Copilot AI commented Jan 22, 2026

The id-token: write permission enables OIDC token generation for cloud provider authentication (AWS, GCP, Azure) and doesn't modify repository content, making it safe for strict mode.

Changes

  • Excluded id-token from dangerous permissions validator in findWritePermissions() - it now skips PermissionIdToken when checking for write permissions that require the feature flag
  • Added test coverage for id-token: write behavior in both general and strict modes
  • Fixed pre-existing test bugs: removed invalid "write" shorthand test (not a valid GitHub Actions shorthand), corrected MCP container network validation test expectations

Example

Workflows can now use id-token: write in strict mode for OIDC authentication:

---
name: Deploy to AWS
on: push
strict: true
permissions:
  id-token: write      # Now allowed - used for AWS authentication
  contents: read
---

This continues to block repository-modifying permissions like contents: write, issues: write, and pull-requests: write in strict mode.

Original prompt

Allow idtoken: write permission in strict mode.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Allow idtoken write permission in strict mode" to "Allow id-token: write permission in strict mode" Jan 22, 2026
Copilot AI requested a review from pelikhan January 22, 2026 15:09
@pelikhan pelikhan marked this pull request as ready for review January 22, 2026 15:19
@pelikhan pelikhan merged commit 2f72d5d into main Jan 22, 2026
117 checks passed
@pelikhan pelikhan deleted the copilot/allow-idtoken-write-permission branch January 22, 2026 15:25
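
The strict-mode rule described in the pull request, as an added sketch that is not the project's findWritePermissions() code: write-level scopes are rejected except id-token. The name strictViolations, the shorthand argument and the rejection of write-all are assumptions of this sketch, and the inputs are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// strictViolations (hypothetical name) lists what a strict-mode check rejects.
// shorthand is the scalar form of `permissions:` ("read-all", "write-all" or "");
// perms is the mapping form (scope -> level).
func strictViolations(shorthand string, perms map[string]string) []string {
	// Assumption of this sketch: write-all is rejected as a whole, because it
	// implies contents: write and the other repository-modifying scopes.
	if shorthand == "write-all" {
		return []string{"write-all"}
	}
	var out []string
	for scope, level := range perms {
		if level != "write" {
			continue // read and none never modify the repository
		}
		if scope == "id-token" {
			continue // only allows requesting an OIDC token; no repo content change
		}
		out = append(out, scope+": write")
	}
	sort.Strings(out) // map iteration order is random; keep output stable
	return out
}

func main() {
	// Constructed inputs: the "Deploy to AWS" permissions from the PR text,
	// and a variant that also asks for repository-modifying scopes.
	deploy := map[string]string{"id-token": "write", "contents": "read"}
	mixed := map[string]string{"id-token": "write", "contents": "write", "issues": "write"}
	fmt.Println(strictViolations("", deploy))
	fmt.Println(strictViolations("", mixed))
	fmt.Println(strictViolations("write-all", nil))
}
```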