gh-aw: GitHub App token narrowing omits Dependabot alerts permission for GitHub MCP (403 on list_dependabot_alerts)

[Dan-Co]

Summary
When using GitHub App auth for tools.github with least-privilege workflow permissions, the compiled workflow narrows the app token to contents, pull-requests, and security-events read.
Dependabot alert reads then fail with:

403 Resource not accessible by integration
on GET /repos/{owner}/{repo}/dependabot/alerts

Impact
github-list_dependabot_alerts fails in agent runs
CodeQL (list_code_scanning_alerts) can still succeed
Security remediation workflows fail preflight even though app installation has Dependabot access
Reproduction
Configure workflow with:
tools.github.app (GitHub App auth)
toolsets including dependabot and code_security
least-privilege permissions (contents: read, pull-requests: read, security-events: read)
Compile and run workflow.
Observe:
github-list_dependabot_alerts -> 403
github-list_code_scanning_alerts -> success
Actual
Compiled lockfile token mint step includes:

permission-contents: read
permission-pull-requests: read
permission-security-events: read
No dependabot-alerts permission
Expected
If dependabot toolset is enabled, token narrowing should also request Dependabot alerts read permission.

Root Cause
Current permission mapping/token narrowing does not include a Dependabot-specific permission when dependabot toolset is used.

Proposed Fix
Add Dependabot alerts permission to narrowed GitHub App token generation when dependabot toolset is active, e.g.:

permission-dependabot-alerts: read (or equivalent supported permission key)
Also update frontmatter/compiler schema so least-privilege workflows can explicitly declare Dependabot alerts read without requiring broader permission workarounds.

[pelikhan]

Dependabot is not reachable using the actions token, it requires a PAT with security_events ... We need to somehow message that.

[pelikhan]

#17983

[pelikhan]

@mnkiefer can we document how to make dependabot work?

[Dan-Co]

Thanks for picking up so quickly.

Github App token already supports dependabot retreival, will "gh aw" support after this?

It was all working well "dependabot retreival" using personal fine grained token - when i switched to github app I needed to switch the permission request section from read-all (as github app not scoped for all), to granular, and there was no dependabot permission and its not covered by security_events:read
This was the permissions section I couldnt add dependabot permissions to.

runs-on: <fixed IP self hosted runner)
permissions:
  contents: read
  pull-requests: read
  security-events: read
strict: false

Apologies guess you already know this but this was the context from this issue.

[Dan-Co]

Hi any chance of a clue in this one? I've had to revert my GitHub app workflow to using a personal PAT for now as the permissions aren't propagated even though they are given to the app directly.
I'd love to be sharing my workflow all around our enterprise but can't without it working on a GitHub app.