Add missing GitHub permissions to workflows using GitHub API toolsets

[Copilot]

Workflows using GitHub MCP server toolsets (issues, pull_requests) require explicit issues: read and pull-requests: read permissions. Without these, API calls fail with 403 errors at runtime.

Changes

Permissions added:

• ai-moderator.md - Added issues: read and pull-requests: read
• daily-choice-test.md - Added pull-requests: read
• example-custom-error-patterns.md - Added issues: read and pull-requests: read

Before:

tools:
  github:
    mode: remote
    toolsets: [issues, pull_requests]
permissions:
  contents: read

After:

tools:
  github:
    mode: remote
    toolsets: [issues, pull_requests]
permissions:
  contents: read
  issues: read
  pull-requests: read

All workflows now compile without permission warnings. duplicate-code-detector.md already had correct permissions.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[plan] Add missing GitHub permissions to 4 affected workflows</issue_title>
<issue_description>## Objective

Add missing issues: read and pull-requests: read permissions to workflows that use GitHub API toolsets but lack required permissions.

Context

Tool: compiler warnings
Count: 4 workflows affected
Issue: Workflows using GitHub toolsets without proper permissions will fail at runtime

When workflows use the GitHub MCP server or GitHub API toolsets, they require explicit permissions to access issues and pull requests. Without these permissions, API calls will fail with 403 Forbidden errors.

Affected Workflows

1. .github/workflows/ai-moderator.md - missing issues: read, pull-requests: read
2. .github/workflows/daily-choice-test.md - missing pull-requests: read
3. .github/workflows/duplicate-code-detector.md - missing issues: read, pull-requests: read
4. .github/workflows/example-custom-error-patterns.md - missing issues: read, pull-requests: read

Approach

For each workflow:

1. Open the workflow markdown file
2. Locate the permissions: section in the frontmatter (or add one if missing)
3. Add the missing permissions based on which toolsets are being used
4. Ensure permissions follow least-privilege principle (read-only unless write needed)
5. Compile and validate the workflow

Files to Modify

• .github/workflows/ai-moderator.md
• .github/workflows/daily-choice-test.md
• .github/workflows/duplicate-code-detector.md
• .github/workflows/example-custom-error-patterns.md

Example Fix

Before:

---
engine: copilot
tools:
  github:
    mode: remote
    toolsets: [issues, pull_requests]
permissions:
  contents: read
---

After:

---
engine: copilot
tools:
  github:
    mode: remote
    toolsets: [issues, pull_requests]
permissions:
  contents: read
  issues: read
  pull-requests: read
---

Acceptance Criteria

• All 4 workflows have correct permissions added
• Workflows compile successfully with make recompile
• No compiler warnings about missing permissions for these workflows
• Permissions follow least-privilege principle
• Workflows can successfully access GitHub API resources

Testing

# Recompile all affected workflows
make build
./gh-aw compile .github/workflows/ai-moderator.md
./gh-aw compile .github/workflows/daily-choice-test.md
./gh-aw compile .github/workflows/duplicate-code-detector.md
./gh-aw compile .github/workflows/example-custom-error-patterns.md

# Verify no permission warnings
make recompile 2>&1 | grep -i "missing-permissions"

Related to #9990

AI generated by Plan Command for discussion #9966

Comments on the Issue (you are @copilot in this section)

• Fixes [plan] Add missing GitHub permissions to 4 affected workflows #9991

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.