Simplify permissions: agent job ALWAYS gets contents:read

pkg/workflow/checkout_optimization_test.go

@@ -37,7 +37,7 @@ strict: false
 			description:         "When no permissions are specified, agent job adds contents:read in dev mode for local actions",
 		},
 		{
-			name: "permissions without contents should omit checkout",
+			name: "permissions without contents should include checkout for .github access",
 			frontmatter: `---
 on:
   issues:
@@ -53,8 +53,8 @@ features:
   dangerous-permissions-write: true
 strict: false
 ---`,
-			expectedHasCheckout: false,
-			description:         "When permissions don't include contents, checkout should be omitted",
+			expectedHasCheckout: true,
+			description:         "Even when permissions don't include contents, checkout is added for .github and .actions access",
 		},
 		{
 			name: "permissions with contents read should include checkout",
@@ -222,10 +222,10 @@ func TestShouldAddCheckoutStep(t *testing.T) {
 			expected:    true,
 		},
 		{
-			name:        "no contents permission specified, no custom steps",
+			name:        "no contents permission specified, no custom steps - checkout added for .github access",
 			permissions: "permissions:\n  issues: write",
 			customSteps: "",
-			expected:    false,
+			expected:    true,
 		},
 		{
 			name:        "contents read permission, custom steps with checkout",

pkg/workflow/compiler_activation_jobs.go

@@ -784,24 +784,21 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) (
 	agentConcurrency := GenerateJobConcurrencyConfig(data)
 
 	// Set up permissions for the agent job
-	// If using local actions (dev mode without action-tag), we need to add contents: read to access the actions folder
+	// Agent job ALWAYS needs contents: read to access .github and .actions folders
 	permissions := data.Permissions
-	if setupActionRef != "" && len(c.generateCheckoutActionsFolder(data)) > 0 {
-		// Need to merge contents: read with existing permissions
-		if permissions == "" {
-			// No permissions specified, just add contents: read
-			perms := NewPermissionsContentsRead()
+	if permissions == "" {
+		// No permissions specified, just add contents: read
+		perms := NewPermissionsContentsRead()
+		permissions = perms.RenderToYAML()
+	} else {
+		// Parse existing permissions and add contents: read
+		parser := NewPermissionsParser(permissions)
+		perms := parser.ToPermissions()
+
+		// Only add contents: read if not already present
+		if level, exists := perms.Get(PermissionContents); !exists || level == PermissionNone {
+			perms.Set(PermissionContents, PermissionRead)
 			permissions = perms.RenderToYAML()
-		} else {
-			// Parse existing permissions and add contents: read
-			parser := NewPermissionsParser(permissions)
-			perms := parser.ToPermissions()
-
-			// Only add contents: read if not already present
-			if level, exists := perms.Get(PermissionContents); !exists || level == PermissionNone {
-				perms.Set(PermissionContents, PermissionRead)
-				permissions = perms.RenderToYAML()
-			}
 		}
 	}
 

pkg/workflow/compiler_jobs.go

@@ -446,23 +446,8 @@ func (c *Compiler) shouldAddCheckoutStep(data *WorkflowData) bool {
 		return true // Custom agent file requires checkout to access the file
 	}
 
-	// Check condition 3: Check if we have or will have contents: read permission
-	// In dev mode, contents: read is added automatically for local actions checkout
-	// So we need to account for that when deciding whether to add repository checkout
-	permParser := NewPermissionsParser(data.Permissions)
-	hasContentsRead := permParser.HasContentsReadAccess()
-
-	// In dev mode, if we'll add contents: read for actions folder, we should also add repository checkout
-	// because all workflows use runtime-import for the main workflow file
-	willAddContentsRead := (c.actionMode.IsDev() || c.actionMode.IsScript()) && len(c.generateCheckoutActionsFolder(data)) > 0
-
-	if !hasContentsRead && !willAddContentsRead {
-		log.Print("Skipping checkout step: no contents read access in permissions")
-		return false // No contents read access, so checkout is not needed
-	}
-
-	// If we have or will have contents: read, add checkout
-	// This is needed because all workflows use runtime-import for the main workflow file
-	log.Print("Adding checkout step: contents read access is available or will be added")
+	// Agent job always gets contents: read permission for .github and .actions access
+	// Therefore, we always add checkout for runtime-import and workflow files
+	log.Print("Adding checkout step: agent job has contents read access for .github and .actions")
 	return true
 }

pkg/workflow/permissions_explicit_empty_test.go

@@ -46,9 +46,9 @@ permissions: {}
 # Test workflow
 Test content`,
 			actionMode:            ActionModeRelease,
-			expectedAgentPerms:    "permissions: {}", // Release mode should keep empty
+			expectedAgentPerms:    "permissions:\n      contents: read", // Agent job always gets contents: read
 			expectedTopLevelPerms: "permissions: {}",
-			description:           "Release mode with explicit empty permissions should keep agent job permissions empty",
+			description:           "Release mode with explicit empty permissions should add contents: read to agent job",
 		},
 		{
 			name: "no permissions specified in dev mode",