Skip to content

[plan] Add missing GitHub permissions to 4 affected workflows #9991

New issue
New issue
Closed
#10020
Closed
[plan] Add missing GitHub permissions to 4 affected workflows#9991
#10020
Assignees
mnkiefercopilot-swe-agent
Labels
ai-generatedplan
@github-actions

Description

@github-actions
github-actions
bot
opened on Jan 14, 2026

Objective

Add missing issues: read and pull-requests: read permissions to workflows that use GitHub API toolsets but lack required permissions.

Context

Tool: compiler warnings
Count: 4 workflows affected
Issue: Workflows using GitHub toolsets without proper permissions will fail at runtime

When workflows use the GitHub MCP server or GitHub API toolsets, they require explicit permissions to access issues and pull requests. Without these permissions, API calls will fail with 403 Forbidden errors.

Affected Workflows

  1. .github/workflows/ai-moderator.md - missing issues: read, pull-requests: read
  2. .github/workflows/daily-choice-test.md - missing pull-requests: read
  3. .github/workflows/duplicate-code-detector.md - missing issues: read, pull-requests: read
  4. .github/workflows/example-custom-error-patterns.md - missing issues: read, pull-requests: read

Approach

For each workflow:

  1. Open the workflow markdown file
  2. Locate the permissions: section in the frontmatter (or add one if missing)
  3. Add the missing permissions based on which toolsets are being used
  4. Ensure permissions follow least-privilege principle (read-only unless write needed)
  5. Compile and validate the workflow

Files to Modify

  • .github/workflows/ai-moderator.md
  • .github/workflows/daily-choice-test.md
  • .github/workflows/duplicate-code-detector.md
  • .github/workflows/example-custom-error-patterns.md

Example Fix

Before:

---
engine: copilot
tools:
  github:
    mode: remote
    toolsets: [issues, pull_requests]
permissions:
  contents: read
---

After:

---
engine: copilot
tools:
  github:
    mode: remote
    toolsets: [issues, pull_requests]
permissions:
  contents: read
  issues: read
  pull-requests: read
---

Acceptance Criteria

  • All 4 workflows have correct permissions added
  • Workflows compile successfully with make recompile
  • No compiler warnings about missing permissions for these workflows
  • Permissions follow least-privilege principle
  • Workflows can successfully access GitHub API resources

Testing

# Recompile all affected workflows
make build
./gh-aw compile .github/workflows/ai-moderator.md
./gh-aw compile .github/workflows/daily-choice-test.md
./gh-aw compile .github/workflows/duplicate-code-detector.md
./gh-aw compile .github/workflows/example-custom-error-patterns.md

# Verify no permission warnings
make recompile 2>&1 | grep -i "missing-permissions"

Related to #9990

AI generated by Plan Command for discussion #9966

Metadata

Metadata

Assignees

Labels

ai-generatedplan

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions