github · pelikhan · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026 · Copilot
diff --git a/docs/src/content/docs/reference/safe-outputs.md b/docs/src/content/docs/reference/safe-outputs.md
@@ -476,6 +476,8 @@ Optionally include `item_url` (GitHub issue URL) to add the issue as the first p
 
 Manages GitHub Projects boards. Requires a write-capable PAT or GitHub App token ([project token authentication](/gh-aw/patterns/project-ops/#project-token-authentication)); default `GITHUB_TOKEN` lacks Projects v2 access. Update-only by default; set `create_if_missing: true` to create boards (requires appropriate token permissions).
 
+When using `github-app`, issue-backed project item resolution also requires `issues: read` on the minted token (in addition to `organization-projects: write`).
-When using `github-app`, issue-backed project item resolution also requires `issues: read` on the minted token (in addition to `organization-projects: write`).
+When using `github-app`, issue-backed project item resolution requires `issues: read` on the minted token (in addition to `organization-projects: write`). This applies to `update-project`, and also to `create-project` when `item_url` is used to resolve an issue into a project item.
-When using `github-app`, issue-backed project item resolution also requires `issues: read` on the minted token (in addition to `organization-projects: write`).
+When using `github-app`, issue-backed project item resolution requires `issues: read` on the minted token (in addition to `organization-projects: write`). This applies to `update-project`, and also to `create-project` when `item_url` is used to resolve an issue into a project item.
+
 ```yaml wrap
 safe-outputs:
   update-project:

diff --git a/pkg/workflow/safe_outputs_app_test.go b/pkg/workflow/safe_outputs_app_test.go
@@ -161,3 +161,44 @@ Test workflow with discussions permission.
 	assert.Contains(t, stepsStr, "permission-contents: read", "GitHub App token should include contents read permission")
 	assert.Contains(t, stepsStr, "permission-issues: write", "GitHub App token should include issues write permission (create-discussion falls back to issue)")
 }
+
+// TestSafeOutputsAppTokenUpdateProjectIssuesReadPermission tests that issues read permission
+// is included in the GitHub App token minting step when update-project is configured.
+func TestSafeOutputsAppTokenUpdateProjectIssuesReadPermission(t *testing.T) {
+	compiler := NewCompiler(WithVersion("1.0.0"))
+
+	markdown := `---
+on: issues
+safe-outputs:
+  update-project:
+    project: "https://github.com/orgs/my-org/projects/1"
+  github-app:
+    app-id: ${{ vars.APP_ID }}
+    private-key: ${{ secrets.APP_PRIVATE_KEY }}
+---
+
+# Test Workflow
+
+Test workflow with update-project permissions.
+`
+
+	tmpDir := t.TempDir()
+	testFile := filepath.Join(tmpDir, "test.md")
+	err := os.WriteFile(testFile, []byte(markdown), 0644)
+	require.NoError(t, err, "Failed to write test file")
+
+	workflowData, err := compiler.ParseWorkflowFile(testFile)
+	require.NoError(t, err, "Failed to parse markdown content")
+	require.NotNil(t, workflowData.SafeOutputs, "SafeOutputs should not be nil")
+	require.NotNil(t, workflowData.SafeOutputs.UpdateProjects, "UpdateProjects should not be nil")
+
+	job, _, err := compiler.buildConsolidatedSafeOutputsJob(workflowData, "main", testFile)
+	require.NoError(t, err, "Failed to build safe_outputs job")
+	require.NotNil(t, job, "Job should not be nil")
+
+	stepsStr := strings.Join(job.Steps, "")
+
+	assert.Contains(t, stepsStr, "permission-organization-projects: write", "GitHub App token should include organization projects write permission")
+	assert.Contains(t, stepsStr, "permission-issues: read", "GitHub App token should include issues read permission for issue-backed project items")
+	assert.Contains(t, stepsStr, "permission-contents: read", "GitHub App token should include contents read permission")
+}
-}
+}
+
+// TestSafeOutputsAppConfigurationCreateProjectWithItemURL tests that create-project with item_url
+// requests issue read permission for GitHub App tokens.
+func TestSafeOutputsAppConfigurationCreateProjectWithItemURL(t *testing.T) {
+	compiler := NewCompiler(WithVersion("1.0.0"))
+
+	markdown := `---
+on: issues
+safe-outputs:
+  create-project:
+    project: "https://github.com/orgs/my-org/projects/1"
+    item_url: "https://github.com/my-org/my-repo/issues/123"
+  github-app:
+    app-id: ${{ vars.APP_ID }}
+    private-key: ${{ secrets.APP_PRIVATE_KEY }}
+---
+
+# Test Workflow
+
+Test workflow with create-project item_url permissions.
