/workflow/add_comment.go L124 (standalone handler permissions).

Impact

Any workflow using add-comment or hide-comment with a GitHub App that doesn't have Discussions permission will fail at the token generation step in the safe_outputs and conclusion jobs. The agent job completes successfully, but its output (comments, labels, assignments) is never applied.

Affected compiled output (lock.yml):

  • Job-level permissions: block includes discussions: write
  • create-github-app-token step includes permission-discussions: write

Workaround: Manually remove discussions: write and permission-discussions: write from the compiled lock file after every gh aw compile.

Suggested Fix

In safe_outputs_permissions.go, use NewPermissionsContentsReadIssuesWritePRWrite() (already exists at permissions_factory.go L83) instead:

if safeOutputs.AddComments != nil {
    permissions.Merge(NewPermissionsContentsReadIssuesWritePRWrite())
}
if safeOutputs.HideComment != nil {
    permissions.Merge(NewPermissionsContentsReadIssuesWritePRWrite())
}

discussions: write is already independently added when discussion-related safe outputs are configured:

if safeOutputs.CreateDiscussions != nil {
    permissions.Merge(NewPermissionsContentsReadIssuesWriteDiscussionsWrite())
}
if safeOutputs.CloseDiscussions != nil {
    permissions.Merge(NewPermissionsContentsReadDiscussionsWrite())
}
if safeOutputs.UpdateDiscussions != nil {
    permissions.Merge(NewPermissionsContentsReadDiscussionsWrite())
}

So workflows that actually use discussions will still get the permission via those entries.

Same fix should be applied to add_comment.go L124 for the standalone handler path.

Reproduction

  1. Create a workflow with add-comment but no discussion safe-outputs:
safe-outputs:
  app:
    app-id: ${{ secrets.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}
    owner: 'myorg'
    repositories: ['myrepo']
  add-comment:
    target: "*"
    max: 1
  1. Use a GitHub App that does NOT have the Discussions permission
  2. gh aw compile
  3. Observe discussions: write in the lock file's safe_outputs and conclusion jobs
  4. Run the workflow — token generation fails with 422

Environment

Related

Comments on the Issue (you are @copilot in this section)

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI and others added 3 commits February 18, 2026 01:51
@pelikhan
Fix add-comment and hide-comment to not require discussions:write per…
e13d010 
…mission unconditionally

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Update tests to reflect removed discussions permission requirement
56354f1 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Recompile workflows to apply permission fixes
1ba5f92 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix permissions request for add-comment and hide-comment Fix add-comment and hide-comment requesting discussions:write unconditionally Feb 18, 2026
Copilot AI requested a review from pelikhan February 18, 2026 02:05
@pelikhan
Copy link
Contributor

pelikhan commented Feb 18, 2026

@copilot the add-comment safe output needs to have the discussions: true to enable allowing to write to discussion. If this field is not set, the add-comment cannot add comments to issues.

@github-actions github-actions bot mentioned this pull request Feb 18, 2026
Closed
@pelikhan
Fix: Only request discussions permission when add-comment has discuss…
ef1b6a5 
…ion: true

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 18, 2026
edited
Loading

@copilot the add-comment safe output needs to have the discussions: true to enable allowing to write to discussion. If this field is not set, the add-comment cannot add comments to issues.

Fixed in ef1b6a5. The add-comment safe output now only requests discussions: write permission when the discussion: true field is set. Without this field, it only requests contents: read, issues: write, and pull-requests: write permissions.

