Skip to content

Add actions: read to activation job permissions when hash check API step is emitted#24976

Merged
pelikhan merged 2 commits intomainfrom
copilot/add-actions-read-permission
Apr 7, 2026
Merged

Add actions: read to activation job permissions when hash check API step is emitted#24976
pelikhan merged 2 commits intomainfrom
copilot/add-actions-read-permission

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 6, 2026
edited
Loading

The compiled activation job fails with Error: Resource not accessible by integration because check_workflow_timestamp_api.cjs calls github.rest.actions.getWorkflowRun(), which requires actions: read — a scope absent from the activation job's permissions: block.

Changes

  • pkg/workflow/compiler_activation_job.go: Add actions: read to permsMap whenever !data.StaleCheckDisabled (the default), i.e. whenever the hash check API step is emitted: 
    // Add actions:read permission when the hash check API step is emitted.
// check_workflow_timestamp_api.cjs calls github.rest.actions.getWorkflowRun() which
// requires the actions:read scope.
if !data.StaleCheckDisabled {
    permsMap[PermissionActions] = PermissionRead
}
  • pkg/workflow/task_and_reaction_permissions_test.go: Assert actions: read is present in the activation job permissions block.
  • .github/workflows/*.lock.yml: Recompiled — all activation jobs now include actions: read.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://github.com/api/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 3023-31462/test-git rg/x/oauth2@v0.3rev-parse ache/go/1.25.8/x--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/link /usr/bin/git flow.test GO111MODULE rtcfg.link /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw scripts/**/*.js /usr/lib/git-cor--show-toplevel infocmp -1 xterm-color git-receive-pack /usr/bin/git --log-level=errogit sh /usr/bin/git git (http block)
  • https://github.com/api/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name /tmp/go-build300-p -trimpath 64/bin/go -p github.com/githu-o -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name extensions.objecGOINSECURE git 64/bin/go --show-toplevel git /usr/bin/git go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://github.com/api/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git _.a GO111MODULE 64/pkg/tool/linu--show-toplevel /usr/bin/git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel go /opt/hostedtoolcache/node/24.14.1/x64/bin/node 77/001 GO111MODULE x_amd64/compile /opt/hostedtoolcache/node/24.14.1/x64/bin/node /tmp�� github.token x_amd64/compile /usr/bin/git -json GO111MODULE x_amd64/vet git (http block)
  • https://github.com/api/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha ErrorFormatting2374227534/001 origin /usr/bin/git /tmp/go-build300git -trimpath 64/bin/go git init�� -lang=go1.25 s/test.md /tmp/go-build2706496920/b431/sliceutil.test -json GO111MODULE 64/bin/go /tmp/go-build2706496920/b431/sliceutil.test (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha 4120-45727/test-3966757746 git-receive-pack '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitmaster_branch3375676505/001'rev-parse 1/x64/bin/node "prettier" --wrigit git 64/bin/go 1/x64/bin/node -C /tmp/gh-aw-test-runs/20260406-234120-45727/test-1752220068/.github/workflows l /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://github.com/api/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha rtcfg RR0X2oXnN ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x-buildtags env 341/001/stabilit-errorsas DefaultBranchFro-ifaceassert ache/go/1.25.8/x-nilfunc GOINSECURE l/buffer GOMODCACHE ache/go/1.25.8/x-tests (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha xterm-color 64/pkg/tool/linuAdd workflow /usr/bin/git _.a GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git _.a 5-yTJqrnP /opt/hostedtoolc--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/link /usr/bin/git 6496920/b425/repgit pkg/mod/github.crev-parse 6496920/b425/imp--show-toplevel git rev-�� --show-toplevel pLtLQmmiTOziM/EvHVfoXKqPDWup4Av8qb/UKCb3IoroNOI9029NoPl/_4g12Odpconfig /usr/bin/infocmp ry=1 -trimpath Name,createdAt,s--show-toplevel infocmp (http block)
  • https://github.com/api/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha user.name Test User /usr/bin/git -json GO111MODULE x_amd64/compile git init�� GOMODCACHE x_amd64/compile /usr/bin/git -json GO111MODULE x_amd64/compile git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha GOMODCACHE resolved$ /usr/bin/git -json 8601/parse.go x_amd64/compile git rev-�� --show-toplevel x_amd64/compile /usr/bin/git -json GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git ithub/workflows K4mu/EjXw-bZiDcnrev-parse e/git-upload-pac--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuremote /usr/bin/git athSetup_GorootOgit -trimpath /opt/hostedtoolc--show-toplevel git (http block)
