Add vulnerability-alerts permission

src/Sdk/WorkflowParser/Conversion/PermissionsHelper.cs

@@ -32,7 +32,7 @@ internal static void ValidateEmbeddedPermissions(
                 return;
             }
 
-            var effectiveMax = explicitMax ?? CreatePermissionsFromPolicy(context, permissionsPolicy, includeIdToken: isTrusted, includeModels: context.GetFeatures().AllowModelsPermission);
+            var effectiveMax = explicitMax ?? CreatePermissionsFromPolicy(context, permissionsPolicy, includeIdToken: isTrusted, includeModels: context.GetFeatures().AllowModelsPermission, includeVulnerabilityAlerts: context.GetFeatures().AllowVulnerabilityAlertsPermission);
 
             if (requested.ViolatesMaxPermissions(effectiveMax, out var permissionLevelViolations))
             {
@@ -59,18 +59,19 @@ private static Permissions CreatePermissionsFromPolicy(
             TemplateContext context,
             string permissionsPolicy,
             bool includeIdToken,
-            bool includeModels)
+            bool includeModels,
+            bool includeVulnerabilityAlerts)
         {
             switch (permissionsPolicy)
             {
                 case WorkflowConstants.PermissionsPolicy.LimitedRead:
-                    return new Permissions(PermissionLevel.NoAccess, includeIdToken: false, includeAttestations: false, includeModels: false)
+                    return new Permissions(PermissionLevel.NoAccess, includeIdToken: false, includeAttestations: false, includeModels: false, includeVulnerabilityAlerts: false)
                     {
                         Contents = PermissionLevel.Read,
                         Packages = PermissionLevel.Read,
                     };
                 case WorkflowConstants.PermissionsPolicy.Write:
-                    return new Permissions(PermissionLevel.Write, includeIdToken: includeIdToken, includeAttestations: true, includeModels: includeModels);
+                    return new Permissions(PermissionLevel.Write, includeIdToken: includeIdToken, includeAttestations: true, includeModels: includeModels, includeVulnerabilityAlerts: includeVulnerabilityAlerts);
                 default:
                     throw new ArgumentException($"Unexpected permission policy: '{permissionsPolicy}'");
             }

src/Sdk/WorkflowParser/Conversion/WorkflowTemplateConverter.cs

@@ -1877,7 +1877,7 @@ private static Permissions ConvertToPermissions(TemplateContext context, Templat
                         permissionsStr.AssertUnexpectedValue(permissionsStr.Value);
                         break;
                 }
-                return new Permissions(permissionLevel, includeIdToken: true, includeAttestations: true, includeModels: context.GetFeatures().AllowModelsPermission);
+                return new Permissions(permissionLevel, includeIdToken: true, includeAttestations: true, includeModels: context.GetFeatures().AllowModelsPermission, includeVulnerabilityAlerts: context.GetFeatures().AllowVulnerabilityAlertsPermission);
             }
 
             var mapping = token.AssertMapping("permissions");
@@ -1957,6 +1957,23 @@ private static Permissions ConvertToPermissions(TemplateContext context, Templat
                             context.Error(key, $"The permission 'models' is not allowed");
                         }
                         break;
+                    case "vulnerability-alerts":
+                        if (context.GetFeatures().AllowVulnerabilityAlertsPermission)
+                        {
+                            if (permissionLevel == PermissionLevel.Write)
+                            {
+                                permissions.VulnerabilityAlerts = PermissionLevel.Read;
+                            }
+                            else
+                            {
+                                permissions.VulnerabilityAlerts = permissionLevel;
+                            }
+                        }
+                        else
+                        {
+                            context.Error(key, $"The permission 'vulnerability-alerts' is not allowed");
+                        }
+                        break;
                     default:
                         break;
                 }

src/Sdk/WorkflowParser/Permissions.cs

@@ -32,6 +32,7 @@ public Permissions(Permissions copy)
             SecurityEvents = copy.SecurityEvents;
             IdToken = copy.IdToken;
             Models = copy.Models;
+            VulnerabilityAlerts = copy.VulnerabilityAlerts;
         }
 
         public Permissions(
@@ -61,6 +62,19 @@ public Permissions(
                 : PermissionLevel.NoAccess;
         }
 