Similarly, hide-comment only requests discussions: write if discussion-related safe outputs (create-discussion, close-discussion, update-discussion, or add-comment with discussion: true) are configured.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw -j ACCEPT ache/go/1.25.0/x--auto -o /tmp/go-build373--detach -trimpath sh -p github.com/charmrev-parse -lang=go1.23 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw cussions x_amd64/compile git rev-�� --show-toplevel x_amd64/compile ode v2.13.0/internalgit (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha om/sahilm/fuzzy@v0.1.1/fuzzy.go .cfg 64/pkg/tool/linux_amd64/vet http.https://gitgit (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/gh higher.&#34;; \ echgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/gh (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git g_.a (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha L8uce4yl- .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha -_MxMFIZC .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha -unreachable=false /tmp/go-build3734590255/b065/vet.cfg 4590255/b307/vet.cfg -c=4 -nolocalimports -importcfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build3734590255/b183/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha graphql.go query.go x_amd64/compile ader (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha g_.a origin .cfg (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha hNHO/uakL8yedfOS5zdEvhNHO /tmp/go-build3734590255/b081/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git bin&#39; &amp;&amp; echo &#34;$P/usr/bin/gh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha xterm-color 64/pkg/tool/linux_amd64/vet /usr/bin/bash ission-issue-disgit .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows bash -c source &#39;/home/REDACTED/work/gh-aw/gh-aw/actions/setup/sh/sanitize_path.sh&#39; &#39;/usr/bin:/usr/local/biinfocmp 64/pkg/tool/linux_amd64/vet 0/x64/bin/node get .cfg 64/pkg/tool/linu/repos/actions/ai-inference/git/ref/tags/v2 git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha /repos/actions/cremote.origin.url --jq /usr/bin/sed -_MxMFIZC .cfg 64/pkg/tool/linugraphql sed s/::�� (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha xterm-color 64/pkg/tool/linux_amd64/vet /usr/bin/bash ission-issue-dis/usr/bin/gh .cfg 64/pkg/tool/linugraphql bash -c source &#39;/home/ru-f 64/pkg/tool/linuowner=github r: $owner, name:-f get .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows /usr/lib/git-correv-parse (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha g_.a (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha KN_vk9KmK .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -unreachable=false /tmp/go-build3734590255/b107/vet.cfg 4590255/b309/vet.cfg -c=4 -nolocalimports -importcfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build3734590255/b185/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } kfMOI5WtJ .cfg 64/pkg/tool/linugraphql git rev-�� --show-toplevel 64/pkg/tool/linuowner=github 0/x64/bin/node om/catppuccin/godocker .cfg 64/pkg/tool/linumcp/arxiv-mcp-server git (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha 28hFrOFzN .cfg 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet sup (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git /sig.s (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/compile $name) { hasDiscussionsEnabled } } (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha f12kmzSI5 .cfg 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git ify@v1.11.1/requ/usr/bin/gh ify@v1.11.1/requapi 64/pkg/tool/linugraphql git rev-�� --show-toplevel 64/pkg/tool/linuowner=github /usr/bin/git g_.a (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/bash NOtlkKxD1 .cfg 64/pkg/tool/linugraphql bash -c source &#39;/home/ru-f 64/pkg/tool/linuowner=github r: $owner, name:-f om/charmbraceletgit .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/bash CmY9LQzlV .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows bash -c export GOROOT=&#34;/tmp/TestGetNpmBinPathSetup_GorootOrdering788665560/001/go/1.25.0/x64&#34;; export PA/usr/bin/gh 64/pkg/tool/linux_amd64/vet 0/x64/bin/node om/clipperhouse//usr/bin/gh .cfg 64/pkg/tool/linugraphql git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } clmuVgtKF .cfg 64/pkg/tool/linugraphql git rev-�� --show-toplevel 64/pkg/tool/linuowner=github 0/x64/bin/node om/charmbracelet/usr/bin/unpigz .cfg 64/pkg/tool/linu-c head (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/sed iAGGLxn-H (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } fkTzfGqWA (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git mh5S5Ts96 .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� cli/install.sh...&#34; 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } om/cli/go-gh/v2@/usr/bin/unpigz .cfg 64/pkg/tool/linu-c grep (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } lfVWymTYL (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git uPwTUe1eD .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } om/charmbracelet/usr/bin/unpigz .cfg 64/pkg/tool/linu-c /usr/lib/git-core/git (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/tr FzaH8jWd8 (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/gh goHFx0a72 .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq r: $owner, name: $name) { hasDiscussionsEnabled } } om/sahilm/fuzzy@/usr/bin/unpigz .cfg 64/pkg/tool/linu-c git (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha /repos/actions/github-script/git/ref/tags/v8 --jq /usr/bin/sed KN_vk9KmK .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows sed s/::�� (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/tr DN5tio5Wb .cfg 64/pkg/tool/linugraphql tr \n : 64/pkg/tool/linuowner=github r: $owner, name:-f om/charmbraceletgit .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 --jq .object.sha --show-toplevel x_amd64/vet inPathSetup_GorootOrdering788665560/001/go/1.25.0/x64/bin/go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git apic.go decode.go x_amd64/vet git s --show-toplevel x_amd64/vet /usr/bin/git g_.a (http block)
  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login --show-toplevel (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Fix add-comment and hide-comment requesting discussions:write unconditionally Fix add-comment and hide-comment requesting discussions:write conditionally Feb 18, 2026
@pelikhan
Copy link
Contributor

pelikhan commented Feb 18, 2026

@copilot update the default value of discussions to be true and discussions: false to disable them.