  • https://github.com/api/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build178330724/b239/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/text@v0.35.0/language/coverage.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE y.s env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • https://github.com/api/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha -m Test commit /usr/bin/git 345 GO111MODULE x_amd64/compile git rev-�� --show-toplevel x_amd64/compile /opt/hostedtoolcache/node/24.14.1/x64/bin/node -json GO111MODULE x_amd64/compile /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --get remote.origin.url /usr/bin/git -json GO111MODULE es/.bin/node git rev-�� --show-toplevel go /usr/bin/git repo3104850282/0git GO111MODULE 64/bin/go git (http block)
  • https://github.com/api/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha user.email test@example.com /usr/bin/git 346 GO111MODULE x_amd64/compile git conf�� user.email test@example.com /usr/bin/git -json GO111MODULE x_amd64/link git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha user.email test@example.com /usr/bin/git -json GO111MODULE ode_modules/.bin--show-toplevel git rev-�� --show-toplevel go /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
  • https://github.com/api/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha /tmp/go-build178330724/b142/_pkg_.a -trimpath /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -p golang.org/x/oaurev-parse -lang=go1.24 /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags 1/x64/bin/node -errorsas -ifaceassert -nilfunc 1/x64/bin/node (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha ithub/workflows/audit-workflows.md GOPROXY 621757/b436/vet.cfg GOSUMDB GOWORK 64/bin/go /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -errorsas -ifaceassert -nilfunc /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet (http block)
  • https://github.com/api/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel /usr/lib/git-core/git /usr/bin/git --pack_header=2,git -q /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --git-dir l /usr/bin/gh git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha --show-toplevel git-upload-pack /usr/bin/git /usr/bin/git prettier /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git image:v1.0.0 go /usr/bin/git git (http block)
  • https://github.com/api/repos/github/gh-aw
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw --jq .visibility --show-toplevel 1b0344e1df01c3b5393f388c /opt/hostedtoolcache/node/24.14.1/x64/bin/npm --show-toplevel go /usr/bin/git /opt/hostedtoolcrev-parse inst�� --package-lock-only git r: $owner, name: $name) { hasDiscussionsEnabled } } --show-toplevel go /usr/bin/git git (http block)
  • https://github.com/api/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha user.name Test User /usr/bin/git -json GO111MODULE x_amd64/compile git rev-�� --show-toplevel D8RXanEmFBss /usr/bin/git -json GO111MODULE ache/go/1.25.8/x--show-toplevel git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha user.email test@example.com om/org1/repo.git -json GO111MODULE 64/bin/go git rev-�� --show-toplevel go /usr/bin/git ub/workflows GO111MODULE ules/.bin/pretti--show-toplevel git (http block)
  • https://github.com/api/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha EOBK6ELuzyeu-LDGAhfx/EOBK6ELuzyeu-LDGAhfx -dwarf=false /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link go1.25.8 -c=4 -nolocalimports /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/link -o /tmp/go-build2706496920/b425/repoutil.test -importcfg /usr/bin/git -s -w -buildmode=exe git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --check **/*.cjs /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet **/*.json --ignore-path ../../../.pretti-v /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /opt/hostedtoolcache/node/24.14.1/x64/bin/node -errorsas -ifaceassert -nilfunc node (http block)
  • https://github.com/api/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha k/gh-aw/gh-aw/.github/workflows -parallel=4 /usr/lib/git-core/git-upload-pack -run=^Test ./... -short git-upload-pack /tmp�� 64/bin/go sh ache/node/24.14.1/x64/bin/node "prettier" --chegit node 64/bin/go git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --check **/*.cjs /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet ntent.md --ignore-path ../../../.pretti--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet -ato�� -bool -buildtags /usr/bin/git -errorsas -ifaceassert -nilfunc git (http block)
