fix: add contents: read to shared APM job for private repo checkout #28738

Merged
pelikhan merged 2 commits into main from copilot/fix-checkout-step-failure
Apr 27, 2026

Copilot AI commented Apr 27, 2026

The shared apm job had permissions: {}, causing actions/checkout to fail with a misleading "repository not found" when invoked from a private caller repo — the real problem is an insufficient token scope (metadata: read only).

Change

  • shared/apm.md: permissions: {} → permissions: { contents: read } on the apm job so the "Checkout workflow lock files" sparse-checkout step can access private repositories.
-    permissions: {}
+    permissions:
+      contents: read
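Review bot: The added contents: read line under the apm job's permissions: block carries no comment saying why the job needs it. The previous value was the empty permissions: {}, so a later least-privilege cleanup could revert this and bring back the "repository not found" failure in private caller repos; a one-line comment beside the new key naming the "Checkout workflow lock files" step would prevent that. Keep the block limited to this single scope, since every scope not listed in a job-level permissions: block is set to none.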
  • Recompiled lock files to reflect the updated permissions.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

The APM job in shared/apm.md had permissions: {} which prevented
the 'Checkout workflow lock files' step from working in private repos.
Adding contents: read fixes the 'repository not found' error that
occurs when the GITHUB_TOKEN has only metadata: read scope.

Fixes: shared/apm.md checkout step fails in private caller repos

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2f08f1a3-912f-4906-ab6f-d74d297d2cd4

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix checkout step failure in private caller repos" to "fix: add contents: read to shared APM job for private repo checkout" Apr 27, 2026
Copilot AI requested a review from pelikhan April 27, 2026 14:25
@pelikhan pelikhan marked this pull request as ready for review April 27, 2026 14:26
Copilot AI review requested due to automatic review settings April 27, 2026 14:26
@pelikhan pelikhan merged commit 8359733 into main Apr 27, 2026
@pelikhan pelikhan deleted the copilot/fix-checkout-step-failure branch April 27, 2026 14:26

Copilot AI left a comment

Pull request overview

Updates the shared APM job’s GitHub token permissions so actions/checkout can successfully read from private caller repositories (avoiding the misleading “repository not found” error caused by permissions: {}).

Changes:

  • Set the shared apm job permissions to contents: read (instead of {}).
  • Regenerated the compiled/locked workflow output to reflect the permission change.
| File | Description |
| --- | --- |
| .github/workflows/shared/apm.md | Grants contents: read to the apm job so its checkout step can read workflow lock files in private repos. |
| .github/workflows/smoke-claude.lock.yml | Updates the compiled lock file to include the new apm job permissions. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 0
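
The failure mode fixed in this pull request can be caught before merge by checking every job that runs actions/checkout against the contents scope its GITHUB_TOKEN will actually have. The following is an added example, not code from this pull request or from gh-aw; it goes beyond the single apm job to cover workflow-level inheritance and the read-all / write-all shorthands, and the sample workflow, job ids, step names, the `<sha>` ref and the `MIRROR_PAT` secret name are constructed placeholders.

```python
# Added example (not from the gh-aw repository): audit a parsed workflow for
# checkout steps whose job token cannot read repository contents.

CHECKOUT = "actions/checkout"

# Constructed sample: the mapping a YAML loader would return for a workflow.
# Job ids, step names, "<sha>" and MIRROR_PAT are placeholders.
SAMPLE_WORKFLOW = {
    "permissions": {"contents": "read", "issues": "write"},
    "jobs": {
        "apm_before": {
            "permissions": {},  # the setting replaced in this pull request
            "steps": [{"name": "Checkout workflow lock files",
                       "uses": "actions/checkout@<sha>",
                       "with": {"sparse-checkout": ".github/workflows"}}],
        },
        "apm_after": {
            "permissions": {"contents": "read"},
            "steps": [{"name": "Checkout workflow lock files",
                       "uses": "actions/checkout@<sha>",
                       "with": {"sparse-checkout": ".github/workflows"}}],
        },
        "labeler": {
            # Listing any scope sets every unlisted scope, contents included, to none.
            "permissions": {"issues": "write"},
            "steps": [{"name": "checkout", "uses": "actions/checkout@<sha>"}],
        },
        "inherits": {
            # No job-level block: the workflow-level permissions apply.
            "steps": [{"name": "checkout", "uses": "actions/checkout@<sha>"}],
        },
        "mirror": {
            # Checkout authenticates with its own credential, not GITHUB_TOKEN.
            "permissions": {},
            "steps": [{"name": "checkout other repo",
                       "uses": "actions/checkout@<sha>",
                       "with": {"repository": "example-org/other-repo",
                                "token": "${{ secrets.MIRROR_PAT }}"}}],
        },
        "notify": {
            "permissions": {},  # fine: this job never checks anything out
            "steps": [{"name": "done", "run": "echo done"}],
        },
    },
}


def contents_access(permissions):
    """Return the contents access a permissions value grants to GITHUB_TOKEN.

    'repo-default' means no permissions key was set at either level, so the
    result depends on the repository's default token setting.
    """
    if permissions is None:
        return "repo-default"
    if permissions == "read-all":
        return "read"
    if permissions == "write-all":
        return "write"
    if isinstance(permissions, dict):
        # {} and any mapping without a contents key both leave contents at none.
        return permissions.get("contents", "none")
    raise ValueError(f"unsupported permissions value: {permissions!r}")


def checkout_without_contents_read(workflow):
    """List (job_id, step_name) for checkout steps that will fail in a private repo."""
    findings = []
    workflow_perms = workflow.get("permissions")
    for job_id, job in workflow.get("jobs", {}).items():
        # A job-level block replaces the workflow-level one entirely.
        perms = job["permissions"] if "permissions" in job else workflow_perms
        if contents_access(perms) != "none":
            continue
        for step in job.get("steps", []):
            uses = str(step.get("uses", ""))
            if uses.split("@")[0].lower() != CHECKOUT:
                continue
            inputs = step.get("with") or {}
            # An explicit token or ssh-key input bypasses GITHUB_TOKEN scopes.
            if "token" in inputs or "ssh-key" in inputs:
                continue
            findings.append((job_id, step.get("name", uses)))
    return findings


if __name__ == "__main__":
    for job_id, step_name in checkout_without_contents_read(SAMPLE_WORKFLOW):
        print(f"{job_id}: step {step_name!r} runs checkout without contents: read")
```
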

@github-actions github-actions Bot mentioned this pull request Apr 27, 2026
Development

Successfully merging this pull request may close these issues.

shared/apm.md checkout step fails in private caller repos with metadata-only token

3 participants