@pelikhan
Change discussion field default to true, allow false to opt-out
a2d255f 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 18, 2026
edited
Loading

@copilot update the default value of discussions to be true and discussions: false to disable them.

Updated in a2d255f. The discussion field now defaults to true, enabling discussion support by default for add-comment. Users can set discussion: false to opt-out and exclude the discussions: write permission.

Behavior:

  • No discussion field: discussions: write included (default)
  • discussion: true: discussions: write included (explicit)
  • discussion: false: discussions: write excluded (opt-out)

29 workflows were recompiled and now include discussions: write permission by default.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw or/color.go x_amd64/vet git rev-�� --show-toplevel x_amd64/vet /usr/bin/git g_.a (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw /x/ansi@v0.11.6/-c x_amd64/vet ; \ fi rev-�� --show-toplevel x_amd64/vet /usr/bin/git roup.go (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha se 7091519/b023/vet.cfg .cfg (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha --show-toplevel 87931720e2f7e5ee0a27afd8 /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha --show-toplevel 87931720e2f7e5ee0a27afd8..HEAD /usr/bin/git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/gh higher.&#34;; \ echgit .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows gh api /ref/tags/v8 --jq /usr/bin/bash om/charmbraceletgit (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha g_.a (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha om/charmbracelet/lipgloss@v1.1.1-0.2025031913395-errorsas .cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha om/charmbracelet/bubbles@v1.0.0/textinput/textin-p (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /home/REDACTED/work/_temp/ghcca-node/node/bin/bash (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha se 7091519/b215/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -2.15.0.1-py3.12.egg -trimpath /usr/sbin/bash -p main -lang=go1.25 bash --no�� --noprofile -dwarf=false /usr/local/bin/systemd-run go1.25.0 -c=4 -nolocalimports systemd-run (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git zEVTr_mSk (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha cp .github/aw/actions-lock.json pkg/workflow/data/action_pins.json; \ echo &#34;��� Action pins syn/usr/bin/gh ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet 0/x64/bin/node se 7091519/b014/vet-C de/node/bin/bash/home/REDACTED/work/gh-aw/gh-aw/.github/workflows wc -l (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/tr (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha om/charmbracelet/bubbles@v1.0.0/spinner/spinner.-errorsas (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha om/charmbracelet/bubbles@v1.0.0/list/defaultitem-s om/charmbracelet/bubbles@v1.0.0/list/keys.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git rev-�� --show-toplevel -tests /home/REDACTED/.local/bin/bash (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha --show-toplevel x_amd64/link /usr/bin/git 7091519/b126/_pkgit .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile 0/x64/bin/node se 7091519/b010/vet-d ache/go/1.25.0/x-c /bin/sh (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha om/charmbracelet/bubbles@v1.0.0/help/help.go (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel -pack /usr/bin/git TH&#34; (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git -graphql@v0.0.4/bash (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha edcfg (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git H&#34; (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git -graphql@v0.0.4/bash (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/gh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet e_modules/esbuild/node_modules/.bin/sh 7091519/b163/_pkgit (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } cli/install.sh../usr/bin/gh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet x_amd64/compile 7091519/b125/_pkgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/cgo r: $owner, name: $name) { hasDiscussionsEnabled } } 7091519/b129/_pkgit (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 7091519/b155/_pk/usr/bin/gh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git 7091519/b139/_pk/usr/bin/gh .cfg ache/go/1.25.0/xgraphql git rev-�� --show-toplevel ache/go/1.25.0/xowner=github 0/x64/bin/node se 7091519/b039/vetimage ache/go/1.25.0/xinspect sed (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel x_amd64/compile r: $owner, name: $name) { hasDiscussionsEnabled } } om/charmbraceletgit om/charmbracelet-C ache/go/1.25.0/x/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet 0/x64/bin/node se 7091519/b060/vetpull .cfg git (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git cp .github/aw/ac/usr/bin/gh (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } 7091519/b152/_pk/usr/bin/gh (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 --jq .object.sha --show-toplevel x_amd64/vet inPathSetup_GorootOrdering1078043728/001/go/1.25.0/x64/bin/go (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile $name) { hasDiscussionsEnabled } } g_.a (http block)
  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login color.go context.go x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login --show-toplevel x_amd64/vet /usr/bin/git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Fix add-comment and hide-comment requesting discussions:write conditionally Change add-comment discussion field to default to true, allow false to opt-out Feb 18, 2026
@pelikhan
Copy link
Contributor

