github · pelikhan · Feb 7, 2026 · Feb 7, 2026 · Feb 7, 2026 · Copilot
diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml
diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml
diff --git a/pkg/workflow/compiler_activation_jobs.go b/pkg/workflow/compiler_activation_jobs.go
@@ -738,11 +738,16 @@ func (c *Compiler) buildMainJob(data *WorkflowData, activationJobCreated bool) (
 		outputs["has_patch"] = "${{ steps.collect_output.outputs.has_patch }}"
 	}
 
-	// Add checkout_pr_success output to track PR checkout status
+	// Add checkout_pr_success output to track PR checkout status only if the checkout-pr step will be generated
 	// This is used by the conclusion job to skip failure handling when checkout fails
 	// (e.g., when PR is merged and branch is deleted)
-	outputs["checkout_pr_success"] = "${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}"
-	compilerActivationJobsLog.Print("Added checkout_pr_success output")
+	// The checkout-pr step is only generated when the workflow has contents read permission
+	if ShouldGeneratePRCheckoutStep(data) {
+		outputs["checkout_pr_success"] = "${{ steps.checkout-pr.outputs.checkout_pr_success || 'true' }}"
+		compilerActivationJobsLog.Print("Added checkout_pr_success output (workflow has contents read access)")
+	} else {
+		compilerActivationJobsLog.Print("Skipped checkout_pr_success output (workflow lacks contents read access)")
+	}
 
 	// Build job-level environment variables for safe outputs
 	var env map[string]string

diff --git a/pkg/workflow/notify_comment.go b/pkg/workflow/notify_comment.go
@@ -163,7 +163,10 @@ func (c *Compiler) buildConclusionJob(data *WorkflowData, mainJobName string, sa
 	}
 
 	// Add checkout_pr_success to detect PR checkout failures (e.g., PR merged and branch deleted)
-	agentFailureEnvVars = append(agentFailureEnvVars, fmt.Sprintf("          GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.%s.outputs.checkout_pr_success }}\n", mainJobName))
+	// Only add if the checkout-pr step will be generated (requires contents read access)
+	if ShouldGeneratePRCheckoutStep(data) {
+		agentFailureEnvVars = append(agentFailureEnvVars, fmt.Sprintf("          GH_AW_CHECKOUT_PR_SUCCESS: ${{ needs.%s.outputs.checkout_pr_success }}\n", mainJobName))
+	}
 
 	// Pass assignment error outputs from safe_outputs job if assign-to-agent is configured
 	if data.SafeOutputs != nil && data.SafeOutputs.AssignToAgent != nil {

diff --git a/pkg/workflow/pr.go b/pkg/workflow/pr.go
@@ -9,12 +9,18 @@ import (
 
 var prLog = logger.New("workflow:pr")
 
+// ShouldGeneratePRCheckoutStep returns true if the checkout-pr step should be generated
+// based on the workflow permissions. The step requires contents read access.
+func ShouldGeneratePRCheckoutStep(data *WorkflowData) bool {
+	permParser := NewPermissionsParser(data.Permissions)
+	return permParser.HasContentsReadAccess()
+}
+
 // generatePRReadyForReviewCheckout generates a step to checkout the PR branch when PR context is available
 func (c *Compiler) generatePRReadyForReviewCheckout(yaml *strings.Builder, data *WorkflowData) {
 	prLog.Print("Generating PR checkout step")
 	// Check that permissions allow contents read access
-	permParser := NewPermissionsParser(data.Permissions)
-	if !permParser.HasContentsReadAccess() {
+	if !ShouldGeneratePRCheckoutStep(data) {
 		prLog.Print("Skipping PR checkout step: no contents read access")
 		return // No contents read access, cannot checkout
 	}

diff --git a/pkg/workflow/pr_test.go b/pkg/workflow/pr_test.go
@@ -0,0 +1,76 @@
+//go:build !integration
+
+package workflow
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestShouldGeneratePRCheckoutStep(t *testing.T) {
+	tests := []struct {
+		name        string
+		permissions string
+		expected    bool
+	}{
+		{
+			name:        "with contents read permission",
+			permissions: "contents: read",
+			expected:    true,
+		},
+		{
+			name:        "with contents write permission",
+			permissions: "contents: write",
+			expected:    true,
+		},
+		{
+			name:        "without contents permission",
+			permissions: "issues: read",
+			expected:    false,
+		},
+		{
+			name:        "with read-all shorthand",
+			permissions: "read-all",
+			expected:    true,
+		},
+		{
+			name:        "with write-all shorthand",
+			permissions: "write-all",
+			expected:    true,
+		},
+		{
+			name:        "with none shorthand",
+			permissions: "none",
+			expected:    false,
+		},
+		{
+			name:        "with all: read",
+			permissions: `all: read`,
+			expected:    true,
+		},
+		{
+			name: "multiple permissions including contents",
+			permissions: `contents: read
+issues: write
+pull-requests: read`,
+			expected: true,
+		},
+		{
+			name: "multiple permissions without contents",
+			permissions: `issues: write
+pull-requests: read`,
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			data := &WorkflowData{
+				Permissions: tt.permissions,
+			}
+			result := ShouldGeneratePRCheckoutStep(data)
+			assert.Equal(t, tt.expected, result, "ShouldGeneratePRCheckoutStep() result mismatch")
+		})
+	}
+}