fix: remove invalid permission-discussions from GitHub App token fields#25508
The `actions/create-github-app-token` action does not declare `permission-discussions` as a supported input in its `action.yml` (the generated permissions section has `permission-team-discussions` for org-level team discussions, but not `permission-discussions` for repository discussions). Passing an unsupported input is silently ignored, so the field had no effect. GitHub App installation tokens inherit the full set of app-installation permissions by default, so discussions access works through the app's own permissions. Update the test to verify `permission-discussions` is absent and add a new test case in `TestConvertPermissionsToAppTokenFields_GitHubAppOnly` to document this constraint.

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3b926256-5b9e-401d-9567-b6fab58fd992
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Pull request overview
This PR removes an invalid permission-discussions input from the actions/create-github-app-token minting step generation, and updates tests to ensure the unsupported field is not emitted.
Changes:
- Remove the `PermissionDiscussions` → `permission-discussions` mapping when generating `actions/create-github-app-token` inputs.
- Update the safe-outputs app workflow test to assert `permission-discussions` is absent while other permission inputs remain.
- Add a permissions-validation test case documenting that discussions must not map to `permission-discussions`.
| File | Description |
|---|---|
| pkg/workflow/safe_outputs_app_config.go | Stops emitting an unsupported permission-discussions field and documents the omission rationale. |
| pkg/workflow/safe_outputs_app_test.go | Updates assertions to ensure permission-discussions is not present in the generated token mint step. |
| pkg/workflow/github_app_permissions_validation_test.go | Adds coverage that PermissionDiscussions must not generate permission-discussions input fields. |
Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 3
| // Note: PermissionDiscussions ("discussions") is intentionally NOT mapped to "permission-discussions" | ||
| // here. The actions/create-github-app-token action does NOT declare "permission-discussions" as a | ||
| // supported input (see the generated inputs in its action.yml). Passing an unsupported input would | ||
| // be silently ignored, meaning the discussions scope would never be explicitly set. GitHub App | ||
| // installation tokens inherit the full set of app-installation permissions by default, so the token | ||
| // will have discussions access whenever the GitHub App installation itself was granted that permission. | ||
| // Repository-level discussions operations should therefore work without an explicit permission-discussions | ||
| // field. |
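Review bot: the claim in this comment that the token "will have discussions access whenever the GitHub App installation itself was granted that permission" holds only when the minting step sets no permission-* inputs at all; the PR summary itself states that once explicit permission-* fields are present the token is scoped to only those, and this step still emits permission-contents and permission-issues, so a requested discussions scope is dropped rather than inherited. Suggest rewording the last two sentences to say that discussions access is available only when no explicit permission-* inputs are emitted, and consider either omitting all permission-* inputs or failing generation when a workflow requires discussions, so the gap is visible instead of silent.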
The function-level comment above states this maps all permissions to actions/create-github-app-token permission-* inputs, but PermissionDiscussions is now intentionally excluded. Please update that header comment to reflect this exception so future readers don’t assume discussions will be forwarded like other GitHub Actions scopes.
| // Note: PermissionDiscussions ("discussions") is intentionally NOT mapped to "permission-discussions" | |
| // here. The actions/create-github-app-token action does NOT declare "permission-discussions" as a | |
| // supported input (see the generated inputs in its action.yml). Passing an unsupported input would | |
| // be silently ignored, meaning the discussions scope would never be explicitly set. GitHub App | |
| // installation tokens inherit the full set of app-installation permissions by default, so the token | |
| // will have discussions access whenever the GitHub App installation itself was granted that permission. | |
| // Repository-level discussions operations should therefore work without an explicit permission-discussions | |
| // field. | |
| // Note: this mapper forwards GitHub Actions-compatible permissions to the corresponding | |
| // actions/create-github-app-token "permission-*" inputs, with one intentional exception: | |
| // PermissionDiscussions ("discussions") is NOT mapped to "permission-discussions". | |
| // The actions/create-github-app-token action does NOT declare "permission-discussions" as a | |
| // supported input (see the generated inputs in its action.yml). Passing an unsupported input would | |
| // be silently ignored, meaning the discussions scope would never be explicitly set. GitHub App | |
| // installation tokens inherit the full set of app-installation permissions by default, so the token | |
| // will have discussions access whenever the GitHub App installation itself was granted that permission. | |
| // Repository-level discussions operations should therefore work without an explicit | |
| // permission-discussions field. |
| // Note: PermissionDiscussions ("discussions") is intentionally NOT mapped to "permission-discussions" | ||
| // here. The actions/create-github-app-token action does NOT declare "permission-discussions" as a | ||
| // supported input (see the generated inputs in its action.yml). Passing an unsupported input would | ||
| // be silently ignored, meaning the discussions scope would never be explicitly set. GitHub App | ||
| // installation tokens inherit the full set of app-installation permissions by default, so the token | ||
| // will have discussions access whenever the GitHub App installation itself was granted that permission. | ||
| // Repository-level discussions operations should therefore work without an explicit permission-discussions | ||
| // field. |
This change drops PermissionDiscussions from the token-mint step while still emitting other permission-* fields (e.g., contents/issues). That creates a mismatch where safe_outputs_permissions.go computes discussions: write for create-discussion, but the minted GitHub App token may not actually be granted discussions access because it’s not part of the explicit permissions list. Consider adjusting the token-minting logic for discussion-requiring workflows (e.g., avoid scoping permissions when discussions is required, or use a supported input mechanism if one exists) to ensure create-discussion can still succeed without always relying on fallback-to-issue.
| // TestSafeOutputsAppTokenDiscussionsPermission tests that discussions permission is handled correctly | ||
| // in the GitHub App token minting step. | ||
| // | ||
| // The actions/create-github-app-token action does NOT declare "permission-discussions" as a supported | ||
| // input (its generated action.yml only has "permission-team-discussions" for org-level team discussions). | ||
| // Therefore "permission-discussions" must NOT be emitted in the token mint step — the GitHub App | ||
| // installation token inherits the app's discussion permission from the installation itself. | ||
| func TestSafeOutputsAppTokenDiscussionsPermission(t *testing.T) { |
The test name TestSafeOutputsAppTokenDiscussionsPermission now primarily asserts that permission-discussions is absent (because it’s not a valid action input). Renaming the test to reflect what it actually verifies would prevent confusion about whether the minted token is expected to include discussions permissions.
| // TestSafeOutputsAppTokenDiscussionsPermission tests that discussions permission is handled correctly | |
| // in the GitHub App token minting step. | |
| // | |
| // The actions/create-github-app-token action does NOT declare "permission-discussions" as a supported | |
| // input (its generated action.yml only has "permission-team-discussions" for org-level team discussions). | |
| // Therefore "permission-discussions" must NOT be emitted in the token mint step — the GitHub App | |
| // installation token inherits the app's discussion permission from the installation itself. | |
| func TestSafeOutputsAppTokenDiscussionsPermission(t *testing.T) { | |
| // TestSafeOutputsAppTokenOmitsUnsupportedDiscussionsPermissionInput tests that the unsupported | |
| // "permission-discussions" input is not emitted in the GitHub App token minting step. | |
| // | |
| // The actions/create-github-app-token action does NOT declare "permission-discussions" as a supported | |
| // input (its generated action.yml only has "permission-team-discussions" for org-level team discussions). | |
| // Therefore "permission-discussions" must NOT be emitted in the token mint step — the GitHub App | |
| // installation token inherits the app's discussion permission from the installation itself. | |
| func TestSafeOutputsAppTokenOmitsUnsupportedDiscussionsPermissionInput(t *testing.T) { |
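Review bot: the suggested rename fixes the test name but carries over the doc comment's final sentence ("the GitHub App installation token inherits the app's discussion permission from the installation itself"), which is inaccurate when the same step sets permission-contents and permission-issues, because explicit permission-* inputs scope the token to exactly those inputs. Suggest dropping that sentence from the suggestion, or qualifying it with "only when no other permission-* inputs are set", so the renamed test does not document a guarantee the minting step cannot provide.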
Summary

The `convertPermissionsToAppTokenFields` function was incorrectly generating `permission-discussions: write` in the `actions/create-github-app-token` token minting step. This field is not a declared input in the action's `action.yml`.

Research

Deep-dive into the GitHub docs confirmed: `discussions: write`, `permission-discussions`, `actions/create-github-app-token` input, `action.yml`

The `actions/create-github-app-token` action's `# GENERATED` inputs section includes `permission-team-discussions` (org-level team discussions) but does not include `permission-discussions` (repository discussions). Passing an undeclared input is silently ignored by the GitHub Actions runner, so the field had zero practical effect while producing misleading YAML.

GitHub App installation tokens inherit the full set of app-installation permissions by default. When explicit `permission-*` fields are set, the token is scoped to only those. Since `permission-discussions` was silently ignored, the token already inherited the app's discussions permission from the installation — the explicit (and invalid) field was redundant.

Changes

- `pkg/workflow/safe_outputs_app_config.go`: Remove the `permission-discussions` mapping from `convertPermissionsToAppTokenFields`; add a comment explaining why `discussions` is intentionally omitted.
- `pkg/workflow/safe_outputs_app_test.go`: Update `TestSafeOutputsAppTokenDiscussionsPermission` to assert that `permission-discussions` is absent (not a valid action input), and verify that other permissions (`permission-contents`, `permission-issues`) remain present.
- `pkg/workflow/github_app_permissions_validation_test.go`: Add a test case to `TestConvertPermissionsToAppTokenFields_GitHubAppOnly` documenting that `PermissionDiscussions` must not produce a `permission-discussions` field.

Testing

All workflow package tests pass.
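The behaviour the PR description and the review thread disagree about can be made explicit in code. The following is an added illustration, not gh-aw's `convertPermissionsToAppTokenFields` nor the action's own code: it maps GitHub Actions-style permissions to `permission-*` inputs against an allowlist of inputs the action is known (from this page) to declare, refuses to emit an undeclared input, and separately reports when a requested scope cannot be expressed while other `permission-*` inputs are set, since in that case the minted token is scoped to the explicit inputs and does not inherit the missing scope from the installation. The allowlist (`declaredAppTokenInputs`), the `TokenFieldPlan` type and all function names are assumptions for this example; the real `action.yml` should be consulted for the full input list.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// declaredAppTokenInputs is a constructed subset of the permission-* inputs that
// actions/create-github-app-token declares. Only names that appear on this page are
// listed; "permission-discussions" is deliberately absent, "permission-team-discussions"
// (org-level team discussions) is present. Assumed for this example.
var declaredAppTokenInputs = map[string]bool{
	"permission-contents":         true,
	"permission-issues":           true,
	"permission-team-discussions": true,
}

// TokenFieldPlan is what the minting step would emit plus what it could not express.
type TokenFieldPlan struct {
	Fields      map[string]string // permission-* inputs to emit, e.g. "permission-contents": "read"
	Unexpressed []string          // requested scopes with no declared input (sorted)
}

// PlanAppTokenFields maps scopes such as "contents": "write" to permission-* inputs.
// Scopes without a declared input are recorded instead of emitted, because an
// undeclared input is silently ignored by the runner and would only produce misleading YAML.
func PlanAppTokenFields(perms map[string]string) TokenFieldPlan {
	plan := TokenFieldPlan{Fields: map[string]string{}}
	for scope, level := range perms {
		if level == "" || level == "none" {
			continue // nothing requested for this scope
		}
		input := "permission-" + scope
		if !declaredAppTokenInputs[input] {
			plan.Unexpressed = append(plan.Unexpressed, scope)
			continue
		}
		plan.Fields[input] = level
	}
	sort.Strings(plan.Unexpressed)
	return plan
}

// ScopingGap returns the scopes the minted token will silently lack. With no explicit
// permission-* inputs the token inherits the installation's permissions, so nothing is
// lost; once any input is set the token is scoped to exactly those inputs, and every
// unexpressed scope becomes a real gap rather than an inherited permission.
func ScopingGap(plan TokenFieldPlan) []string {
	if len(plan.Fields) == 0 {
		return nil
	}
	return plan.Unexpressed
}

// RenderStepWith renders the `with:` block of the minting step in a stable key order.
func RenderStepWith(plan TokenFieldPlan) string {
	keys := make([]string, 0, len(plan.Fields))
	for k := range plan.Fields {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("with:\n")
	for _, k := range keys {
		fmt.Fprintf(&b, "  %s: %s\n", k, plan.Fields[k])
	}
	return b.String()
}

func main() {
	// Constructed input: the permission set a create-discussion workflow would compute.
	perms := map[string]string{"contents": "read", "issues": "write", "discussions": "write"}
	plan := PlanAppTokenFields(perms)
	fmt.Print(RenderStepWith(plan))
	if gap := ScopingGap(plan); len(gap) > 0 {
		fmt.Printf("warning: token is scoped to explicit inputs and cannot carry: %v\n", gap)
	}
}
```

Running the example emits `permission-contents` and `permission-issues` and warns that `discussions` is lost, which is the situation the review comment above describes; with a permission set containing only `discussions`, no inputs are emitted and `ScopingGap` reports nothing, because the token then inherits the installation's permissions. A generator that wants to fail closed can turn the non-empty gap into a generation error instead of a warning.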