From 314975d9457595d086a5a8464d6a936a7319f7d8 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Sun, 22 Mar 2026 04:25:49 +0000
Subject: [PATCH] docs: remove stale plugins: field and add dependabot toolset permissions

- Remove the deprecated `plugins:` field from frontmatter-full.md. The field was removed from the schema in #22156 in favor of `dependencies:` + Microsoft APM.
- Update github-tools.md PAT permissions guide to list `security-events` for the dependabot, code_security, secret_protection, and security_advisories toolsets, and add a note that the `dependabot` toolset additionally requires the `vulnerability-alerts` GitHub App permission (added in #22144).

Co-Authored-By: Claude Sonnet 4.6
---
 .../docs/reference/frontmatter-full.md | 25 -------------------
 .../content/docs/reference/github-tools.md | 4 +++
 2 files changed, 4 insertions(+), 25 deletions(-)

diff --git a/docs/src/content/docs/reference/frontmatter-full.md b/docs/src/content/docs/reference/frontmatter-full.md
index 03fa19f7123..d2ff3cc23b2 100644
--- a/docs/src/content/docs/reference/frontmatter-full.md
+++ b/docs/src/content/docs/reference/frontmatter-full.md
@@ -1277,31 +1277,6 @@ sandbox:
 # (optional)
 domain: "localhost"
-# ⚠️ EXPERIMENTAL: Plugin configuration for installing plugins before workflow
-# execution. Supports array format (list of repos/plugin configs) and object
-# format (repos + custom token). Note: Plugin support is experimental and may
-# change in future releases.
-# (optional)
-# This field supports multiple formats (oneOf):
-
-# Option 1: List of plugins to install. Each item can be either a repository slug
-# string (e.g., 'org/repo') or an object with id and optional MCP configuration.
-plugins: []
- # Array items: undefined
-
-# Option 2: Plugin configuration with custom GitHub token. Repos can be either
-# strings or objects with MCP configuration.
-plugins:
- # List of plugins to install. Each item can be either a repository slug string or
- # an object with id and optional MCP configuration.
- repos: []
-
- # Custom GitHub token expression to use for plugin installation. Overrides the
- # default cascading token resolution (GH_AW_PLUGINS_TOKEN -> GH_AW_GITHUB_TOKEN ->
- # GITHUB_TOKEN).
- # (optional)
- github-token: "${{ secrets.GITHUB_TOKEN }}"
-
 # Conditional execution expression
 # (optional)
 if: "example-value"
diff --git a/docs/src/content/docs/reference/github-tools.md b/docs/src/content/docs/reference/github-tools.md
index e7755050d77..76a11b8473c 100644
--- a/docs/src/content/docs/reference/github-tools.md
+++ b/docs/src/content/docs/reference/github-tools.md
@@ -218,9 +218,13 @@ If additional authentication is required, one way is to create a fine-grained PA
 - Issues: Read (for toolset: issues)
 - Pull requests: Read (for toolset: pull_requests)
 - Projects: Read (for toolset: projects)
+ - Security Events: Read (for toolset: dependabot, code_security, secret_protection, security_advisories)
 - Lockdown mode: no additional permissions required
 - Remote mode: no additional permissions required
 - Adjust based on the toolsets you configure in your workflow
+
+ > [!NOTE]
+ > The `dependabot` toolset also requires the `vulnerability-alerts` GitHub App permission. If you are using a GitHub App (rather than a PAT), add `vulnerability-alerts: read` to your workflow's `permissions:` field and ensure the GitHub App is configured with this permission. See [GitHub App-Only Permissions](/gh-aw/reference/permissions/#github-app-only-permissions).
 - **Organization permissions** (if accessing org-level info):
 - Members: Read (for org member info in context)
 - Teams: Read (for team info in context)