Remove automatic contents read permission requirement #16539

Closed
Copilot wants to merge 4 commits into main from copilot/remove-automatic-contents-read

Copilot AI commented Feb 18, 2026

Remove automatic contents:read from agent job

The agent job no longer needs automatic contents: read permission. This was previously required to read the prompt from the repository, but the prompt is no longer read from the repo.

Changes Summary:

Updated buildMainJob() in compiler_activation_jobs.go to conditionally add contents: read:

  • Only when user explicitly specifies permissions: contents: read in frontmatter
  • OR in development/script mode when local actions need checkout

Removed unconditional contents: read addition logic (lines 918-934)

Added conditional logic to check if dev/script mode AND checkout is needed

Updated tests:

  • Modified permissions_explicit_empty_test.go expectations
  • Added new test TestAgentJobPermissionsConditional to verify conditional behavior
  • All existing permission tests pass

Full validation completed:

  • All 154 workflows compile successfully
  • All permission-related tests pass
  • Build and formatting checks pass

Behavior:

  • Release mode (no explicit contents): Agent job gets permissions: {} (no automatic contents:read)
  • Dev mode (local actions): Agent job gets permissions: contents: read (for checkout)
  • Explicit contents:read: Preserved in both modes when user specifies it

The changes are minimal and focused, affecting only the permission logic for the agent job without altering any other functionality.
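
The rule described above, that `contents: read` is only warranted when the job checks out the repository, can be checked against compiled workflow output. The Go code below is an added example, not code from this PR or from gh-aw; the sample workflow, its job names, the two-space YAML layout and the `actions/checkout` heuristic are assumptions.

```go
package main

import "fmt"
import "strings"

// Constructed sample of compiled workflow output; job names and layout are assumptions.
const sample = `jobs:
  agent:
    permissions:
      contents: read
    steps:
      - run: echo agent
  dev_agent:
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v6
`

// UnneededContentsRead lists jobs that grant contents: read but have no actions/checkout step.
func UnneededContentsRead(workflow string) (flagged []string) {
	var order []string
	grants, checkout := map[string]bool{}, map[string]bool{}
	job, inJobs, inPerms := "", false, false
	for _, line := range strings.Split(workflow, "\n") {
		trimmed := strings.TrimSpace(line)
		switch indent := len(line) - len(strings.TrimLeft(line, " ")); {
		case trimmed == "" || trimmed[0] == '#': // skip blank lines and comments
		case indent == 0: // a new top-level key ends any job block
			inJobs, job = trimmed == "jobs:", ""
		case inJobs && indent == 2 && strings.HasSuffix(trimmed, ":"):
			job, inPerms = strings.TrimSuffix(trimmed, ":"), false
			order = append(order, job)
		case job != "" && indent == 4: // job-level key; only a block "permissions:" opens the map
			inPerms = trimmed == "permissions:"
		case inPerms && indent == 6 && trimmed == "contents: read":
			grants[job] = true
		case job != "" && strings.Contains(trimmed, "uses: actions/checkout@"):
			checkout[job] = true
		}
	}
	for _, j := range order {
		if grants[j] && !checkout[j] {
			flagged = append(flagged, j)
		}
	}
	return flagged
}

func main() { fmt.Println(UnneededContentsRead(sample)) }
```

A flagged job is a candidate for review rather than a definite error, since the PR preserves `contents: read` when the user specifies it explicitly.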



Copilot AI and others added 3 commits February 18, 2026 07:12
The agent job no longer automatically adds contents:read permission. This was previously required to read the prompt from the repository, but the prompt is no longer read from the repo.

Changes:
- Updated buildMainJob() to only add contents:read when:
  1. User explicitly specifies permissions: contents: read, OR
  2. In development/script mode when local actions need checkout
- Updated permissions_explicit_empty_test.go expectations
- Added new test TestAgentJobPermissionsConditional to verify conditional behavior
- All existing permission tests pass

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

pelikhan commented

@copilot Keep working

Copilot AI commented Feb 18, 2026

@copilot Keep working

Full validation completed successfully:

  • ✅ All 154 workflows compile
  • ✅ All permission tests pass (unit + integration)
  • ✅ Build and format checks pass
  • ✅ Verified behavior: Release mode no longer adds automatic contents:read, dev mode adds it for local action checkout

Ready for review.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] Remove automatic contents read permission requirement" to "Remove automatic contents read permission requirement" Feb 18, 2026
pelikhan closed this Feb 18, 2026