From 533747ead349502274c590d103947a1e5d6ad198 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 15 Apr 2026 00:30:33 +0000
Subject: [PATCH 1/2] Initial plan

From ff0e354941a95db7c170443de1bc39c21f84cfa7 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Wed, 15 Apr 2026 00:48:12 +0000
Subject: [PATCH 2/2] fix: update permission-discussions comment for actions/create-github-app-token v3+ support

The `permission-discussions` warning was caused by users using an older version of actions/create-github-app-token (e.g. v2.2.1) which didn't declare it as a valid input. The action was pinned to v3.1.1 which properly declares `permission-discussions`, eliminating the "Unexpected input" warning. Updated the outdated code comments that incorrectly stated `permission-discussions` was undeclared, and added a changeset documenting the fix.
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a3eca132-308c-4eaa-baff-d5791d7297c2
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .../patch-fix-permission-discussions-warning.md | 5 +++++
 pkg/workflow/safe_outputs_app_config.go | 13 +++++--------
 pkg/workflow/safe_outputs_app_test.go | 7 +++----
 3 files changed, 13 insertions(+), 12 deletions(-)
 create mode 100644 .changeset/patch-fix-permission-discussions-warning.md
diff --git a/.changeset/patch-fix-permission-discussions-warning.md b/.changeset/patch-fix-permission-discussions-warning.md
new file mode 100644
index 00000000000..907ed717f2d
--- /dev/null
+++ b/.changeset/patch-fix-permission-discussions-warning.md
@@ -0,0 +1,5 @@
+---
+"gh-aw": patch
+---
+
+Fix `permission-discussions` warning from `actions/create-github-app-token`: pin was updated to v3.1.1 which properly declares `permission-discussions` as a valid input, eliminating the "Unexpected input" warning.
diff --git a/pkg/workflow/safe_outputs_app_config.go b/pkg/workflow/safe_outputs_app_config.go
index 06564419f80..2748b422a02 100644
--- a/pkg/workflow/safe_outputs_app_config.go
+++ b/pkg/workflow/safe_outputs_app_config.go
@@ -261,14 +261,11 @@ func convertPermissionsToAppTokenFields(permissions *Permissions) map[string]str
 if level, ok := permissions.Get(PermissionStatuses); ok {
 fields["permission-statuses"] = string(level)
 }
- // Note: "permission-discussions" is not a declared input in actions/create-github-app-token's action.yml,
- // but the action reads ALL INPUT_PERMISSION-* env vars via process.env (see lib/get-permissions-from-inputs.js).
- // GitHub Actions sets INPUT_PERMISSION-DISCUSSIONS for any `with: permission-discussions:` field, so
- // the value IS forwarded to the GitHub API despite the "Unexpected input" warning.
- // Crucially, when ANY permission-* input is specified the action scopes the token to ONLY those permissions
- // (returning undefined → inherit-all only when zero permission-* inputs are present). Since the compiler
- // always emits other permission-* fields, omitting permission-discussions causes the minted token to
- // lack discussions access even when the GitHub App installation has that permission.
+ // "permission-discussions" is a declared input in actions/create-github-app-token v3+.
+ // Crucially, when ANY permission-* input is specified the action scopes the token to ONLY those
+ // permissions (returning undefined → inherit-all only when zero permission-* inputs are present).
+ // Since the compiler always emits other permission-* fields, omitting permission-discussions causes
+ // the minted token to lack discussions access even when the GitHub App installation has that permission.
 if level, ok := permissions.Get(PermissionDiscussions); ok {
 fields["permission-discussions"] = string(level)
 }
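Review bot: The rewritten comment above the `PermissionDiscussions` branch claims the input is declared in "v3+", but the commit message only establishes two data points, v3.1.1 (declared) and v2.2.1 (undeclared), and the comment no longer says what a workflow on an older pin will see. Because the emitted `permission-*` fields define the whole scope of the minted token, I would tie the statement to the version that was actually checked and keep the old-pin behaviour in one line, for example `// Declared as an input as of the pinned actions/create-github-app-token v3.1.1; older releases (e.g. v2.2.1) log "Unexpected input" for it.` The same "v3+" wording is repeated in the doc comment of `TestSafeOutputsAppTokenDiscussionsPermission` in safe_outputs_app_test.go and should be adjusted together. `convertPermissionsToAppTokenFields` starts and ends outside this hunk, so whether the pin itself is enforced anywhere is not visible here.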
diff --git a/pkg/workflow/safe_outputs_app_test.go b/pkg/workflow/safe_outputs_app_test.go
index 18e63c5778c..3dc9cb4efaa 100644
--- a/pkg/workflow/safe_outputs_app_test.go
+++ b/pkg/workflow/safe_outputs_app_test.go
@@ -114,10 +114,9 @@ Test workflow without safe outputs.
 // TestSafeOutputsAppTokenDiscussionsPermission tests that discussions permission is included
 // in the GitHub App token minting step when create-discussion is configured.
 //
-// Although actions/create-github-app-token does not declare "permission-discussions" in its action.yml,
-// the action reads ALL INPUT_PERMISSION-* env vars and forwards them to the GitHub API. When any
-// permission-* input is specified, the token is scoped to only those permissions, so omitting
-// permission-discussions would exclude discussions access from the minted token.
+// actions/create-github-app-token v3+ declares "permission-discussions" as a valid input.
+// When any permission-* input is specified, the action scopes the token to ONLY those permissions,
+// so omitting permission-discussions would exclude discussions access from the minted token.
 func TestSafeOutputsAppTokenDiscussionsPermission(t *testing.T) {
 compiler := NewCompilerWithVersion("1.0.0")