fix(permissions): reject invalid id-token: read permission

pkg/parser/schema_test.go

@@ -1412,6 +1412,39 @@ func TestValidateMainWorkflowFrontmatterWithSchema(t *testing.T) {
 			},
 			wantErr: false,
 		},
+		// id-token permission validation - id-token only supports "write" and "none", not "read"
+		// See: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs#defining-access-for-the-github_token-scopes
+		{
+			name: "invalid: id-token: read is not allowed (only write and none)",
+			frontmatter: map[string]any{
+				"on": "workflow_dispatch",
+				"permissions": map[string]any{
+					"id-token": "read",
+				},
+			},
+			wantErr:     true,
+			errContains: "id-token",
+		},
+		{
+			name: "valid: id-token: write is allowed",
+			frontmatter: map[string]any{
+				"on": "workflow_dispatch",
+				"permissions": map[string]any{
+					"id-token": "write",
+				},
+			},
+			wantErr: false,
+		},
+		{
+			name: "valid: id-token: none is allowed",
+			frontmatter: map[string]any{
+				"on": "workflow_dispatch",
+				"permissions": map[string]any{
+					"id-token": "none",
+				},
+			},
+			wantErr: false,
+		},
 	}
 
 	for _, tt := range tests {

pkg/parser/schemas/main_workflow_schema.json

@@ -1534,8 +1534,8 @@
             },
             "id-token": {
               "type": "string",
-              "enum": ["read", "write", "none"],
-              "description": "Permission level for OIDC token requests (read/write/none). Allows workflows to request JWT tokens for cloud provider authentication."
+              "enum": ["write", "none"],
+              "description": "Permission level for OIDC token requests (write/none only - read is not supported). Allows workflows to request JWT tokens for cloud provider authentication."
             },
             "issues": {
               "type": "string",

pkg/workflow/idtoken_write_warning_test.go

@@ -16,9 +16,10 @@ import (
 // TestIdTokenWriteWarning tests that id-token: write permission emits a warning
 func TestIdTokenWriteWarning(t *testing.T) {
 	tests := []struct {
-		name          string
-		content       string
-		expectWarning bool
+		name              string
+		content           string
+		expectWarning     bool
+		expectCompileFail bool
 	}{
 		{
 			name: "id-token write produces warning",
@@ -35,7 +36,7 @@ permissions:
 			expectWarning: true,
 		},
 		{
-			name: "id-token read does not produce warning",
+			name: "id-token read is invalid and compilation fails",
 			content: `---
 on: workflow_dispatch
 engine: copilot
@@ -46,7 +47,8 @@ permissions:
 
 # Test Workflow
 `,
-			expectWarning: false,
+			expectWarning:     false,
+			expectCompileFail: true,
 		},
 		{
 			name: "no id-token does not produce warning",
@@ -129,6 +131,14 @@ engine: copilot
 			io.Copy(&buf, r)
 			stderrOutput := buf.String()
 
+			// Handle cases where compilation is expected to fail
+			if tt.expectCompileFail {
+				if err == nil {
+					t.Errorf("Expected compilation to fail but it succeeded")
+				}
+				return
+			}
+
 			if err != nil {
 				t.Errorf("Expected compilation to succeed but it failed: %v", err)
 				return

pkg/workflow/schemas/github-workflow.json

@@ -181,7 +181,8 @@
           "$ref": "#/definitions/permissions-level"
         },
         "id-token": {
-          "$ref": "#/definitions/permissions-level"
+          "type": "string",
+          "enum": ["write", "none"]
         },
         "issues": {
           "$ref": "#/definitions/permissions-level"