pelikhan commented Feb 18, 2026

@copilot also handle hide_comment the same way

@pelikhan
Add discussion field to hide-comment with default true
d06ddbe 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 18, 2026
edited
Loading

@copilot also handle hide_comment the same way

Updated in d06ddbe. The hide-comment safe output now has the same behavior as add-comment:

Behavior:

  • No discussion field: discussions: write included (default)
  • discussion: true: discussions: write included (explicit)
  • discussion: false: discussions: write excluded (opt-out)

The parser was also simplified to use unmarshalConfig for automatic field parsing, consistent with add-comment.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw egraph/conc/poolmaintenance (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw tty@v0.1.4/print--norc x_amd64/vet ache/node/24.13.0/x64/bin/npm rev-�� nly x_amd64/vet modules/@npmcli/run-script/lib/node-gyp-bin/sh g_.a (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha g_.a --local ndor/bin/bash credential.helpegit flow (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha --show-toplevel ff70405d5ef4dac0c84eb68c..HEAD /usr/bin/git higher.&#34;; \ echgit .cfg 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /tmp/TestGetNpmBinPathSetup_GorootOrdering1890195230/001/go/1.25.0/x64/bin/go om/charmbraceletgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha ff70405d5ef4dac0c84eb68c..HEAD 64/pkg/tool/linux_amd64/vet /usr/bin/git 5oiNtjeUW .cfg 64/pkg/tool/linugraphql git rev-�� --show-toplevel 64/pkg/tool/linuowner=github /usr/bin/find om/charmbraceletgit (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git x55To0DC_ (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha ox/secretbox.go (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha rg/x/text@v0.34.0/internal/number/common.go .cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha to pkg/workflow/data/action_pins.json...&#34; om/goccy/go-yaml@v1.19.2/decode.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha -bool -buildtags /bin/sh -errorsas -ifaceassert -nilfunc /bin/sh -c if [ -f .github/aw/actions-lock.json ]; then \ cp .github/aw/actions-lock.json pkg/workflow/datgit -tests /usr/bin/bash (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha se 0126722/b201/vet.cfg ndor/bin/bash (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha -unreachable=false /tmp/go-build2550126722/b332/vet.cfg /usr/bin/git (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git Fx_T-0oDz .cfg 64/pkg/tool/linugraphql git rev-�� --show-toplevel 64/pkg/tool/linuowner=github /usr/bin/git rg/x/text@v0.34./usr/bin/unpigz .cfg kflow.test git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git om/charmbracelet/usr/bin/gh om/charmbraceletapi 64/pkg/tool/linugraphql git rev-�� --show-toplevel 64/pkg/tool/linuowner=github 0/x64/bin/node a --local 0/x64/bin/bash wc (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git til.go (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel c84eb68c..HEAD /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha --show-toplevel x_amd64/asm /usr/bin/git ileutil.go om/charmbracelet-C 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile r: $owner, name: $name) { hasDiscussionsEnabled } } g_.a --local .cfg grep (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha om/charmbracelet/lipgloss@v1.1.1-0.2025031913395-errorsas om/charmbracelet/lipgloss@v1.1.1-0.2025031913395-ifaceassert ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha om/santhosh-tekuri/jsonschema/v6@v6.0.2/kind/kind.go .cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -unreachable=false /tmp/go-build2550126722/b230/vet.cfg /bin/sh (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet x_amd64/compile 0126722/b127/_pkgit (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha om/pmezard/go-difflib@v1.0.0/difflib/difflib.go .cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile sup g_.a (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha nner/work/gh-aw/gh-aw/actions/setup/sh/sanitize_path.sh&#39; &#39;/usr/bin:/usr/local/bin&#39; &amp;&amp; echo &#34;$PATinfocmp 64/pkg/tool/linux_amd64/compile e/git g_.a (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git PATH&#34;; [ -n &#34;$GOnode (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet $name) { hasDiscussionsEnabled } } tty@v0.1.4/interbash (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha rg/x/text@v0.34.0/message/catalog/catalog.go rg/x/text@v0.34.0/message/catalog/dict.go .cfg (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git PATH&#34; (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git p/TestGetNpmBinPnode (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 1.0.10/bool.go 1.0.10/bool_funcapi 64/pkg/tool/linugraphql git rev-�� --show-toplevel 64/pkg/tool/linuowner=github r: $owner, name:-f g_.a 0126722/b012/vet-C .cfg /usr/lib/git-correv-parse (http block)
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } 8.0/blake2b/blakgit 8.0/blake2b/blak-C 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile 0/x64/bin/node g_.a 0126722/b013/vetimage .cfg git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 0126722/b157/_pkgit (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel x_amd64/link /usr/bin/git onc@v0.3.0/intergit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel ns-lock.json does not exist yet&#34;; \ fi r: $owner, name: $name) { hasDiscussionsEnabled } } .go .go 64/pkg/tool/linugraphql git rev-�� --show-toplevel 64/pkg/tool/linuowner=github 0/x64/bin/node g_.a 0126722/b023/vet-d .cfg git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet r: $owner, name: $name) { hasDiscussionsEnabled } } 8.0/curve25519/cgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 8.0/nacl/box/boxgit (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet x_amd64/cgo 0126722/b129/_pk/usr/bin/gh (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/gh onc@v0.3.0/panic/usr/bin/gh onc@v0.3.0/panicapi 64/pkg/tool/linugraphql gh api /repos/actions/a-f --jq r: $owner, name:-f g_.a --local ndor/bin/bash git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git om/charmbraceletgit om/charmbracelet-C 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/.github/workflows git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/link r: $owner, name: $name) { hasDiscussionsEnabled } } /a.out 0126722/b024/vet-d ortcfg.link sed (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git context_pool.go error_pool.go x_amd64/asm git rev-�� --show-toplevel x_amd64/asm /usr/bin/git (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a (http block)
  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login runeutil/runeuti-errorsas (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login --show-toplevel x_amd64/vet /usr/bin/git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title Change add-comment discussion field to default to true, allow false to opt-out Change add-comment and hide-comment discussion field to default to true, allow false to opt-out Feb 18, 2026
@pelikhan
Copy link
Contributor