+        public Permissions(
+            PermissionLevel permissionLevel,
+            bool includeIdToken,
+            bool includeAttestations,
+            bool includeModels,
+            bool includeVulnerabilityAlerts)
+            : this(permissionLevel, includeIdToken, includeAttestations, includeModels)
+        {
+            VulnerabilityAlerts = includeVulnerabilityAlerts
+                ? (permissionLevel == PermissionLevel.Write ? PermissionLevel.Read : permissionLevel)
+                : PermissionLevel.NoAccess;
+        }
+
         private static KeyValuePair<string, (PermissionLevel, PermissionLevel)>[] ComparisonKeyMapping(Permissions left, Permissions right)
         {
             return new[]
@@ -81,6 +95,7 @@ public Permissions(
                 new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("security-events", (left.SecurityEvents, right.SecurityEvents)),
                 new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("id-token", (left.IdToken, right.IdToken)),
                 new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("models", (left.Models, right.Models)),
+                new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("vulnerability-alerts", (left.VulnerabilityAlerts, right.VulnerabilityAlerts)),
             };
         }
 
@@ -154,6 +169,13 @@ public PermissionLevel Models
             set;
         }
 
+        [DataMember(Name = "vulnerability-alerts", EmitDefaultValue = false)]
+        public PermissionLevel VulnerabilityAlerts
+        {
+            get;
+            set;
+        }
+
         [DataMember(Name = "packages", EmitDefaultValue = false)]
         public PermissionLevel Packages
         {

src/Sdk/WorkflowParser/WorkflowFeatures.cs

@@ -41,6 +41,13 @@ public class WorkflowFeatures
         [DataMember(EmitDefaultValue = false)]
         public bool AllowModelsPermission { get; set; }
 
+        /// <summary>
+        /// Gets or sets a value indicating whether users may use the "vulnerability-alerts" permission.
+        /// Used during parsing only.
+        /// </summary>
+        [DataMember(EmitDefaultValue = false)]
+        public bool AllowVulnerabilityAlertsPermission { get; set; }
+
         /// <summary>
         /// Gets or sets a value indicating whether the expression function fromJson performs strict JSON parsing.
         /// Used during evaluation only.
@@ -67,6 +74,7 @@ public static WorkflowFeatures GetDefaults()
                 Snapshot = false,           // Default to false since this feature is still in an experimental phase
                 StrictJsonParsing = false,  // Default to false since this is temporary for telemetry purposes only
                 AllowModelsPermission = false, // Default to false since we want this to be disabled for all non-production environments
+                AllowVulnerabilityAlertsPermission = false, // Default to false since we want this to be disabled for all non-production environments
                 AllowServiceContainerCommand = false, // Default to false since this feature is gated by actions_service_container_command
             };
         }

src/Sdk/WorkflowParser/workflow-v1.0.json

@@ -496,8 +496,8 @@
     "check-suite-activity": {
       "description": "The types of check suite activity that trigger the workflow. Supported activity types: `completed`.",
       "one-of": [
-         "check-suite-activity-type",
-         "check-suite-activity-types"
+        "check-suite-activity-type",
+        "check-suite-activity-types"
       ]
     },
     "check-suite-activity-types": {
@@ -1865,11 +1865,15 @@
           },
           "security-events": {
             "type": "permission-level-any",
-            "description": "Code scanning and Dependabot alerts."
+            "description": "Code scanning alerts."
           },
           "statuses": {
             "type": "permission-level-any",
             "description": "Commit statuses."
+          },
+          "vulnerability-alerts": {
+            "type": "permission-level-read-or-no-access",
+            "description": "Dependabot alerts."
           }
         }
       }