diff --git a/.changeset/patch-fix-detection-job-permissions.md b/.changeset/patch-fix-detection-job-permissions.md new file mode 100644 index 00000000000..5ef99539912 --- /dev/null +++ b/.changeset/patch-fix-detection-job-permissions.md @@ -0,0 +1,5 @@ +--- +"gh-aw": patch +--- + +Ensure the detection job requests `contents: read` whenever it injects `actions/checkout`, matching the existing agent job permissions. diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 53a0fccd839..ffda5dd3753 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -1099,7 +1099,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 29dd87d1d34..7223218a285 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -970,7 +970,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 96e1c159c29..030f3aa22a8 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -926,7 +926,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} 
diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index ca5c3227fec..ccbe05b6aab 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -882,7 +882,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index adee5838a72..5149bbfe326 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -1146,7 +1146,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index f6d63af4781..b76b32c9010 100644 --- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -933,7 +933,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 9b8af53a490..8b9942a7512 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml 
@@ -996,7 +996,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 6cdba1cdf43..244e56fc781 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -920,7 +920,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index e888d9a3cec..69518c7c170 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -928,7 +928,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index 5f669650f65..8a1fe0a8dbd 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -993,7 +993,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index df24a5a7d0e..40749ca98e7 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml 
@@ -986,7 +986,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index f35e41a3633..f2a7176e9b7 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1090,7 +1090,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index 1fa4596f973..c13f502d3c6 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -959,7 +959,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 65f88abca9d..538f626424c 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -895,7 +895,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 758a64a611a..a05d5815602 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -983,7 +983,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 4bcd1357d2d..1fee7c9d3ca 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1256,7 +1256,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index a3b2e3a3a68..1cc06a5fd20 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -997,7 +997,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 2992e9627c2..582a71ff53f 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml 
@@ -912,7 +912,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 9f5159a86eb..0f7dfacc485 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -936,7 +936,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index c53f6c78ef8..4d6b465c997 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -1042,7 +1042,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index cbb13e646b7..356fe667b54 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml +++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -949,7 +949,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 6f22f10d1b2..bbdb93d77ce 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -940,7 +940,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index 7e5abbc439f..44ef84c8a66 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -1039,7 +1039,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index afe14f29032..47094076971 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml @@ -965,7 +965,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index 339f8b67503..6291d78a6e6 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml 
@@ -1097,7 +1097,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index f92a5656850..d38d73f7b7b 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -954,7 +954,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index fbe0efd393f..978af403f03 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml @@ -903,7 +903,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 95735a54f67..adc05f972b5 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -906,7 +906,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index d8b0ee691cc..a4ae27129e4 100644 
--- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -1136,7 +1136,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index b7c7f09d47f..4b8d528214c 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -961,7 +961,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index a6435fa8220..ec08c4d4bbb 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -1076,7 +1076,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index e23169efad7..5d04c376e06 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -936,7 +936,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index b918430bbf6..b41b744c323 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml @@ -1054,7 +1054,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 4fffe728c0b..35dc3b582ea 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -1003,7 +1003,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index 892433d9af6..6c45becd228 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -939,7 +939,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index af5b95b2184..86d29fec4bd 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml 
@@ -1044,7 +1044,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 25d0fdb8016..afa3cb52c55 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -1066,7 +1066,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index 150a97ac442..c951b8e21d6 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -987,7 +987,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 83578030078..75a49c9659b 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml @@ -1071,7 +1071,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index b95cf4b7b31..565e7bd2d10 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -1116,7 +1116,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index 7fef55bf254..c1542dcb429 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -1024,7 +1024,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 0aa8511978e..cafd33b3b14 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1532,7 +1532,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 6d997e8d593..7f6d22b5b44 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml 
@@ -1425,7 +1425,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 10aca4ae1b2..4f878f31a5e 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -980,7 +980,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 1c30a294edf..d68e115aba9 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -1067,7 +1067,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 9bc8110580b..5a3f4c86ad0 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -943,7 +943,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 104fcfafc39..ff2c0baaec0 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml +++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -931,7 +931,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index d2d9d0118c1..694b651eb7b 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -925,7 +925,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index e266ff29d04..3196a826eab 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -936,7 +936,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index da16a8e14d6..c67db3fa438 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml 
@@ -919,7 +919,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index b3fdaf4cc27..f3a885b5b88 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -983,7 +983,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index eaaad5b4d87..70ea73d5dd0 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -903,7 +903,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index ef20042c857..1c2e8f329a9 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -1162,7 +1162,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index f4040435a79..5872449357c 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -1034,7 +1034,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index a24b13b2f13..aeabcd09f1b 100644 --- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -1149,7 +1149,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 00eab194458..5ff103038f1 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -933,7 +933,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dependabot-project-manager.lock.yml b/.github/workflows/dependabot-project-manager.lock.yml index 1dabdc1f500..85c491941ef 100644 --- a/.github/workflows/dependabot-project-manager.lock.yml +++ b/.github/workflows/dependabot-project-manager.lock.yml 
@@ -1197,7 +1197,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index e735da03383..1a9426511b2 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -973,7 +973,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index b4aeac6f36e..9dc141e398b 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -894,7 +894,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index d3c42c14f6e..e74725e2a4f 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -1075,7 +1075,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 580605b87a6..42405caf1be 100644 --- a/.github/workflows/dictation-prompt.lock.yml 
+++ b/.github/workflows/dictation-prompt.lock.yml @@ -900,7 +900,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 7a81c8ace07..940f3f4f8a4 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1011,7 +1011,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 8f720005ecd..695b65763ed 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -930,7 +930,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index 5481b46a698..f00526713c7 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -934,7 +934,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 57f6d2a13c1..c6f5beb8ae5 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -941,7 +941,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index ff832237bed..64c1302033b 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -992,7 +992,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 5f1c006252e..e553002cff8 100644 --- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -956,7 +956,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index a06cd51f56b..bc72633271a 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml 
@@ -908,7 +908,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 0e6930a93b1..6d5ecef643b 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -1027,7 +1027,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 009ece29520..41c8b961337 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -1036,7 +1036,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index 5d2f997e0ca..7dc58126060 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -888,7 +888,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index cbce87f317e..a7c995f587d 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -975,7 +975,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index 6e29fc92b7e..fa575919d77 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml @@ -996,7 +996,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index c977df0e825..208e7e91ea2 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -1165,7 +1165,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 44e211a65a0..381d75c1f1d 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml 
@@ -993,7 +993,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index 39303d2ad85..a2623539ca3 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -1002,7 +1002,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index fd33f14811e..eaed836296b 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -1006,7 +1006,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 84458d5b594..0f3baaeeada 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -996,7 +996,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index f0096c9ca31..335c6c92f35 100644 
--- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -1010,7 +1010,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index ef7b475fb49..03cfe5ba7dd 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml @@ -835,7 +835,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 0c492e46df8..97164b40cec 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -926,7 +926,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 41ea287c3db..1aeb3d33bcb 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -877,7 +877,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index ac63b388d1e..ea682043f63 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml @@ -946,7 +946,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index 76e6d42d55f..087bda51da3 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -940,7 +940,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index f4d1515adcd..a9afcce7c65 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -955,7 +955,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 1c2b191584b..a94d0b3430f 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -1285,7 +1285,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index f463f428914..4199f90cb5d 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -940,7 +940,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index 19a8695c53a..67696843390 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -863,7 +863,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 2ecc81fafc9..d082d0e1d34 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -967,7 +967,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index afbbf2c1287..bbf2b0f03bf 100644 
--- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -1019,7 +1019,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 4d70f5f2ea5..1234da984fa 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -998,7 +998,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 6bc95922fcc..092713452fc 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -1554,7 +1554,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 455f4056081..ea5bda727fa 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -1055,7 +1055,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index fd4a1e783f1..93b22bd7e56 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml @@ -1075,7 +1075,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index dca6f91040e..15b7aec906d 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1011,7 +1011,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 5d958e225e1..98bdde87090 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -1085,7 +1085,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 01f44ad9a70..8e2c5fb7823 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml 
@@ -1039,7 +1039,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index d2094d1b279..958b4bc31ba 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1110,7 +1110,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index a84039ea97a..39f5b5d5636 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml @@ -1007,7 +1007,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index fd0577815e3..4701b51e9d2 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -930,7 +930,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 8519bd62690..2132ad0d3d5 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml 
@@ -878,7 +878,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 04a15df9f50..d719c771237 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -928,7 +928,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 70fc0d23eb0..da706402d3a 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -906,7 +906,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 09c8f9a1254..e4b8bcf0ff7 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -1045,7 +1045,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index d4add74bed5..9d762bc196d 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml @@ -958,7 +958,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index be0d09e5d25..0510481447a 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1099,7 +1099,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index a0caa46ba8e..1962b863045 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -956,7 +956,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index 63c7f129aab..cf548406c46 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml 
@@ -867,7 +867,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index db3ad7a218b..639e3bf25ba 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -1071,7 +1071,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 3c3b2a6a051..e52ce394415 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -1021,7 +1021,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index 58ec9380b6e..5934846b8ce 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -995,7 +995,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 6ed3a44aa20..ccd5c3979f5 100644 
--- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml @@ -1002,7 +1002,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index da205be8a3b..2f111ad7500 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1813,7 +1813,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index c5c47de6b65..b227dd2e884 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1283,7 +1283,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 000454e8b91..3d50ff40740 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1694,7 +1694,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} 
diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index 058d7779dac..2a28792f5fe 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -1548,7 +1548,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index fb502dd5b15..26b2f7b93b9 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1332,7 +1332,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 412d0bd5e69..292ec972b79 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -882,7 +882,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index d2601f56ab3..289fd6d0ad9 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml 
@@ -1036,7 +1036,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index b6b8f3d0746..495c184ddc4 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1028,7 +1028,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index 11be97e88c1..2b564ac9e75 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -985,7 +985,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index bf2d3d866dc..5f692c8b1d4 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -945,7 +945,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index c45bd70aef0..5093b004c41 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -935,7 +935,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 9fc0f174f7a..5a9f8616f25 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1041,7 +1041,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index f4c055772e6..97911364407 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -882,7 +882,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index efae253e5bd..096f664d70e 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml 
@@ -970,7 +970,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index 2ee00c2a3c9..5effded3daf 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -832,7 +832,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index 66eb91592a7..b467cf91626 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -1063,7 +1063,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index a39d79d7ae6..d40c5abd212 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -1024,7 +1024,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 065797f4819..4d2e6c702ff 100644 --- a/.github/workflows/typist.lock.yml 
+++ b/.github/workflows/typist.lock.yml @@ -963,7 +963,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index e3be25e2f4b..a0db3af5687 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -933,7 +933,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 18f4fc95254..442e3bac3fc 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -1182,7 +1182,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 05babd3597d..7e46908e5ef 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -930,7 +930,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index e28bfc8b36c..35203e26a93 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -962,7 +962,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 0f0d7c66a6c..1b7ecc4c1f7 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -996,7 +996,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index d68b976972b..983115db343 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1069,7 +1069,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index ee47625a968..de42e08ae65 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml 
@@ -969,7 +969,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 465390912e3..346c7ec2bf4 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -972,7 +972,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + contents: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/pkg/workflow/detection_permissions_test.go b/pkg/workflow/detection_permissions_test.go new file mode 100644 index 00000000000..b031509c877 --- /dev/null +++ b/pkg/workflow/detection_permissions_test.go 
@@ -0,0 +1,118 @@
+//go:build !integration
+
+package workflow
+
+import (
+ "os"
+ "path/filepath"
+ "testing"
+
+ "github.com/github/gh-aw/pkg/stringutil"
+ "github.com/github/gh-aw/pkg/testutil"
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+)
+
+// TestDetectionJobPermissionsWithCheckout verifies that detection job has
+// contents: read permission when it includes a checkout step (dev/script mode)
+func TestDetectionJobPermissionsWithCheckout(t *testing.T) {
+ tmpDir := testutil.TempDir(t, "test-*")
+ workflowPath := filepath.Join(tmpDir, "test-workflow.md")
+
+ frontmatter := `---
+on: workflow_dispatch
+permissions:
+ contents: read
+engine: copilot
+safe-outputs:
+ create-issue:
+---
+
+# Test
+
+Create an issue.
+`
+
+ err := os.WriteFile(workflowPath, []byte(frontmatter), 0644)
+ require.NoError(t, err, "Failed to write workflow file")
+
+ compiler := NewCompiler()
+ // Set to dev mode to trigger checkout (dev is also the default)
+ compiler.actionMode = ActionModeDev
+
+ err = compiler.CompileWorkflow(workflowPath)
+ require.NoError(t, err, "Failed to compile workflow")
+
+ // Read the compiled YAML
+ lockPath := stringutil.MarkdownToLockFile(workflowPath)
+ yamlBytes, err := os.ReadFile(lockPath)
+ require.NoError(t, err, "Failed to read compiled YAML")
+ yaml := string(yamlBytes)
+
+ // Check that detection job exists
+ assert.Contains(t, yaml, "detection:", "Detection job not found in compiled YAML")
+
+ // Check that detection job has checkout step
+ assert.Contains(t, yaml, "Checkout actions folder", "Detection job should have checkout step in dev mode")
+
+ // Extract detection job section using existing helper
+ detectionSection := extractJobSection(yaml, "detection")
+ require.NotEmpty(t, detectionSection, "Detection job section should not be empty")
+
+ // Verify that detection job has contents: read permission
+ assert.Contains(t, detectionSection, "permissions:", "Detection job should have permissions field")
+ assert.Contains(t, detectionSection, "contents: read", "Detection job should have contents: read permission when checkout is needed")
+
+ // Verify it's NOT using empty permissions
+ assert.NotContains(t, detectionSection, "permissions: {}", "Detection job should not have empty permissions when checkout is needed")
+}
+
+// TestDetectionJobPermissionsWithoutCheckout verifies that detection job has
+// empty permissions when no checkout is needed (release mode)
+func TestDetectionJobPermissionsWithoutCheckout(t *testing.T) {
+ tmpDir := testutil.TempDir(t, "test-*")
+ workflowPath := filepath.Join(tmpDir, "test-workflow.md")
+
+ frontmatter := `---
+on: workflow_dispatch
+permissions:
+ contents: read
+engine: copilot
+safe-outputs:
+ create-issue:
+---
+
+# Test
+
+Create an issue.
+`
+
+ err := os.WriteFile(workflowPath, []byte(frontmatter), 0644)
+ require.NoError(t, err, "Failed to write workflow file")
+
+ compiler := NewCompiler()
+ // Set to release mode - no checkout needed
+ compiler.actionMode = ActionModeRelease
+
+ err = compiler.CompileWorkflow(workflowPath)
+ require.NoError(t, err, "Failed to compile workflow")
+
+ // Read the compiled YAML
+ lockPath := stringutil.MarkdownToLockFile(workflowPath)
+ yamlBytes, err := os.ReadFile(lockPath)
+ require.NoError(t, err, "Failed to read compiled YAML")
+ yaml := string(yamlBytes)
+
+ // Check that detection job exists
+ assert.Contains(t, yaml, "detection:", "Detection job not found in compiled YAML")
+
+ // Extract detection job section using existing helper
+ detectionSection := extractJobSection(yaml, "detection")
+ require.NotEmpty(t, detectionSection, "Detection job section should not be empty")
+
+ // In release mode, checkout should not be present in detection job
+ assert.NotContains(t, detectionSection, "Checkout actions folder", "Detection job should not have checkout step in release mode")
+
+ // Empty permissions are acceptable when no checkout is needed
+ assert.Contains(t, detectionSection, "permissions: {}", "Detection job can have empty permissions in release mode")
+}
diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go
index 2c68c47290b..e248b7f7bc9 100644
--- a/pkg/workflow/threat_detection.go
+++ b/pkg/workflow/threat_detection.go
@@ -106,6 +106,20 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin
 steps := c.buildThreatDetectionSteps(data, mainJobName)
 threatLog.Printf("Generated %d steps for threat detection job", len(steps))
+ // Determine if checkout is needed (dev or script mode with actions checkout)
+ needsContentsRead := (c.actionMode.IsDev() || c.actionMode.IsScript()) && len(c.generateCheckoutActionsFolder(data)) > 0
+ if needsContentsRead {
+ threatLog.Print("Detection job needs contents:read permission for checkout")
+ }
+
+ // Set permissions based on whether checkout is needed
+ var permissions string
+ if needsContentsRead {
+ permissions = NewPermissionsContentsRead().RenderToYAML()
+ } else {
+ permissions = NewPermissionsEmpty().RenderToYAML()
+ }
+
 // Generate agent concurrency configuration (same as main agent job)
 agentConcurrency := GenerateJobConcurrencyConfig(data)
@@ -127,7 +141,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin
 Name: string(constants.DetectionJobName),
 If: condition.Render(),
 RunsOn: "runs-on: ubuntu-latest",
- Permissions: NewPermissionsEmpty().RenderToYAML(),
+ Permissions: permissions,
 Concurrency: c.indentYAMLLines(agentConcurrency, " "),
 TimeoutMinutes: 10,
 Steps: steps,
diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go
index 2937fc0991b..f6dfb05f936 100644
--- a/pkg/workflow/threat_detection_test.go
+++ b/pkg/workflow/threat_detection_test.go
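Review bot: TestDetectionJobPermissionsWithCheckout proves that `contents: read` appears in the detection job but never that it is the only scope granted, so the least-privilege property this change is about is not actually pinned: `assert.Contains(t, detectionSection, "contents: read", …)` still passes if a later change adds further scopes or a write permission to the same block. Assert the rendered permissions block exactly, and add a negative guard such as `assert.NotContains(t, detectionSection, "write", "Detection job must not gain write scopes")`. The two functions also duplicate every line of setup apart from `compiler.actionMode`; a table over dev, script and release would be shorter and would cover script mode, which the implementation in threat_detection.go treats like dev but no test here exercises.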
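Review bot: `needsContentsRead` re-derives whether a checkout step exists from the action mode plus a second call to `c.generateCheckoutActionsFolder(data)`, instead of from the `steps` that `buildThreatDetectionSteps` returned two lines above, so the grant and the step can drift apart if the step builder's condition changes — either the checkout fails or the job is handed a token scope it never uses. Have `buildThreatDetectionSteps` report whether it injected the checkout (or compute the flag once and pass it to both) so a single predicate drives both the step and the permission. The two `if needsContentsRead` blocks can collapse into one by initialising `permissions := NewPermissionsEmpty().RenderToYAML()` and overriding it in the branch that also logs; the log text `contents:read` should also match the YAML spelling `contents: read` so it is searchable against the lock files. Since the job now carries a token with `contents: read`, it is worth confirming that the injected checkout step sets `persist-credentials: false` (not visible here) so the token is not left in the workspace git config for the later detection steps. buildThreatDetectionJob begins before this hunk.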
@@ -225,8 +225,14 @@ func TestBuildThreatDetectionJob(t *testing.T) {
 if job.RunsOn != "runs-on: ubuntu-latest" {
 t.Errorf("Expected ubuntu-latest runner, got %q", job.RunsOn)
 }
- if job.Permissions != "permissions: {}" {
- t.Errorf("Expected 'permissions: {}', got %q", job.Permissions)
+ // In dev mode (default), detection job should have contents: read permission for checkout
+ // In release mode, it should have empty permissions
+ expectedPerms := "permissions:\n contents: read"
+ if compiler.actionMode.IsRelease() {
+ expectedPerms = "permissions: {}"
+ }
+ if job.Permissions != expectedPerms {
+ t.Errorf("Expected %q, got %q", expectedPerms, job.Permissions)
 }
 if len(job.Needs) != 1 || job.Needs[0] != tt.mainJobName {
 t.Errorf("Expected job to depend on %q, got %v", tt.mainJobName, job.Needs)
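Review bot: The new assertion derives `expectedPerms` from `compiler.actionMode.IsRelease()`, the same predicate the production code branches on, so it mirrors the implementation rather than pinning behaviour, and because `compiler` is constructed outside this hunk and is presumably not varied per `tt` row, the release branch of this assertion is never exercised. Make the action mode a column of the table and spell the expected string out per row, e.g. `{name: "release", mode: ActionModeRelease, wantPerms: "permissions: {}"}`, then compare `job.Permissions != tt.wantPerms`. TestBuildThreatDetectionJob and its table definition start before this hunk.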