From 1d2a44b600630b413297b23283ce8429f4149b29 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 27 Oct 2025 12:17:57 +0000 Subject: [PATCH 1/4] Initial plan From b99e01f4a263763661a31e37d377d426aaeef360 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 27 Oct 2025 12:25:13 +0000 Subject: [PATCH 2/4] Initial exploration - understanding the issue Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .../github-agentic-workflows.instructions.md | 32 ++++--------------- 1 file changed, 7 insertions(+), 25 deletions(-) diff --git a/.github/instructions/github-agentic-workflows.instructions.md b/.github/instructions/github-agentic-workflows.instructions.md index e67998560f5..2fd2f0cfd06 100644 --- a/.github/instructions/github-agentic-workflows.instructions.md +++ b/.github/instructions/github-agentic-workflows.instructions.md @@ -36,11 +36,11 @@ The YAML frontmatter supports these fields: ### Core GitHub Actions Fields - **`on:`** - Workflow triggers (required) - - String: `"push"`, `"issues"`, `"workflow_dispatch"`, etc. + - String: `"push"`, `"issues"`, etc. - Object: Complex trigger configuration - Special: `command:` for /mention triggers - **`stop-after:`** - Can be included in the `on:` object to set a deadline for workflow execution. Supports absolute timestamps ("YYYY-MM-DD HH:MM:SS") or relative time deltas (+25h, +3d, +1d12h30m). Uses precise date calculations that account for varying month lengths. - + - **`permissions:`** - GitHub token permissions - Object with permission levels: `read`, `write`, `none` - Available permissions: `contents`, `issues`, `pull-requests`, `discussions`, `actions`, `checks`, `statuses`, `models`, `deployments`, `security-events` 
@@ -51,12 +51,7 @@ The YAML frontmatter supports these fields: - **`env:`** - Environment variables (object or string) - **`if:`** - Conditional execution expression (string) - **`run-name:`** - Custom workflow run name (string) -- **`name:`** - Workflow name displayed in GitHub Actions interface (string). Defaults to filename without extension if not specified. - - Examples: `"Copilot Agent PR Analysis"`, `"Dev Hawk"`, `"Smoke Claude"` -- **`description:`** - Optional workflow description rendered as a comment in generated `.lock.yml` file (string) - - Example: `"Quickstart for using the GitHub Actions library"` -- **`source:`** - Optional source reference indicating where workflow was added from (string). Format: `owner/repo/path@ref`. Rendered as a comment in generated lock file. - - Examples: `"githubnext/agentics/workflows/ci-doctor.md"`, `"githubnext/agentics/workflows/daily-perf-improver.md@1f181b37d3fe5862ab590648f25a292e345b5de6"` +- **`name:`** - Workflow name (string) - **`steps:`** - Custom workflow steps (object) - **`post-steps:`** - Custom workflow steps to run after AI execution (object) @@ -613,29 +608,16 @@ Import shared components using the `imports:` field in frontmatter: on: issues engine: copilot imports: - - shared/jqschema.md - - shared/reporting.md - - shared/mcp/gh-aw.md + - shared/security-notice.md + - shared/tool-setup.md + - shared/mcp/tavily.md --- ``` -**Additional Examples:** -```yaml -# Import relative to current workflow location -imports: - - ../instructions/documentation.instructions.md - -# Import multiple shared configurations -imports: - - shared/mcp/gh-aw.md - - shared/jqschema.md - - shared/reporting.md -``` - ### Import File Structure Import files are in `.github/workflows/shared/` and can contain: - Tool configurations (frontmatter only) -- Text content +- Text content - Mixed frontmatter + content Example import file with tools: From 9626bbc960108d2395dbce710f7f458cbc36b855 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 27 Oct 2025 12:29:48 +0000 Subject: [PATCH 3/4] Add explicit permissions to 7 workflows Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/daily-news.lock.yml | 10 ++++++++-- .github/workflows/daily-news.md | 5 +++++ .github/workflows/notion-issue-summary.lock.yml | 10 ++++++++-- .github/workflows/notion-issue-summary.md | 4 ++++ .github/workflows/smoke-claude.lock.yml | 8 ++++++-- .github/workflows/smoke-claude.md | 3 +++ .github/workflows/smoke-codex.lock.yml | 8 ++++++-- .github/workflows/smoke-codex.md | 3 +++ .github/workflows/smoke-copilot.firewall.lock.yml | 8 ++++++-- .github/workflows/smoke-copilot.firewall.md | 3 +++ .github/workflows/smoke-copilot.lock.yml | 8 ++++++-- .github/workflows/smoke-copilot.md | 3 +++ .github/workflows/smoke-opencode.lock.yml | 8 ++++++-- .github/workflows/smoke-opencode.md | 3 +++ 14 files changed, 70 insertions(+), 14 deletions(-) diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 3ac48a09774..d1c7a84a9fc 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -31,7 +31,10 @@ name: "Daily News" - cron: 0 9 * * 1-5 workflow_dispatch: null -permissions: read-all +permissions: + actions: read + contents: read + discussions: write concurrency: group: "gh-aw-${{ github.workflow }}" @@ -61,7 +64,10 @@ jobs: agent: needs: activation runs-on: ubuntu-latest - permissions: read-all + permissions: + actions: read + contents: read + discussions: write concurrency: group: "gh-aw-copilot-${{ github.workflow }}" env: diff --git a/.github/workflows/daily-news.md b/.github/workflows/daily-news.md index 77454d6f8d1..0d79acc5b1a 100644 --- a/.github/workflows/daily-news.md +++ b/.github/workflows/daily-news.md 
@@ -5,6 +5,11 @@ on:
 - cron: "0 9 * * 1-5"
 workflow_dispatch:
+permissions:
+ contents: read
+ discussions: write
+ actions: read
+
 engine: copilot
 network:
diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml
index 68626d59882..e3928af150b 100644
--- a/.github/workflows/notion-issue-summary.lock.yml
+++ b/.github/workflows/notion-issue-summary.lock.yml
@@ -26,7 +26,10 @@ name: "Issue Summary to Notion"
 required: true
 type: string
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
+ issues: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -56,7 +59,10 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
+ issues: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/notion-issue-summary.md b/.github/workflows/notion-issue-summary.md
index d5dcd378e7b..7dc6475928f 100644
--- a/.github/workflows/notion-issue-summary.md
+++ b/.github/workflows/notion-issue-summary.md
@@ -6,6 +6,10 @@ on:
 description: "Issue number to analyze"
 required: true
 type: string
+permissions:
+ contents: read
+ issues: read
+ actions: read
 tools:
 github:
 imports:
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index 118415bda6e..4a4003ad818 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -25,7 +25,9 @@ name: "Smoke Claude"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -55,7 +57,9 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-claude.md b/.github/workflows/smoke-claude.md
index c04ffff50f0..fc66531a467 100644
--- a/.github/workflows/smoke-claude.md
+++ b/.github/workflows/smoke-claude.md
@@ -3,6 +3,9 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
 name: Smoke Claude
 engine: claude
 tools:
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index 717b9179170..35d1397a31b 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -25,7 +25,9 @@ name: "Smoke Codex"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -55,7 +57,9 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-codex-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-codex.md b/.github/workflows/smoke-codex.md
index dd6a9337e25..492d9531176 100644
--- a/.github/workflows/smoke-codex.md
+++ b/.github/workflows/smoke-codex.md
@@ -3,6 +3,9 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
 name: Smoke Codex
 engine: codex
 tools:
diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml
index 0672c67acce..8129f6e66d6 100644
--- a/.github/workflows/smoke-copilot.firewall.lock.yml
+++ b/.github/workflows/smoke-copilot.firewall.lock.yml
@@ -25,7 +25,9 @@ name: "Smoke Copilot Firewall"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -55,7 +57,9 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-copilot.firewall.md b/.github/workflows/smoke-copilot.firewall.md
index 504c852a539..ea0a6c71da2 100644
--- a/.github/workflows/smoke-copilot.firewall.md
+++ b/.github/workflows/smoke-copilot.firewall.md
@@ -3,6 +3,9 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
 name: Smoke Copilot Firewall
 engine: copilot
 network:
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index e6841a700d8..35cb290b0b9 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -25,7 +25,9 @@ name: "Smoke Copilot"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -55,7 +57,9 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-copilot.md b/.github/workflows/smoke-copilot.md
index 7fbae14503a..d7551ea0174 100644
--- a/.github/workflows/smoke-copilot.md
+++ b/.github/workflows/smoke-copilot.md
@@ -3,6 +3,9 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
 name: Smoke Copilot
 engine: copilot
 network:
diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml
index 8cc90292069..112672fc3fc 100644
--- a/.github/workflows/smoke-opencode.lock.yml
+++ b/.github/workflows/smoke-opencode.lock.yml
@@ -29,7 +29,9 @@ name: "Smoke OpenCode"
 - cron: 0 0,6,12,18 * * *
 workflow_dispatch: null
-permissions: read-all
+permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -59,7 +61,9 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions: read-all
+ permissions:
+ actions: read
+ contents: read
 concurrency:
 group: "gh-aw-custom-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-opencode.md b/.github/workflows/smoke-opencode.md
index fba5d428fa3..e7a7671408f 100644
--- a/.github/workflows/smoke-opencode.md
+++ b/.github/workflows/smoke-opencode.md
@@ -3,6 +3,9 @@ on:
 schedule:
 - cron: "0 0,6,12,18 * * *" # Every 6 hours
 workflow_dispatch:
+permissions:
+ contents: read
+ actions: read
 name: Smoke OpenCode
 imports:
 - shared/opencode.md
From b9fcf8701885d062133f3d607a790c5e818318f0 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Oct 2025 12:51:07 +0000
Subject: [PATCH 4/4] Add pull-requests: read to smoke workflows and read-all to daily-news
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/daily-news.lock.yml | 10 ++--------
 .github/workflows/daily-news.md | 5 +----
 .github/workflows/smoke-claude.lock.yml | 2 ++
 .github/workflows/smoke-claude.md | 1 +
 .github/workflows/smoke-codex.lock.yml | 2 ++
 .github/workflows/smoke-codex.md | 1 +
 .github/workflows/smoke-copilot.firewall.lock.yml | 2 ++
 .github/workflows/smoke-copilot.firewall.md | 1 +
 .github/workflows/smoke-copilot.lock.yml | 2 ++
 .github/workflows/smoke-copilot.md | 1 +
 .github/workflows/smoke-opencode.lock.yml | 2 ++
 .github/workflows/smoke-opencode.md | 1 +
 12 files changed, 18 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml
index d1c7a84a9fc..3ac48a09774 100644
--- a/.github/workflows/daily-news.lock.yml
+++ b/.github/workflows/daily-news.lock.yml
@@ -31,10 +31,7 @@ name: "Daily News"
 - cron: 0 9 * * 1-5
 workflow_dispatch: null
-permissions:
- actions: read
- contents: read
- discussions: write
+permissions: read-all
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -64,10 +61,7 @@ jobs:
 agent:
 needs: activation
 runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- discussions: write
+ permissions: read-all
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/daily-news.md b/.github/workflows/daily-news.md
index 0d79acc5b1a..2536c4518d6 100644
--- a/.github/workflows/daily-news.md
+++ b/.github/workflows/daily-news.md
@@ -5,10 +5,7 @@ on:
 - cron: "0 9 * * 1-5"
 workflow_dispatch:
-permissions:
- contents: read
- discussions: write
- actions: read
+permissions: read-all
 engine: copilot
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index 4a4003ad818..0bf83a4421f 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -28,6 +28,7 @@ name: "Smoke Claude"
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -60,6 +61,7 @@ jobs:
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-claude.md b/.github/workflows/smoke-claude.md
index fc66531a467..5026fa4df91 100644
--- a/.github/workflows/smoke-claude.md
+++ b/.github/workflows/smoke-claude.md
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
 actions: read
+ pull-requests: read
 name: Smoke Claude
 engine: claude
 tools:
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index 35d1397a31b..a49e7ca637d 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
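Review bot: In the daily-news.md hunk, the new `permissions: read-all` hands the agent job read access to every token scope GitHub offers, not just the three scopes (`contents`, `discussions`, `actions`) that the previous patch in this same series spelled out, and neither the frontmatter nor the commit message says which extra scope turned out to be needed. Each additional readable scope (`read-all` includes, for example, `security-events`, `packages` and `deployments`) is data an LLM agent could be induced to leak by injected content, and this workflow has a `network:` section just below the hunk, so it has an egress path. If the explicit block was dropped because the agent job must not carry a write scope, keeping the explicit list and only demoting the one scope — `contents: read`, `actions: read`, `discussions: read` — achieves that without the blanket grant; if a different read scope was genuinely missing, name it in the block and in the commit message. The same revert is mirrored in daily-news.lock.yml, which the instructions file earlier in this series describes as generated from the frontmatter, so fixing the `.md` should be enough.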
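Review bot: In the smoke-claude.md hunk, `pull-requests: read` is added (and again in the five sibling smoke workflows later in this patch) with nothing in the frontmatter or the commit message saying which tool or step needs it, so the next person tightening permissions cannot tell whether it is safe to drop. These workflows trigger on `schedule` and `workflow_dispatch` rather than on pull-request events, so the need is not obvious from the trigger; presumably one of the `tools:` entries, which are cut off at the bottom of the hunk, reads pull requests. A one-line comment on the scope would record that, e.g. `pull-requests: read  # needed by <tool>; drop if that tool is removed`, with the actual tool named. Listing the scopes in the same (alphabetical) order the generated lock file uses — `actions`, `contents`, `pull-requests` — would also make the two files easier to compare.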
@@ -28,6 +28,7 @@ name: "Smoke Codex"
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -60,6 +61,7 @@ jobs:
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-codex-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-codex.md b/.github/workflows/smoke-codex.md
index 492d9531176..2022f41284f 100644
--- a/.github/workflows/smoke-codex.md
+++ b/.github/workflows/smoke-codex.md
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
 actions: read
+ pull-requests: read
 name: Smoke Codex
 engine: codex
 tools:
diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml
index 8129f6e66d6..da37bbf076d 100644
--- a/.github/workflows/smoke-copilot.firewall.lock.yml
+++ b/.github/workflows/smoke-copilot.firewall.lock.yml
@@ -28,6 +28,7 @@ name: "Smoke Copilot Firewall"
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -60,6 +61,7 @@ jobs:
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-copilot.firewall.md b/.github/workflows/smoke-copilot.firewall.md
index ea0a6c71da2..2a2fe380a18 100644
--- a/.github/workflows/smoke-copilot.firewall.md
+++ b/.github/workflows/smoke-copilot.firewall.md
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
 actions: read
+ pull-requests: read
 name: Smoke Copilot Firewall
 engine: copilot
 network:
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 35cb290b0b9..9a79c6d83e9 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -28,6 +28,7 @@ name: "Smoke Copilot"
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -60,6 +61,7 @@ jobs:
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-copilot.md b/.github/workflows/smoke-copilot.md
index d7551ea0174..267121dac6f 100644
--- a/.github/workflows/smoke-copilot.md
+++ b/.github/workflows/smoke-copilot.md
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
 actions: read
+ pull-requests: read
 name: Smoke Copilot
 engine: copilot
 network:
diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml
index 112672fc3fc..3fd913a6429 100644
--- a/.github/workflows/smoke-opencode.lock.yml
+++ b/.github/workflows/smoke-opencode.lock.yml
@@ -32,6 +32,7 @@ name: "Smoke OpenCode"
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-${{ github.workflow }}"
@@ -64,6 +65,7 @@ jobs:
 permissions:
 actions: read
 contents: read
+ pull-requests: read
 concurrency:
 group: "gh-aw-custom-${{ github.workflow }}"
 env:
diff --git a/.github/workflows/smoke-opencode.md b/.github/workflows/smoke-opencode.md
index e7a7671408f..334c36e930a 100644
--- a/.github/workflows/smoke-opencode.md
+++ b/.github/workflows/smoke-opencode.md
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
 actions: read
+ pull-requests: read
 name: Smoke OpenCode
 imports:
 - shared/opencode.md