From 6de85581a1e089cba61638b7792be43e601a7fdd Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 17 Apr 2026 02:57:26 +0000
Subject: [PATCH 1/2] Initial plan


From 0848534477f3264b627f3c8118b39cbd12aa960b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 17 Apr 2026 03:35:19 +0000
Subject: [PATCH 2/2] fix: allow single string values for on.roles

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/f5382026-a67a-4085-bc57-1668bc13cead
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .../src/content/docs/reference/frontmatter.md |  2 +
 pkg/parser/schemas/main_workflow_schema.json  |  4 +-
 pkg/workflow/role_checks_test.go              | 37 +++++++++++++++++++
 3 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/docs/src/content/docs/reference/frontmatter.md b/docs/src/content/docs/reference/frontmatter.md
index 989896e7e06..fbf74ef1f48 100644
--- a/docs/src/content/docs/reference/frontmatter.md
+++ b/docs/src/content/docs/reference/frontmatter.md
@@ -237,6 +237,8 @@ on:
   roles: all # Allow any user (⚠️ use with caution)
 ```
 
+You can also use a single role string, for example `roles: write`.
+
 Available roles: `admin`, `maintainer`/`maintain`, `write`, `triage`, `read`, `all`. Workflows with unsafe triggers (`push`, `issues`, `pull_request`) automatically enforce permission checks. Failed checks cancel the workflow with a warning.
 
 > [!TIP]
diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json
index c95a4617a58..4dd15e0dabd 100644
--- a/pkg/parser/schemas/main_workflow_schema.json
+++ b/pkg/parser/schemas/main_workflow_schema.json
@@ -1840,8 +1840,8 @@
         "oneOf": [
           {
             "type": "string",
-            "enum": ["all"],
-            "description": "Allow any authenticated user to trigger the workflow (\u26a0\ufe0f disables permission checking entirely - use with caution)"
+            "enum": ["admin", "maintainer", "maintain", "write", "triage", "read", "all"],
+            "description": "Single repository permission level that can trigger the workflow. Use 'all' to allow any authenticated user (\u26a0\ufe0f disables permission checking entirely - use with caution)"
           },
           {
             "type": "array",
diff --git a/pkg/workflow/role_checks_test.go b/pkg/workflow/role_checks_test.go
index f78264989bf..1c5275f6588 100644
--- a/pkg/workflow/role_checks_test.go
+++ b/pkg/workflow/role_checks_test.go
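Review bot: The single-string branch of `on.roles` now validates every permission level, but nothing in this patch changes the Go code that consumes `on.roles` (the diffstat lists only the docs page, this schema and a test), so whether the compiler normalizes a scalar such as `roles: write` into the same role list it emits for the array form cannot be confirmed from the diff. The new `TestRoleMembershipSupportsSingleRoleString` in the role_checks_test.go hunk does not settle it: `assert.Contains(t, compiledStr, "write", ...)` is satisfied by any `permissions:` block that grants `write`, so a scalar that the compiler dropped or treated differently could still pass; asserting on the exact role-list fragment the `check_membership` step emits would pin the behaviour. The array branch's item enum, which starts just below this hunk and is outside it, presumably carries the same seven values; a note on the string branch such as `"$comment": "Keep in sync with the items enum of the array branch below"` would help the two lists from drifting apart.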
@@ -148,6 +148,43 @@ Test that role membership check uses GITHUB_TOKEN with bots.`
 	}
 }
 
+func TestRoleMembershipSupportsSingleRoleString(t *testing.T) {
+	tmpDir := testutil.TempDir(t, "role-membership-single-role-string-test")
+
+	compiler := NewCompiler()
+
+	frontmatter := `---
+on:
+  pull_request:
+    types: [opened]
+  roles: write
+---
+
+# Test Workflow
+Test that on.roles supports a single string permission value.`
+
+	workflowPath := filepath.Join(tmpDir, "role-membership-single-role-string.md")
+	err := os.WriteFile(workflowPath, []byte(frontmatter), 0644)
+	if err != nil {
+		t.Fatalf("Failed to write workflow file: %v", err)
+	}
+
+	err = compiler.CompileWorkflow(workflowPath)
+	if err != nil {
+		t.Fatalf("Expected workflow with on.roles as a single string to compile successfully: %v", err)
+	}
+
+	outputPath := filepath.Join(tmpDir, "role-membership-single-role-string.lock.yml")
+	compiledContent, err := os.ReadFile(outputPath)
+	if err != nil {
+		t.Fatalf("Failed to read compiled workflow: %v", err)
+	}
+
+	compiledStr := string(compiledContent)
+	assert.Contains(t, compiledStr, "id: check_membership", "Compiled workflow should include membership checks for role-gated triggers")
+	assert.Contains(t, compiledStr, "write", "Compiled workflow should require the single role provided as a string")
+}
+
 func TestInferEventsFromTriggers(t *testing.T) {
 	c := &Compiler{}