+`
+
+	tmpDir := t.TempDir()
+	testFile := filepath.Join(tmpDir, "test.md")
+	err := os.WriteFile(testFile, []byte(markdown), 0644)
+	require.NoError(t, err, "Failed to write test file")
+
+	workflowData, err := compiler.ParseWorkflowFile(testFile)
+	require.NoError(t, err, "Failed to parse markdown content")
+	require.NotNil(t, workflowData.SafeOutputs, "SafeOutputs should not be nil")
+	require.NotNil(t, workflowData.SafeOutputs.CreateProjects, "CreateProjects should not be nil")
+
+	job, _, err := compiler.buildConsolidatedSafeOutputsJob(workflowData, "main", testFile)
+	require.NoError(t, err, "Failed to build safe_outputs job")
+	require.NotNil(t, job, "Job should not be nil")
+
+	stepsStr := strings.Join(job.Steps, "")
+
+	assert.Contains(t, stepsStr, "permission-organization-projects: write", "GitHub App token should include organization projects write permission")
+	assert.Contains(t, stepsStr, "permission-issues: read", "GitHub App token should include issues read permission when create-project resolves an issue from item_url")
+	assert.Contains(t, stepsStr, "permission-contents: read", "GitHub App token should include contents read permission")
+}
-}
+}
+
+// TestSafeOutputsAppConfigurationCreateProjectWithItemURL tests that create-project with item_url
+// requests issue read permission for GitHub App tokens.
+func TestSafeOutputsAppConfigurationCreateProjectWithItemURL(t *testing.T) {
+	compiler := NewCompiler(WithVersion("1.0.0"))
+
+	markdown := `---
+on: issues
+safe-outputs:
+  create-project:
+    project: "https://github.com/orgs/my-org/projects/1"
+    item_url: "https://github.com/my-org/my-repo/issues/123"
+  github-app:
+    app-id: ${{ vars.APP_ID }}
+    private-key: ${{ secrets.APP_PRIVATE_KEY }}
+---
+
+# Test Workflow
+
+Test workflow with create-project item_url permissions.
+`
+
+	tmpDir := t.TempDir()
+	testFile := filepath.Join(tmpDir, "test.md")
+	err := os.WriteFile(testFile, []byte(markdown), 0644)
+	require.NoError(t, err, "Failed to write test file")
+
+	workflowData, err := compiler.ParseWorkflowFile(testFile)
+	require.NoError(t, err, "Failed to parse markdown content")
+	require.NotNil(t, workflowData.SafeOutputs, "SafeOutputs should not be nil")
+	require.NotNil(t, workflowData.SafeOutputs.CreateProjects, "CreateProjects should not be nil")
+
+	job, _, err := compiler.buildConsolidatedSafeOutputsJob(workflowData, "main", testFile)
+	require.NoError(t, err, "Failed to build safe_outputs job")
+	require.NotNil(t, job, "Job should not be nil")
+
+	stepsStr := strings.Join(job.Steps, "")
+
+	assert.Contains(t, stepsStr, "permission-organization-projects: write", "GitHub App token should include organization projects write permission")
+	assert.Contains(t, stepsStr, "permission-issues: read", "GitHub App token should include issues read permission when create-project resolves an issue from item_url")
+	assert.Contains(t, stepsStr, "permission-contents: read", "GitHub App token should include contents read permission")
+}
diff --git a/pkg/workflow/safe_outputs_permissions.go b/pkg/workflow/safe_outputs_permissions.go
@@ -206,6 +206,7 @@ func ComputePermissionsForSafeOutputs(safeOutputs *SafeOutputsConfig) *Permissio
 	if safeOutputs.UpdateProjects != nil && !isHandlerStaged(safeOutputs.Staged, safeOutputs.UpdateProjects.Staged) {
 		safeOutputsPermissionsLog.Print("Adding permissions for update-project")
 		permissions.Merge(NewPermissionsContentsReadProjectsWrite())
+		permissions.Set(PermissionIssues, PermissionRead)
 	}
 	if safeOutputs.CreateProjectStatusUpdates != nil && !isHandlerStaged(safeOutputs.Staged, safeOutputs.CreateProjectStatusUpdates.Staged) {
 		safeOutputsPermissionsLog.Print("Adding permissions for create-project-status-update")

diff --git a/pkg/workflow/safe_outputs_permissions_test.go b/pkg/workflow/safe_outputs_permissions_test.go
@@ -395,6 +395,19 @@ func TestComputePermissionsForSafeOutputs(t *testing.T) {
 				PermissionOrganizationProj: PermissionWrite,
 			},
 		},
+		{
+			name: "update-project requires organization-projects write and issues read",
+			safeOutputs: &SafeOutputsConfig{
+				UpdateProjects: &UpdateProjectConfig{
+					BaseSafeOutputConfig: BaseSafeOutputConfig{Max: strPtr("1")},
+				},
+			},
+			expected: map[PermissionScope]PermissionLevel{
+				PermissionContents:         PermissionRead,
+				PermissionOrganizationProj: PermissionWrite,
+				PermissionIssues:           PermissionRead,
+			},
+		},
 	}
 
 	for _, tt := range tests {