From 501ae9e1371620868fbaa1bc72c7c82bb7f5ade5 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 15:55:30 +0000
Subject: [PATCH 1/2] Initial plan
From 718dc5ff62cf11be63a97b09d4a732e35c31c599 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 24 Mar 2026 16:15:14 +0000
Subject: [PATCH 2/2] Fix filterJobLevelPermissions to preserve explicit empty permissions: {}
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/393abbf4-cead-4eef-87e8-c28a0a8c08df
---
 pkg/workflow/permissions_operations.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/pkg/workflow/permissions_operations.go b/pkg/workflow/permissions_operations.go
index 534ea0e113a..95ec7ffc822 100644
--- a/pkg/workflow/permissions_operations.go
+++ b/pkg/workflow/permissions_operations.go
@@ -42,6 +42,13 @@ func filterJobLevelPermissions(rawPermissionsYAML string) string {
 filtered := NewPermissionsParser(rawPermissionsYAML).ToPermissions()
 rendered := filtered.RenderToYAML()
 if rendered == "" {
+ // If the raw permissions YAML was an explicit empty block (permissions: {}), preserve
+ // it at the job level. Without this check, "permissions: {}" would be silently dropped,
+ // leaving the job without any permissions block and causing it to inherit the workflow-
+ // level permissions instead of having its own explicit empty block.
+ if strings.TrimSpace(rawPermissionsYAML) == "permissions: {}" {
+ return "permissions: {}"
+ }
 return ""
 }
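Review bot: The new guard in `filterJobLevelPermissions` compares the trimmed raw text to the single literal `"permissions: {}"`, so any other spelling of an explicit empty block (extra spaces after the colon, `{ }`, a trailing `# comment`) still reaches `return ""`. Per the commit's own comment, the job then inherits the workflow-level permissions, so the check fails open on exactly the inputs where the author asked for no permissions. It would be safer to take the decision from the parsed document than from the raw string, if `NewPermissionsParser` (not visible in this hunk) can report that the input was an empty mapping. Failing that, state the limit in place with `// NOTE: only the exact spelling "permissions: {}" is preserved; other empty forms fall through and inherit workflow-level permissions.` and add a table-driven test that pins which spellings are kept. The function starts and ends outside the hunk, so the non-empty return path was not reviewed.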