[cli-tools-test] Compile error: security-alert-burndown campaign workflow missing required GitHub toolset permissions #21056

@github-actions

Detected during daily CLI exploratory testing on 2026-03-15. The auto-generated campaign workflow .github/workflows/security-alert-burndown.campaign.g.md fails to compile due to missing required permissions for its declared GitHub toolsets.

Problem Description

The workflow uses GitHub toolsets [default, actions, code_security] but does not declare the required permissions: block in its frontmatter, causing a compilation error.

Tool

  • Tool: compile
  • Command: agenticworkflows-compile (all workflows)

Steps to Reproduce

  1. Run gh aw compile (or use the MCP compile tool)
  2. Observe compilation failure for security-alert-burndown.campaign.g.md

Expected Behavior

Campaign orchestrator workflows should either:

  • Automatically include required permissions when toolsets are configured, or
  • The campaign generator should add necessary permissions to generated files

Actual Behavior

.github/workflows/security-alert-burndown.campaign.g.md:1:1: error: Missing required permissions for GitHub toolsets:
  - actions: read (required by actions)
  - issues: read (required by issues)
  - pull-requests: read (required by pull_requests)
  - security-events: read (required by code_security)

Relevant Workflow Frontmatter

tools:
  github:
    toolsets:
    - default
    - actions
    - code_security

Missing permissions: block:

permissions:
  actions: read
  issues: read
  pull-requests: read
  security-events: read

Environment

  • Repository: github/gh-aw
  • Run ID: §23110685601
  • Date: 2026-03-15
  • File: .github/workflows/security-alert-burndown.campaign.g.md

Impact

  • Severity: Medium
  • Frequency: Always (every compile)
  • Workaround: Manually add permissions: block to the generated .campaign.g.md file

Additional Findings from Daily Testing

All other tools tested were functioning correctly:

  • logs: Filtering by workflow name, engine, date range, and count all work. Edge cases (non-existent workflow, future dates, old dates) handled gracefully.
  • audit: Successfully audited successful runs, failed runs, and runs with safe outputs. Error messages are clear and actionable. Invalid run IDs return helpful errors.
  • compile: 171/173 workflows compiled successfully. The 2nd failure (mcp-inspector.md) is environment-specific (missing npm in PATH for package validation).
  • Issue Monster recurring failures (hourly) are due to lockdown: true + no GH_AW_GITHUB_TOKEN configured — a known configuration state.
  • ⚠️ Smoke Gemini failed at safe_outputs job after agent reported build failure via add_comment — the safe_outputs job failure details were not surfaced in the audit errors array, which may be a diagnostic gap worth investigating separately.

References:

Generated by Daily CLI Tools Exploratory Tester · expires on Mar 22, 2026, 12:54 PM UTC
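As an added illustration (not code from the gh-aw project or from this report), the following checker reproduces the validation the compiler performs above: it reads the GitHub toolsets from a workflow's frontmatter, maps each toolset to the permission the error message lists, and renders the missing permissions: block that the workaround says to add by hand. It assumes that the default toolset bundles the issues and pull_requests toolsets (the error names both although only default was declared), and the toolset-to-permission table is taken from the error output; the parser is deliberately minimal rather than a full YAML implementation.

```python
TOOLSET_PERMISSIONS = {  # toolset -> (permission key, minimum scope), per the compile error
    "actions": ("actions", "read"),
    "issues": ("issues", "read"),
    "pull_requests": ("pull-requests", "read"),
    "code_security": ("security-events", "read"),
}
# Assumption: "default" bundles issues and pull_requests, which is why the error names
# them although the frontmatter only lists "default".
TOOLSET_ALIASES = {"default": ["issues", "pull_requests"]}
SCOPE_RANK = {"none": 0, "read": 1, "write": 2}

def parse_frontmatter(text):
    """Extract (toolsets, permissions). Minimal by design, not a full YAML parser: it reads
    the '- item' list under 'toolsets:' and the 'key: value' lines under 'permissions:'."""
    toolsets, permissions, section = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if line == "toolsets:" or line == "permissions:":
            section = (line[:-1], indent)
            continue
        if section and (indent < section[1] or (indent == section[1] and not line.startswith("- "))):
            section = None  # dedented out of the block we were reading
        if section and section[0] == "toolsets" and line.startswith("- "):
            toolsets.append(line[2:].strip())
        elif section and section[0] == "permissions":
            key, _, value = line.partition(":")
            permissions[key.strip()] = value.strip()
    return toolsets, permissions

def missing_permissions(text):
    """Return {permission: (scope, toolset)} for permissions absent or weaker than required."""
    toolsets, declared = parse_frontmatter(text)
    required = {}
    for t in toolsets:
        for member in TOOLSET_ALIASES.get(t, [t]):
            if member in TOOLSET_PERMISSIONS:
                key, scope = TOOLSET_PERMISSIONS[member]
                required[key] = (scope, member)
    return {k: v for k, v in sorted(required.items())
            if SCOPE_RANK.get(declared.get(k, "none"), 0) < SCOPE_RANK[v[0]]}

def render_permissions_block(missing):
    """Render the block to paste into the frontmatter (the report's workaround)."""
    return "\n".join(["permissions:"] + [f"  {k}: {s}" for k, (s, _) in missing.items()])

# Constructed sample mirroring the frontmatter quoted in the report.
SAMPLE = "tools:\n  github:\n    toolsets:\n    - default\n    - actions\n    - code_security\n"
```

Calling `missing_permissions(SAMPLE)` yields the same four read permissions the compiler lists, and `render_permissions_block` on that result produces the block shown under "Missing permissions: block"; appending it to the frontmatter makes the check pass.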
