github · pelikhan · Apr 15, 2026 · Apr 15, 2026 · Apr 15, 2026
diff --git a/.changeset/patch-fix-permission-discussions-warning.md b/.changeset/patch-fix-permission-discussions-warning.md
diff --git a/pkg/workflow/safe_outputs_app_config.go b/pkg/workflow/safe_outputs_app_config.go
@@ -261,14 +261,11 @@ func convertPermissionsToAppTokenFields(permissions *Permissions) map[string]str
 	if level, ok := permissions.Get(PermissionStatuses); ok {
 		fields["permission-statuses"] = string(level)
 	}
-	// Note: "permission-discussions" is not a declared input in actions/create-github-app-token's action.yml,
-	// but the action reads ALL INPUT_PERMISSION-* env vars via process.env (see lib/get-permissions-from-inputs.js).
-	// GitHub Actions sets INPUT_PERMISSION-DISCUSSIONS for any `with: permission-discussions:` field, so
-	// the value IS forwarded to the GitHub API despite the "Unexpected input" warning.
-	// Crucially, when ANY permission-* input is specified the action scopes the token to ONLY those permissions
-	// (returning undefined → inherit-all only when zero permission-* inputs are present). Since the compiler
-	// always emits other permission-* fields, omitting permission-discussions causes the minted token to
-	// lack discussions access even when the GitHub App installation has that permission.
+	// "permission-discussions" is a declared input in actions/create-github-app-token v3+.
+	// Crucially, when ANY permission-* input is specified the action scopes the token to ONLY those
+	// permissions (returning undefined → inherit-all only when zero permission-* inputs are present).
+	// Since the compiler always emits other permission-* fields, omitting permission-discussions causes
+	// the minted token to lack discussions access even when the GitHub App installation has that permission.
 	if level, ok := permissions.Get(PermissionDiscussions); ok {
 		fields["permission-discussions"] = string(level)
 	}

diff --git a/pkg/workflow/safe_outputs_app_test.go b/pkg/workflow/safe_outputs_app_test.go
@@ -114,10 +114,9 @@ Test workflow without safe outputs.
 // TestSafeOutputsAppTokenDiscussionsPermission tests that discussions permission is included
 // in the GitHub App token minting step when create-discussion is configured.
 //
-// Although actions/create-github-app-token does not declare "permission-discussions" in its action.yml,
-// the action reads ALL INPUT_PERMISSION-* env vars and forwards them to the GitHub API. When any
-// permission-* input is specified, the token is scoped to only those permissions, so omitting
-// permission-discussions would exclude discussions access from the minted token.
+// actions/create-github-app-token v3+ declares "permission-discussions" as a valid input.
+// When any permission-* input is specified, the action scopes the token to ONLY those permissions,
+// so omitting permission-discussions would exclude discussions access from the minted token.
 func TestSafeOutputsAppTokenDiscussionsPermission(t *testing.T) {
 	compiler := NewCompilerWithVersion("1.0.0")