pelikhan commented Feb 18, 2026

@copilot change to the original default discussion
: false

@pelikhan
Change discussion field default back to false (opt-in)
dcc228c 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 18, 2026
edited
Loading

@copilot change to the original default discussion
: false

Reverted in dcc228c. The discussion field now defaults to false for both add-comment and hide-comment.

Behavior:

  • No discussion field: discussions: write excluded (default false)
  • discussion: true: discussions: write included (opt-in)
  • discussion: false: discussions: write excluded (explicit)

30 workflows were recompiled to remove discussions: write permission. Users who need discussion support must now explicitly set discussion: true.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw al/tzlocal (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw idth (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v2 --jq .object.sha g_.a (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha g_.a (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha g_.a (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha ZN8zeeM04 .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha mS7G7xTOI .cfg r: $owner, name:-f (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha WzMqc2uxh .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha ZEU4uWQzZ .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha VZUOHysae .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha reader@v0.2.2/cancelreader.go reader@v0.2.2/cancelreader_linux-ifaceassert $name) { hasDiscussionsEnabled } } (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha g_.a (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha om/stretchr/test-f om/stretchr/testowner=github r: $owner, name:-f (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha .go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha g_.a (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha Fx_T-0oDz .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha oCLn1vH0z .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha TNPEu46tR .cfg r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha jg0Bexf0d .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha 0FFQ40Myh .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha OIe7OfGjw .cfg 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha 8hJ71E_Vj .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha 9go7lghnq r 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha rSDBSAcgy ame r: $owner, name: $name) { hasDiscussionsEnabled } } (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha x55To0DC_ r 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha KzUbiovpm .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha gxMkqWJMQ .cfg 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha Vt589yh-U .cfg 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/c4e091835c7a94dc7d3acb8ed3ae145afb4995f3 --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha /huh@v0.8.0/internal/accessibili-errorsas cussions $name) { hasDiscussionsEnabled } } (http block)
  • https://api.github.com/user
    • Triggering command: /usr/bin/gh gh api user --jq .login (http block)
    • Triggering command: /usr/bin/gh gh api user --jq .login /tmp/go-build630828682/b337/symabis -c=4 -nolocalimports -importcfg /tmp/go-build630828682/b337/importcfg -pack -asmhdr (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan
Format hide_comment.go whitespace
d084f41 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title Change add-comment and hide-comment discussion field to default to true, allow false to opt-out Fix add-comment and hide-comment to conditionally request discussions:write permission Feb 18, 2026
@pelikhan pelikhan marked this pull request as ready for review February 18, 2026 03:10
Copilot AI review requested due to automatic review settings February 18, 2026 03:10
@pelikhan
Copy link
Contributor

pelikhan commented Feb 18, 2026

@copilot review changes and make sure the parsing of add-comments, hide-comments did not lose fields. Ensure proper testing.

Copilot AI reviewed Feb 18, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes an issue where add-comment and hide-comment safe outputs unconditionally requested discussions:write permission, causing failures when GitHub App installations don't have the Discussions permission granted. The fix makes discussion support opt-in by requiring users to explicitly set discussion: true.

Changes:

  • Modified permission logic to only request discussions:write when discussion: true is explicitly set
  • Updated field documentation to reflect the new opt-in behavior
  • Removed validation that required discussion: true if present (allowing discussion: false)
  • Added comprehensive test coverage for all three scenarios (unset, true, false)

Reviewed changes

Copilot reviewed 37 out of 37 changed files in this pull request and generated no comments.

Show a summary per file
File Description
pkg/workflow/safe_outputs_permissions.go Updated to conditionally include discussions permission based on Discussion field
pkg/workflow/add_comment.go Updated standalone handler permissions and field documentation; removed validation
pkg/workflow/hide_comment.go Added Discussion field and migrated parser to use unmarshalConfig
pkg/parser/schemas/main_workflow_schema.json Updated schemas to add/modify discussion field with default: false
pkg/workflow/safe_outputs_permissions_test.go Added comprehensive tests for all permission scenarios
pkg/workflow/compiler_safe_outputs_job_test.go Updated tests to reflect new permission expectations
pkg/workflow/notify_comment_test.go Removed test assertion for discussions permission
.github/workflows/*.lock.yml Removed discussions permission from compiled workflows

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@pelikhan
Add comprehensive parsing tests for add-comment and hide-comment fields
a2e59c4 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 18, 2026
edited
Loading

@copilot review changes and make sure the parsing of add-comments, hide-comments did not lose fields. Ensure proper testing.

Reviewed and verified in a2e59c4. Added comprehensive parsing tests to ensure no fields were lost during the migration to unmarshalConfig.

Fields verified for add-comment:
✅ max, target, target-repo, allowed-repos, discussion, hide-older-comments, allowed-reasons

Fields verified for hide-comment:
✅ max, target-repo, allowed-repos, discussion, allowed-reasons

Test coverage added:

  • All fields parse correctly with proper types
  • discussion: true, discussion: false, and unset (nil) all handled correctly
  • Wildcard target-repo validation still works
  • Default max values preserved (1 for add-comment, 5 for hide-comment)
  • All embedded struct fields (BaseSafeOutputConfig, SafeOutputTargetConfig) parse correctly

All workflow package tests pass (20s runtime).

