From 4c36c85931c7f8df7c040a146e938cb5f0de69e7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Feb 2026 17:09:53 +0000 Subject: [PATCH 1/5] Initial plan From cdd413d60f52c61ffdefa530326b01deb06fdf4e Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Feb 2026 17:16:13 +0000 Subject: [PATCH 2/5] Initial plan for excluding metadata: read permission Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/agent-performance-analyzer.lock.yml | 2 +- .github/workflows/agent-persona-explorer.lock.yml | 2 +- .github/workflows/artifacts-summary.lock.yml | 2 +- .github/workflows/audit-workflows.lock.yml | 2 +- .github/workflows/auto-triage-issues.lock.yml | 2 +- .github/workflows/blog-auditor.lock.yml | 2 +- .github/workflows/claude-code-user-docs-review.lock.yml | 2 +- .github/workflows/cli-version-checker.lock.yml | 2 +- .github/workflows/code-simplifier.lock.yml | 2 +- .github/workflows/copilot-agent-analysis.lock.yml | 2 +- .github/workflows/copilot-cli-deep-research.lock.yml | 2 +- .github/workflows/copilot-pr-prompt-analysis.lock.yml | 2 +- .github/workflows/copilot-session-insights.lock.yml | 2 +- .github/workflows/daily-assign-issue-to-user.lock.yml | 2 +- .github/workflows/daily-cli-performance.lock.yml | 2 +- .github/workflows/daily-code-metrics.lock.yml | 2 +- .github/workflows/daily-compiler-quality.lock.yml | 2 +- .github/workflows/daily-doc-updater.lock.yml | 2 +- .github/workflows/daily-firewall-report.lock.yml | 2 +- .github/workflows/daily-issues-report.lock.yml | 2 +- .github/workflows/daily-malicious-code-scan.lock.yml | 2 +- .github/workflows/daily-multi-device-docs-tester.lock.yml | 2 +- .github/workflows/daily-observability-report.lock.yml | 2 +- .github/workflows/daily-performance-summary.lock.yml | 2 +- .github/workflows/daily-regulatory.lock.yml | 2 +- .github/workflows/daily-safe-output-optimizer.lock.yml | 2 +- .github/workflows/daily-secrets-analysis.lock.yml | 2 +- .github/workflows/daily-semgrep-scan.lock.yml | 2 +- .github/workflows/daily-team-evolution-insights.lock.yml | 2 +- .github/workflows/daily-testify-uber-super-expert.lock.yml | 2 +- 
.github/workflows/daily-workflow-updater.lock.yml | 2 +- .github/workflows/delight.lock.yml | 2 +- .github/workflows/developer-docs-consolidator.lock.yml | 2 +- .github/workflows/discussion-task-miner.lock.yml | 2 +- .github/workflows/docs-noob-tester.lock.yml | 2 +- .github/workflows/draft-pr-cleanup.lock.yml | 2 +- .github/workflows/duplicate-code-detector.lock.yml | 2 +- .github/workflows/example-workflow-analyzer.lock.yml | 2 +- .github/workflows/firewall-escape.lock.yml | 2 +- .github/workflows/github-mcp-tools-report.lock.yml | 2 +- .github/workflows/github-remote-mcp-auth-test.lock.yml | 2 +- .github/workflows/go-logger.lock.yml | 2 +- .github/workflows/instructions-janitor.lock.yml | 2 +- .github/workflows/issue-arborist.lock.yml | 2 +- .github/workflows/issue-monster.lock.yml | 2 +- .github/workflows/jsweep.lock.yml | 2 +- .github/workflows/lockfile-stats.lock.yml | 2 +- .github/workflows/mcp-inspector.lock.yml | 2 +- .github/workflows/metrics-collector.lock.yml | 2 +- .github/workflows/org-health-report.lock.yml | 2 +- .github/workflows/portfolio-analyst.lock.yml | 2 +- .github/workflows/prompt-clustering-analysis.lock.yml | 2 +- .github/workflows/repo-tree-map.lock.yml | 2 +- .github/workflows/safe-output-health.lock.yml | 2 +- .github/workflows/schema-consistency-checker.lock.yml | 2 +- .github/workflows/semantic-function-refactor.lock.yml | 2 +- .github/workflows/sergo.lock.yml | 2 +- .github/workflows/smoke-claude.lock.yml | 2 +- .github/workflows/smoke-codex.lock.yml | 2 +- .github/workflows/smoke-copilot.lock.yml | 2 +- .github/workflows/smoke-opencode.lock.yml | 2 +- .github/workflows/smoke-test-tools.lock.yml | 2 +- .github/workflows/static-analysis-report.lock.yml | 2 +- .github/workflows/step-name-alignment.lock.yml | 2 +- .github/workflows/sub-issue-closer.lock.yml | 2 +- .github/workflows/terminal-stylist.lock.yml | 2 +- .github/workflows/ubuntu-image-analyzer.lock.yml | 2 +- .github/workflows/unbloat-docs.lock.yml | 2 +- 
.github/workflows/workflow-health-manager.lock.yml | 2 +- .github/workflows/workflow-normalizer.lock.yml | 2 +- .github/workflows/workflow-skill-extractor.lock.yml | 2 +- 71 files changed, 71 insertions(+), 71 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 21ce2e6127..ba7564f50e 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -30,7 +30,7 @@ name: "Agent Performance Analyzer - Meta-Orchestrator" "on": schedule: - - cron: "48 4 * * *" + - cron: "13 1 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index b356c4fb76..5efcf72666 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -30,7 +30,7 @@ name: "Agent Persona Explorer" "on": schedule: - - cron: "9 5 * * *" + - cron: "12 6 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index d4abd8d931..cfd8f95a31 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -31,7 +31,7 @@ name: "Artifacts Summary" "on": schedule: - - cron: "39 6 * * 0" + - cron: "24 6 * * 0" # Friendly format: weekly on sunday around 06:00 (scattered) workflow_dispatch: diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index c9d38c0240..e4d5d2cae2 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -32,7 +32,7 @@ name: "Agentic Workflow Audit Agent" "on": schedule: - - cron: "37 3 * * *" + - cron: "6 13 * * *" # Friendly format: daily (scattered) workflow_dispatch: 
diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index 1177e34616..148bd0b15d 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -34,7 +34,7 @@ name: "Auto-Triage Issues" - opened - edited schedule: - - cron: "2 */6 * * *" + - cron: "59 */6 * * *" # Friendly format: every 6h (scattered) workflow_dispatch: diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 46a53cca4f..3826bbcb98 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -30,7 +30,7 @@ name: "Blog Auditor" "on": schedule: - - cron: "4 11 * * 3" + - cron: "57 12 * * 3" # Friendly format: weekly on wednesday around 12:00 (scattered) workflow_dispatch: diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 5c40bc34b0..4cb99a7300 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -26,7 +26,7 @@ name: "Claude Code User Documentation Review" "on": schedule: - - cron: "32 13 * * *" + - cron: "57 16 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 48c2985ac1..fc64561c37 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -31,7 +31,7 @@ name: "CLI Version Checker" "on": schedule: - - cron: "2 19 * * *" + - cron: "5 12 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 268de2d30b..18a7be5859 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml 
@@ -30,7 +30,7 @@ name: "Code Simplifier" "on": schedule: - - cron: "9 14 * * *" + - cron: "46 19 * * *" # Friendly format: daily (scattered) # skip-if-match: is:pr is:open in:title "[code-simplifier]" # Skip-if-match processed as search check in pre-activation job workflow_dispatch: diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index c49bbb19d2..a8d3c2f8e3 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -32,7 +32,7 @@ name: "Copilot Agent PR Analysis" "on": schedule: - - cron: "2 5 * * *" + - cron: "19 5 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 6bef91ce7e..5058ccdfa0 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -30,7 +30,7 @@ name: "Copilot CLI Deep Research Agent" "on": schedule: - - cron: "55 15 * * *" + - cron: "12 15 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 85fd71d46a..df15cb9cfe 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -32,7 +32,7 @@ name: "Copilot PR Prompt Pattern Analysis" "on": schedule: - - cron: "56 11 * * *" + - cron: "1 12 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index d7f48ca651..34f00ed6c1 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml 
@@ -35,7 +35,7 @@ name: "Copilot Session Insights" "on": schedule: - - cron: "54 5 * * *" + - cron: "43 11 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 9f6ced46b3..4ac0c36c50 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -25,7 +25,7 @@ name: "Auto-Assign Issue" "on": schedule: - - cron: "50 5 * * *" + - cron: "3 1 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 1f98018291..578c1e6097 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -31,7 +31,7 @@ name: "Daily CLI Performance Agent" "on": schedule: - - cron: "2 22 * * *" + - cron: "21 11 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 4cf88a2528..cae5a96c6d 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -32,7 +32,7 @@ name: "Daily Code Metrics and Trend Tracking Agent" "on": schedule: - - cron: "2 17 * * *" + - cron: "43 10 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index d45306c266..b27097677e 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -30,7 +30,7 @@ name: "Daily Compiler Quality Check" "on": schedule: - - cron: "10 4 * * *" + - cron: "55 14 * * *" # Friendly format: daily (scattered) workflow_dispatch: 
diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 9da09a5dfb..2b30326353 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -26,7 +26,7 @@ name: "Daily Documentation Updater" "on": schedule: - - cron: "55 17 * * *" + - cron: "8 8 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 33efa1b11e..9f23078602 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -31,7 +31,7 @@ name: "Daily Firewall Logs Collector and Reporter" "on": schedule: - - cron: "26 12 * * *" + - cron: "25 3 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 8215a25cc7..f9f22b7507 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -34,7 +34,7 @@ name: "Daily Issues Report Generator" "on": schedule: - - cron: "10 16 * * *" + - cron: "45 8 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 636e1796f1..e06af7cd3d 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml +++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -30,7 +30,7 @@ name: "Daily Malicious Code Scan Agent" "on": schedule: - - cron: "47 2 * * *" + - cron: "24 18 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 739546e5d7..055a15a9e2 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml 
+++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -31,7 +31,7 @@ name: "Multi-Device Docs Tester" "on": schedule: - - cron: "19 9 * * *" + - cron: "18 16 * * *" # Friendly format: daily (scattered) workflow_dispatch: inputs: diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 8d15c896bb..390ba94e8f 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -30,7 +30,7 @@ name: "Daily Observability Report for AWF Firewall and MCP Gateway" "on": schedule: - - cron: "19 16 * * *" + - cron: "54 6 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index d654082583..6339311321 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -32,7 +32,7 @@ name: "Daily Project Performance Summary Generator (Using Safe Inputs)" "on": schedule: - - cron: "24 2 * * *" + - cron: "35 7 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 69eff324ad..8c3b30797d 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -31,7 +31,7 @@ name: "Daily Regulatory Report Generator" "on": schedule: - - cron: "51 18 * * *" + - cron: "14 5 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 581d68f1e9..11875aea5c 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml 
@@ -31,7 +31,7 @@ name: "Daily Safe Output Tool Optimizer" "on": schedule: - - cron: "0 4 * * *" + - cron: "15 21 * * *" # Friendly format: daily (scattered) # skip-if-match: is:issue is:open in:title "[safeoutputs]" # Skip-if-match processed as search check in pre-activation job workflow_dispatch: diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 2f1976ae8f..90b31c4526 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -30,7 +30,7 @@ name: "Daily Secrets Analysis Agent" "on": schedule: - - cron: "31 9 * * *" + - cron: "14 18 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index c5ddf3fb2a..bde66fdcce 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -30,7 +30,7 @@ name: "Daily Semgrep Scan" "on": schedule: - - cron: "28 9 * * *" + - cron: "53 18 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index f5cb5a5f9b..c45772c5e8 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -30,7 +30,7 @@ name: "Daily Team Evolution Insights" "on": schedule: - - cron: "54 10 * * *" + - cron: "17 2 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 2801af3f19..4a321ae871 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml 
@@ -31,7 +31,7 @@ name: "Daily Testify Uber Super Expert" "on": schedule: - - cron: "59 10 * * *" + - cron: "8 11 * * *" # Friendly format: daily (scattered) # skip-if-match: is:issue is:open in:title "[testify-expert]" # Skip-if-match processed as search check in pre-activation job workflow_dispatch: diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 48d370a3f8..2a2fbdb9e9 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -26,7 +26,7 @@ name: "Daily Workflow Updater" "on": schedule: - - cron: "18 5 * * *" + - cron: "7 11 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 6d036db4e5..4001082b75 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -31,7 +31,7 @@ name: "Delight" "on": schedule: - - cron: "22 8 * * *" + - cron: "13 21 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index f53d70a834..7aa626ab44 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -30,7 +30,7 @@ name: "Developer Documentation Consolidator" "on": schedule: - - cron: "3 10 * * *" + - cron: "52 11 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index e61859a5b5..8af687626e 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml 
@@ -31,7 +31,7 @@ name: "Discussion Task Miner - Code Quality Improvement Agent" "on": schedule: - - cron: "57 */4 * * *" + - cron: "54 */4 * * *" # Friendly format: every 4h (scattered) workflow_dispatch: diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 90fe505f69..a0917bd2c0 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -30,7 +30,7 @@ name: "Documentation Noob Tester" "on": schedule: - - cron: "29 7 * * *" + - cron: "0 5 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index e5e698db4e..eb25e42db9 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -26,7 +26,7 @@ name: "Draft PR Cleanup" "on": schedule: - - cron: "34 0 * * *" + - cron: "15 19 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 891d76a130..1924a8e947 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -26,7 +26,7 @@ name: "Duplicate Code Detector" "on": schedule: - - cron: "19 19 * * *" + - cron: "28 5 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 30bcf7a56f..635673e309 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -30,7 +30,7 @@ name: "Weekly Workflow Analysis" "on": schedule: - - cron: "38 9 * * 1" + - cron: "37 9 * * 1" # Friendly format: weekly on monday around 09:00 (scattered) workflow_dispatch: 
diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index cedbd21150..b47f637095 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -31,7 +31,7 @@ name: "The Great Escapi" types: - labeled schedule: - - cron: "49 0 * * *" + - cron: "58 8 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 10e4c34f6b..920e36dfeb 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -30,7 +30,7 @@ name: "GitHub MCP Remote Server Tools Report Generator" "on": schedule: - - cron: "50 12 * * 0" + - cron: "1 12 * * 0" # Friendly format: weekly on sunday around 12:00 (scattered) workflow_dispatch: diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 11892a8497..2544550011 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -26,7 +26,7 @@ name: "GitHub Remote MCP Authentication Test" "on": schedule: - - cron: "46 11 * * *" + - cron: "57 3 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 7872ad99c1..f00c8f4895 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -30,7 +30,7 @@ name: "Go Logger Enhancement" "on": schedule: - - cron: "14 6 * * *" + - cron: "13 7 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 8a89d584b7..cca4f4d0e5 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml 
@@ -26,7 +26,7 @@ name: "Instructions Janitor" "on": schedule: - - cron: "18 20 * * *" + - cron: "59 7 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index f3eaed1b74..72ef6098f2 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -30,7 +30,7 @@ name: "Issue Arborist" "on": schedule: - - cron: "33 14 * * *" + - cron: "52 20 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index c4e22abd17..45e43ba504 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -26,7 +26,7 @@ name: "Issue Monster" "on": schedule: - - cron: "49 */1 * * *" + - cron: "58 */1 * * *" # Friendly format: every 1h (scattered) # skip-if-match: # Skip-if-match processed as search check in pre-activation job # max: 9 diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index 919d74039b..666555f38f 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -26,7 +26,7 @@ name: "jsweep - JavaScript Unbloater" "on": schedule: - - cron: "47 14 * * *" + - cron: "10 7 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index 4145a18702..abc617be63 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -30,7 +30,7 @@ name: "Lockfile Statistics Analysis Agent" "on": schedule: - - cron: "48 14 * * *" + - cron: "9 8 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index dad6921487..0893d58db4 100644 --- a/.github/workflows/mcp-inspector.lock.yml 
+++ b/.github/workflows/mcp-inspector.lock.yml @@ -44,7 +44,7 @@ name: "MCP Inspector Agent" "on": schedule: - - cron: "45 18 * * 1" + - cron: "10 18 * * 1" # Friendly format: weekly on monday around 18:00 (scattered) workflow_dispatch: diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index 5cc495f22e..e20064c495 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -26,7 +26,7 @@ name: "Metrics Collector - Infrastructure Agent" "on": schedule: - - cron: "28 14 * * *" + - cron: "23 20 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 17b431525f..11735359f8 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -32,7 +32,7 @@ name: "Organization Health Report" "on": schedule: - - cron: "33 9 * * 1" + - cron: "50 9 * * 1" # Friendly format: weekly on monday around 09:00 (scattered) workflow_dispatch: diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index db9a8e7b45..20f125c4d6 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -32,7 +32,7 @@ name: "Automated Portfolio Analyst" "on": schedule: - - cron: "8 8 * * 1" + - cron: "39 8 * * 1" # Friendly format: weekly on monday around 09:00 (scattered) workflow_dispatch: diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 5fcc9fa223..d9c0fb4e80 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml 
@@ -33,7 +33,7 @@ name: "Copilot Agent Prompt Clustering Analysis" "on": schedule: - - cron: "13 6 * * *" + - cron: "0 4 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 8d42c2206d..73f98b0101 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -30,7 +30,7 @@ name: "Repository Tree Map Generator" "on": schedule: - - cron: "17 14 * * 1" + - cron: "34 14 * * 1" # Friendly format: weekly on monday around 15:00 (scattered) workflow_dispatch: diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 62fc4c8751..52dfd2a2ab 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -31,7 +31,7 @@ name: "Safe Output Health Monitor" "on": schedule: - - cron: "15 23 * * *" + - cron: "54 7 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index c1b542769f..96fa126d43 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -30,7 +30,7 @@ name: "Schema Consistency Checker" "on": schedule: - - cron: "41 23 * * *" + - cron: "24 6 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index fbe9e14472..6c76a04dac 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -30,7 +30,7 @@ name: "Semantic Function Refactoring" "on": schedule: - - cron: "53 14 * * *" + - cron: "20 7 * * *" # Friendly format: daily (scattered) workflow_dispatch: 
diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 3405286bf7..d59bbde2da 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -30,7 +30,7 @@ name: "Sergo - Serena Go Expert" "on": schedule: - - cron: "53 8 * * *" + - cron: "34 21 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 84bc54d578..c2a1989803 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -41,7 +41,7 @@ name: "Smoke Claude" types: - labeled schedule: - - cron: "27 */12 * * *" + - cron: "18 */12 * * *" workflow_dispatch: null permissions: {} diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 2b4ea333e0..b570a056b0 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -38,7 +38,7 @@ name: "Smoke Codex" types: - labeled schedule: - - cron: "16 */12 * * *" + - cron: "31 */12 * * *" workflow_dispatch: null permissions: {} diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 0d40a1f757..4fcc2b47a8 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -37,7 +37,7 @@ name: "Smoke Copilot" types: - labeled schedule: - - cron: "1 */12 * * *" + - cron: "46 */12 * * *" workflow_dispatch: null permissions: {} diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index 67e698f085..02cc4e699d 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -37,7 +37,7 @@ name: "Smoke OpenCode" types: - labeled schedule: - - cron: "10 11 * * *" + - cron: "3 3 * * *" workflow_dispatch: null permissions: {} 
diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index dd95dfdc28..1112338f9c 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -31,7 +31,7 @@ name: "Agent Container Smoke Test" types: - labeled schedule: - - cron: "23 */12 * * *" + - cron: "54 */12 * * *" # Friendly format: every 12h (scattered) workflow_dispatch: diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 144142d960..dfb4694674 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -30,7 +30,7 @@ name: "Static Analysis Report" "on": schedule: - - cron: "21 14 * * *" + - cron: "16 21 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 0819b15d55..60853f4424 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -26,7 +26,7 @@ name: "Step Name Alignment" "on": schedule: - - cron: "19 2 * * *" + - cron: "44 23 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 94ea53b2ba..21cd5ff6e5 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -26,7 +26,7 @@ name: "Sub-Issue Closer" "on": schedule: - - cron: "42 23 * * *" + - cron: "19 11 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 385477bddb..1cfb15359d 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml 
@@ -26,7 +26,7 @@ name: "Terminal Stylist" "on": schedule: - - cron: "28 8 * * *" + - cron: "13 0 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index 7af9eec721..f0e39435a9 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -26,7 +26,7 @@ name: "Ubuntu Actions Image Analyzer" "on": schedule: - - cron: "21 15 * * 0" + - cron: "6 6 * * 6" # Friendly format: weekly (scattered) # skip-if-match: is:pr is:open in:title "[ubuntu-image]" # Skip-if-match processed as search check in pre-activation job workflow_dispatch: diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 85c1838252..a5e36710ac 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -35,7 +35,7 @@ name: "Documentation Unbloat" - created - edited schedule: - - cron: "46 14 * * *" + - cron: "19 17 * * *" workflow_dispatch: null permissions: {} diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 80b72a7c93..6dab73fcf6 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -30,7 +30,7 @@ name: "Workflow Health Manager - Meta-Orchestrator" "on": schedule: - - cron: "13 2 * * *" + - cron: "18 11 * * *" # Friendly format: daily (scattered) workflow_dispatch: diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index f2c0cbf693..fdc210df35 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml @@ -30,7 +30,7 @@ name: "Workflow Normalizer" "on": schedule: - - cron: "8 12 * * *" + - cron: "27 2 * * *" # Friendly format: daily (scattered) workflow_dispatch: 
diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 5181c1a9b7..2d7a823b6e 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -30,7 +30,7 @@ name: "Workflow Skill Extractor" "on": schedule: - - cron: "5 0 * * 2" + - cron: "52 23 * * 3" # Friendly format: weekly (scattered) workflow_dispatch: From 9e0a764a818652824d499bbe7358fc4015f89346 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Feb 2026 17:18:52 +0000 Subject: [PATCH 3/5] Add metadata permission and exclude from YAML rendering Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/permissions.go | 4 ++ pkg/workflow/permissions_operations.go | 5 ++ pkg/workflow/permissions_operations_test.go | 4 ++ pkg/workflow/permissions_rendering_test.go | 76 +++++++++++++++++++++ 4 files changed, 89 insertions(+) diff --git a/pkg/workflow/permissions.go b/pkg/workflow/permissions.go index 3fffa42d3a..b0557fa180 100644 --- a/pkg/workflow/permissions.go +++ b/pkg/workflow/permissions.go @@ -27,6 +27,8 @@ func convertStringToPermissionScope(key string) PermissionScope { return PermissionIdToken case "issues": return PermissionIssues + case "metadata": + return PermissionMetadata case "models": return PermissionModels case "packages": @@ -93,6 +95,7 @@ const ( PermissionDiscussions PermissionScope = "discussions" PermissionIdToken PermissionScope = "id-token" PermissionIssues PermissionScope = "issues" + PermissionMetadata PermissionScope = "metadata" PermissionModels PermissionScope = "models" PermissionPackages PermissionScope = "packages" PermissionPages PermissionScope = "pages" @@ -114,6 +117,7 @@ func GetAllPermissionScopes() []PermissionScope { PermissionDiscussions, PermissionIdToken, PermissionIssues, + PermissionMetadata, PermissionModels, PermissionPackages, PermissionPages, 
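Review bot: `PermissionMetadata` is added to the list returned by `GetAllPermissionScopes` with no comment marking it as a special case, so every caller that iterates that list now has to know to skip it. The later patches in this series already add two such skips, in `RenderToYAML` and `findWritePermissions`. A comment on the constant would make the contract visible, for example `// PermissionMetadata is granted read implicitly by GitHub; it is parsed but never rendered and is ignored by write-permission checks.` The test expectations updated in this series also list `PermissionMetadata: PermissionWrite`, so the same comment should say whether a write level on this scope carries any meaning. All three hunks sit inside declarations that continue outside the diff.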
diff --git a/pkg/workflow/permissions_operations.go b/pkg/workflow/permissions_operations.go index d77e43b8b0..f15cf7ab18 100644 --- a/pkg/workflow/permissions_operations.go +++ b/pkg/workflow/permissions_operations.go @@ -247,6 +247,11 @@ func (p *Permissions) RenderToYAML() string { continue } + // Skip metadata - it's a built-in permission that is always available with read access + if scope == PermissionMetadata { + continue + } + // Add 2 spaces for proper indentation under permissions: // When rendered in a job, the job renderer adds 4 spaces to the first line only, // so we need to pre-indent continuation lines with 4 additional spaces diff --git a/pkg/workflow/permissions_operations_test.go b/pkg/workflow/permissions_operations_test.go index cccb96ebaf..9874d1bad2 100644 --- a/pkg/workflow/permissions_operations_test.go +++ b/pkg/workflow/permissions_operations_test.go @@ -357,6 +357,7 @@ func TestPermissionsMerge(t *testing.T) { PermissionDeployments: PermissionRead, PermissionDiscussions: PermissionRead, PermissionIssues: PermissionRead, + PermissionMetadata: PermissionRead, PermissionPackages: PermissionRead, PermissionPages: PermissionRead, PermissionPullRequests: PermissionRead, @@ -381,6 +382,7 @@ func TestPermissionsMerge(t *testing.T) { PermissionDiscussions: PermissionWrite, PermissionIdToken: PermissionWrite, // id-token supports write PermissionIssues: PermissionWrite, + PermissionMetadata: PermissionWrite, PermissionPackages: PermissionWrite, PermissionPages: PermissionWrite, PermissionPullRequests: PermissionWrite, @@ -403,6 +405,7 @@ func TestPermissionsMerge(t *testing.T) { PermissionDeployments: PermissionRead, PermissionDiscussions: PermissionRead, PermissionIssues: PermissionRead, + PermissionMetadata: PermissionRead, PermissionPackages: PermissionRead, PermissionPages: PermissionRead, PermissionPullRequests: PermissionRead, 
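Review bot: The new skip in `RenderToYAML` tests only the scope, so a declared `metadata: write` is dropped from the rendered permissions with no diagnostic. The matching skip added to `findWritePermissions` in patch 5/5 keeps that same declaration out of the dangerous-permissions check, so a level the series itself calls read-only is accepted on input and then disappears silently. Unless that is wanted only for the `write-all` shorthand, consider rejecting or warning on an explicit `metadata: write` where permissions are parsed (that code is not in this diff). The comment here should also state that the level is ignored: `// Skip metadata whatever its level: GitHub grants read implicitly and this renderer never emits the scope.` `RenderToYAML` starts and ends outside the hunk.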
@@ -427,6 +430,7 @@ func TestPermissionsMerge(t *testing.T) { PermissionDeployments: PermissionWrite, PermissionDiscussions: PermissionWrite, PermissionIdToken: PermissionWrite, // id-token supports write + PermissionMetadata: PermissionWrite, PermissionPackages: PermissionWrite, PermissionPages: PermissionWrite, PermissionPullRequests: PermissionWrite, diff --git a/pkg/workflow/permissions_rendering_test.go b/pkg/workflow/permissions_rendering_test.go index d188a964bb..1e29b649dd 100644 --- a/pkg/workflow/permissions_rendering_test.go +++ b/pkg/workflow/permissions_rendering_test.go 
@@ -260,3 +260,79 @@ func TestPermissions_AllReadRenderToYAML(t *testing.T) { }) } } + +func TestPermissions_MetadataExcluded(t *testing.T) { + tests := []struct { + name string + perms *Permissions + contains []string + notContains []string + }{ + { + name: "metadata permission should be excluded from YAML output", + perms: NewPermissionsFromMap(map[PermissionScope]PermissionLevel{ + PermissionContents: PermissionRead, + PermissionMetadata: PermissionRead, + PermissionIssues: PermissionWrite, + }), + contains: []string{ + "permissions:", + " contents: read", + " issues: write", + }, + notContains: []string{ + "metadata", + }, + }, + { + name: "all: read should expand without metadata", + perms: NewPermissionsAllRead(), + contains: []string{ + "permissions:", + " contents: read", + " issues: read", + }, + notContains: []string{ + "metadata", + }, + }, + { + name: "metadata: write should also be excluded", + perms: NewPermissionsFromMap(map[PermissionScope]PermissionLevel{ + PermissionContents: PermissionRead, + PermissionMetadata: PermissionWrite, + }), + contains: []string{ + "permissions:", + " contents: read", + }, + notContains: []string{ + "metadata", + }, + }, + { + name: "only metadata permission should render empty permissions", + perms: NewPermissionsFromMap(map[PermissionScope]PermissionLevel{ + PermissionMetadata: PermissionRead, + }), + contains: []string{}, + notContains: []string{"metadata"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + result := tt.perms.RenderToYAML() + for _, expected := range tt.contains { + if !strings.Contains(result, expected) { + t.Errorf("RenderToYAML() should contain %q, but got:\n%s", expected, result) + } + } + for _, notExpected := range tt.notContains { + if strings.Contains(result, notExpected) { + t.Errorf("RenderToYAML() should NOT contain %q, but got:\n%s", notExpected, result) + } + } + }) + } +} From 62a1a7104b24c60b0eae98b6419cb63bedc6f882 Mon Sep 17 00:00:00 2001 
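Review bot: The last table entry, `only metadata permission should render empty permissions`, has `contains: []string{}`, so it passes for any output that lacks the word `metadata`, including an empty string or a bare `permissions:` key. What the renderer emits when every scope is skipped probably determines which token permissions the generated workflow falls back to, so this case should pin the exact string rather than only an absence. One way is an `exact string` field in the table, checked in the loop with `if tt.exact != "" && result != tt.exact { t.Errorf("got %q, want %q", result, tt.exact) }`, with the intended rendering filled in for that entry. The other three cases can keep their substring checks.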
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Feb 2026 17:20:47 +0000 Subject: [PATCH 4/5] Apply code formatting --- pkg/workflow/permissions_rendering_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/workflow/permissions_rendering_test.go b/pkg/workflow/permissions_rendering_test.go index 1e29b649dd..3f37027c5c 100644 --- a/pkg/workflow/permissions_rendering_test.go +++ b/pkg/workflow/permissions_rendering_test.go @@ -285,7 +285,7 @@ func TestPermissions_MetadataExcluded(t *testing.T) { }, }, { - name: "all: read should expand without metadata", + name: "all: read should expand without metadata", perms: NewPermissionsAllRead(), contains: []string{ "permissions:", From f91bc60a4f998553c885b911639eeefa6e52c08c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 4 Feb 2026 18:02:48 +0000 Subject: [PATCH 5/5] Exclude metadata from dangerous permissions validation The metadata permission is a built-in read-only permission and should not be considered a dangerous permission. Updated findWritePermissions to skip metadata (similar to how it skips id-token). Fixes test failure in TestFindWritePermissions/write-all_shorthand. Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/dangerous_permissions_validation.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pkg/workflow/dangerous_permissions_validation.go b/pkg/workflow/dangerous_permissions_validation.go index 5a09366151..c38a01f17e 100644 --- a/pkg/workflow/dangerous_permissions_validation.go +++ b/pkg/workflow/dangerous_permissions_validation.go 
@@ -56,6 +56,7 @@ func validateDangerousPermissions(workflowData *WorkflowData) error { // findWritePermissions returns a list of permission scopes that have write access // Excludes id-token since it's safe (used for OIDC authentication) and doesn't modify repository content +// Excludes metadata since it's a built-in read-only permission func findWritePermissions(permissions *Permissions) []PermissionScope { if permissions == nil { return nil @@ -70,6 +71,11 @@ func findWritePermissions(permissions *Permissions) []PermissionScope { continue } + // Skip metadata as it's a built-in read-only permission + if scope == PermissionMetadata { + continue + } + level, exists := permissions.Get(scope) if exists && level == PermissionWrite { writePerms = append(writePerms, scope)
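Review bot: Nothing in this patch adds a test for the new exemption; the diffstat touches only this file and the message names only `TestFindWritePermissions/write-all_shorthand`. A case with an explicit `PermissionMetadata: PermissionWrite` next to one real write scope, asserting that only the real scope is returned, would pin the behaviour the new comment describes. If the block just above is the `PermissionIdToken` check that the doc comment mentions, the two skips could be merged into `if scope == PermissionIdToken || scope == PermissionMetadata { continue }` with one comment giving both reasons. `findWritePermissions` continues past the end of the hunk.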