From 255703aac69e290ddba9949745ae3a6968df5192 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 13:49:56 +0000
Subject: [PATCH 1/2] Initial plan


From 6de50ca0b74fda075222277a1858fa2ca504c89a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 14:22:38 +0000
Subject: [PATCH 2/2] fix: add contents: read permission to APM job for private
 repo checkout

The APM job in shared/apm.md had permissions: {} which prevented
the 'Checkout workflow lock files' step from working in private repos.
Adding contents: read fixes the 'repository not found' error that
occurs when the GITHUB_TOKEN has only metadata: read scope.

Fixes: shared/apm.md checkout step fails in private caller repos

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2f08f1a3-912f-4906-ab6f-d74d297d2cd4

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/shared/apm.md         | 3 ++-
 .github/workflows/smoke-claude.lock.yml | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/shared/apm.md b/.github/workflows/shared/apm.md
index 9da9e66d112..cd875eb3360 100644
--- a/.github/workflows/shared/apm.md
+++ b/.github/workflows/shared/apm.md
@@ -32,7 +32,8 @@ jobs:
   apm:
     runs-on: ubuntu-slim
     needs: [activation]
-    permissions: {}
+    permissions:
+      contents: read
     steps:
       - name: Checkout workflow lock files
         uses: actions/checkout@v6.0.2
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index 7999dcb55c1..3806393d1d0 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -2486,7 +2486,7 @@ jobs:
     needs: activation
     runs-on: ubuntu-slim
     permissions:
-      {}
+      contents: read
 
     steps:
       - name: Configure GH_HOST for enterprise compatibility