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw st.go /usr/local/sbin/run ache/go/1.25.0/x--auto (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha L8uce4yl- cfg 64/pkg/tool/linux_amd64/vet mentsConfig t.go rgo/bin/grep 64/pkg/tool/linux_amd64/vet -l om/cli/go-gh/v2@v2.13.0/pkg/jsonpretty/format.go-errorsas cfg 64/pkg/tool/linux_amd64/vet mentsConfig n_test.go ndor/bin/grep 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha mentsConfig ode_test.go x_amd64/vet mentsConfig ns_test.go (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha v2.13.0/pkg/repository/repository.go ax_turns_validation_test.go 64/pkg/tool/linux_amd64/vet mentsConfig gration_test.go /home/REDACTED/.lo--show-toplevel 64/pkg/tool/linux_amd64/vet -l 999 cfg 64/pkg/tool/linux_amd64/vet mentsConfig .go ep 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha Config\|parseCommentsConfig ontainer_services_test.go 64/pkg/tool/linux_amd64/vet mentsConfig _test.go rgo/bin/grep 64/pkg/tool/linux_amd64/vet -l Config\|parseCommentsConfig cfg 64/pkg/tool/linux_amd64/vet mentsConfig onditional_test.rev-parse ndor/bin/grep 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v4 --jq .object.sha --noprofile grep /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet mentsConfig ls_default_test.rev-parse ache/go/1.25.0/x--show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build841607130/b011/vet.cfg 607130/b141/vet.cfg mentsConfig t.go 0/x64/bin/grep /opt/hostedtoolcache/go/1.25.0/xInitial commit (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha mentsConfig tion_test.go cal/bin/grep mentsConfig test.go ndor/bin/grep grep -l mentsConfig low_test.go /home/REDACTED/.lo-nilfunc mentsConfig _test.go 64/bin/grep grep (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha om/goccy/go-yaml@v1.19.2/lexer/lexer.go cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile mentsConfig all_test.go 64/bin/grep ache/go/1.25.0/x64/pkg/tool/linux_amd64/compile -l 607130/b328/_pkg_.a ./pkg/workflow/job_dependencies_test.go ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet mentsConfig gh/go-spew/spew ache/go/1.25.0/x--show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha /tmp/go-build841607130/b327/_pkg_.a -trimpath 607130/b246/vet.cfg -p github.com/stretrev-parse -lang=go1.17 /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build841607130/b078/vet.cfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -c=4 -nolocalimports -importcfg /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha Config\|parseCommentsConfig ontainer_services_test.go 64/pkg/tool/linux_amd64/vet mentsConfig _test.go /usr/local/sbin/--show-toplevel 64/pkg/tool/linux_amd64/vet -l Config\|parseCommentsConfig cfg 64/pkg/tool/linux_amd64/vet mentsConfig go rep 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha Config\|parseCommentsConfig ontainer_services_test.go 64/pkg/tool/linux_amd64/vet mentsConfig _test.go 0/x64/bin/grep 64/pkg/tool/linux_amd64/vet -l Config\|parseCommentsConfig cfg 64/pkg/tool/linux_amd64/vet mentsConfig onditional_test.rev-parse (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --noprofile grep /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet mentsConfig ls_default_test.rev-parse k/_temp/ghcca-no--show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet -uns�� -unreachable=false /tmp/go-build841607130/b015/vet.cfg 607130/b272/vet.cfg mentsConfig t.go grep /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha Config\|parseCommentsConfig ax_turns_validation_test.go 64/pkg/tool/linux_amd64/vet mentsConfig _test.go (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha Config\|parseCommentsConfig ax_turns_validation_test.go 64/pkg/tool/linux_amd64/vet mentsConfig _test.go ndor/bin/grep 64/pkg/tool/linux_amd64/vet -l Config\|parseCommentsConfig cfg 64/pkg/tool/linux_amd64/vet mentsConfig go 64/bin/grep 64/pkg/tool/linux_amd64/vet (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha mentsConfig ator_test.go /home/REDACTED/.local/bin/grep mentsConfig test.go 64/bin/grep grep -l mentsConfig ator_test.go ep mentsConfig o ache/go/1.25.0/x-bool grep (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha mentsConfig comment_test.go ndor/bin/grep mentsConfig test.go de/node/bin/grep-bool grep -l mentsConfig ator_test.go 64/bin/grep mentsConfig o k/_temp/ghcca-no-bool grep (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan closed this Feb 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

add-comment and hide-comment safe outputs unconditionally request discussions:write permission

2 participants

@pelikhan