Summary
After upgrading from v0.67.4 → v0.68.1, create_discussion safe-outputs fail with a permissions error and fall back to issue creation. The GitHub App has Discussions permission configured.
The root cause: the v0.68.1 compiler no longer includes permission-discussions when minting the GitHub App token in the safe_outputs job. According to the auth docs:
When you configure github-app: for safe outputs, tokens are minted with permissions specific to the safe output operations being performed
The compiler should map create-discussion → discussions: write on the app token, but v0.68.1 does not.
Evidence
Runtime error (safe_outputs job)
##[warning]Failed to fetch discussion info due to permissions: Request failed due to following response errors:
✓ Successfully created issue #391 as fallback
Lock file diff (v0.67.4 → v0.68.1, same .md source)
60 permission-discussions lines removed, 0 added across all lock files.
v0.67.4 (working):
# safe_outputs job → create-github-app-token step
permission-actions: write
permission-contents: read
permission-discussions: write # ← present
permission-issues: write
v0.68.1 (broken):
# safe_outputs job → create-github-app-token step
permission-actions: write
permission-contents: read
# ← permission-discussions gone
permission-issues: write
GITHUB_TOKEN has the right permissions
The safe_outputs job's GITHUB_TOKEN shows Discussions: write at the job level — so the compiler correctly sets the job permissions. The issue is only with the app token minted by create-github-app-token.
Frontmatter (unchanged between versions)
permissions:
  contents: read
  issues: read
  pull-requests: read
  discussions: read
checkout:
  - path: target
    repository: ${{ github.event.inputs.trigger_ref }}
    github-app:
      app-id: ${{ secrets.APP_ID }}
      private-key: ${{ secrets.APP_KEY }}
      owner: my-org
      repositories: ["*"]
safe-outputs:
  create-discussion:
    max: 1
    category: Discussion Category
    fallback-to-issue: true
No github-app under safe-outputs: — the compiler infers it from the checkout github-app. This worked correctly in v0.67.4.
Notes
- permission-discussions was always flagged as an "Unexpected input" by create-github-app-token, but the action passes unknown permission-* inputs through to the GitHub API. Despite the warning, it was functionally required for scoping the app token.
- The GitHub App itself has the Discussions permission — the issue is that the minted token isn't requesting it.
- The fallback-to-issue behavior works as documented, but discussions are the intended target.
Expected behavior
When create-discussion is configured in safe-outputs, the compiler should emit permission-discussions: write on the create-github-app-token step in the safe_outputs job, as it did in v0.67.4.
Environment
- gh-aw: v0.68.1 (previous working: v0.67.4)
- Runner: ubuntu-latest (GitHub-hosted)
- GitHub App: Has Discussions permission enabled
- Run IDs and repository details available on request
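
A regression check for compiled lock files, added here as an example (not part of the original report and not gh-aw code): it collects the permission-* inputs inside the safe_outputs job and reports which ones are missing for the configured safe outputs, ignoring the job-level GITHUB_TOKEN permissions. The lock-file layout in the constructed sample and all function names are assumptions; only the create-discussion → permission-discussions: write mapping comes from the report.

```python
import re

# From the issue: create-discussion needs discussions: write on the minted app token.
REQUIRED = {"create-discussion": ("permission-discussions", "write")}

def job_lines(lock_text, job="safe_outputs"):
    """Lines belonging to one job, found by indentation (no YAML library needed)."""
    out, indent = [], None
    for line in lock_text.splitlines():
        body = line.strip()
        cur = len(line) - len(line.lstrip())
        if indent is None:
            if body == f"{job}:":
                indent = cur
        elif body and not body.startswith("#") and cur <= indent:
            break  # reached the next job or a top-level key
        else:
            out.append(line)
    return out

def app_token_permissions(lock_text):
    """permission-* inputs in the safe_outputs job; commented-out lines do not count."""
    pat = re.compile(r"\s*(permission-[a-z-]+):\s*(\w+)\s*(#.*)?$")
    return {m[1]: m[2] for m in map(pat.match, job_lines(lock_text)) if m}

def missing_permissions(lock_text, safe_outputs):
    """Required app-token permissions that the compiled job does not request."""
    have = app_token_permissions(lock_text)
    return [f"{key}: {level}" for name in safe_outputs if name in REQUIRED
            for key, level in [REQUIRED[name]] if have.get(key) != level]

# Constructed sample lock files (layout is an assumption, not copied from gh-aw output).
def sample(with_discussions):
    extra = "          permission-discussions: write\n" if with_discussions else \
            "          # permission-discussions gone\n"
    return ("jobs:\n  agent:\n    steps: []\n  safe_outputs:\n"
            "    permissions:\n      discussions: write\n"   # job-level GITHUB_TOKEN scope
            "    steps:\n      - id: app-token\n        with:\n"
            "          permission-actions: write\n          permission-contents: read\n"
            + extra + "          permission-issues: write\n  conclusion:\n    steps: []\n")

if __name__ == "__main__":
    for label, text in (("v0.67.4-style", sample(True)), ("v0.68.1-style", sample(False))):
        print(label, missing_permissions(text, ["create-discussion"]) or "ok")
```

Run against each lock file in CI after recompiling, so a dropped permission shows up before the workflow silently falls back to issue creation.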