  • https://github.com/api/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name @v1.1.3/cpu/arm/arm.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a QyquJZDcH x_amd64/compile GOINSECURE 64 GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 ZW5eqtFbR 64/pkg/tool/linu-nolocalimports GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/tmp/go-build2706496920/b451/_testmain.go env 3313845585 k1Ubnk-ff x_amd64/compile GOINSECURE age/compact GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE e/git GOINSECURE GOMOD GOMODCACHE e/git env 3 GO111MODULE /opt/hostedtoolcache/node/24.14.1/x64/bin/npx GOINSECURE GOMOD GOMODCACHE npx (http block)
  • https://github.com/api/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env /workflows dAR9m3zY_ 64/pkg/tool/linux_amd64/vet GOINSECURE a20poly1305 GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a m0O72i2Jk x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ache/node/24.14.1/x64/bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://github.com/api/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env /workflows Hi02xO8a- 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuremote.origin.url (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE bug GOMODCACHE 64/pkg/tool/linutest@example.com env _.a k3aRqV4ci 64/pkg/tool/linux_amd64/link GOINSECURE ack GOMODCACHE 64/pkg/tool/linutest@example.com (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD ode-gyp-bin/node--show-toplevel go env -json GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://github.com/api/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name @v1.1.3/cpu/arm64/arm64.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env _.a GO111MODULE x_amd64/link GOINSECURE (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD bis 64/pkg/tool/linutest@example.com env 3313845585 sNGC5r73k ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE GOMOD GOMODCACHE go env '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitmaster_branch3375676505/001' '/tmp/TestParseDefaultBranchFromLsRemoteWithRealGitmaster_branch3375676505/001' ache/node/24.14.1/x64/bin/node GOINSECURE GOMOD GOMODCACHE node (http block)
  • https://github.com/api/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name @v1.1.3/cpu/x86/x86.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env til.go o x_amd64/vet GOINSECURE go-sdk/internal/rev-parse GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 rotocol/go-sdk@v1.4.1/internal/util/net.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD bis 64/pkg/tool/linuTest User env 3313845585 KjIdi_zAe ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE pguts GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE At,event,headBranch,headSha,displayTitle GOINSECURE GOMOD GOMODCACHE e/git env -json GO111MODULE /home/REDACTED/work/gh-aw/gh-aw/actions/setup/js/node_modules/.bin/node =receive GOMOD GOMODCACHE (http block)
  • https://github.com/api/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.4.1/internal/mcpgodebug/mcpgodebug.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env ility-kit.md l_test.go ache/go/1.25.8/x64/bin/go GOINSECURE GOMOD bis 64/src/reflect/asm_wasm.s (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 0/language/coverage.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a bbyq8rTOi 64/pkg/tool/linux_amd64/compile GOINSECURE go-sdk/internal/rev-parse GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE e/git GOINSECURE GOMOD GOMODCACHE e/git estP�� -json tname) /home/REDACTED/work/gh-aw/gh-aw/actions/setup/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE node (http block)
  • https://github.com/api/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name @v1.1.3/cpu/cpu.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE go-sdk/internal/rev-parse bis go (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 rotocol/go-sdk@v1.4.1/internal/jsonrpc2/conn.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a go ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE util GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm (http block)
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE e/git GOINSECURE GOMOD GOMODCACHE e/git env -json GO111MODULE /home/REDACTED/work/gh-aw/gh-aw/actions/node_modules/.bin/node GOINSECURE GOMOD GOMODCACHE node (http block)
  • https://github.com/api/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path /tmp/go-build300-p -trimpath 64/bin/go -p github.com/githu-o -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 GOMOD GOMODCACHE x_amd64/link env _.a GO111MODULE x_amd64/link GOINSECURE js_wasm.o 64/src/runtime/ruser.email x_amd64/link (http block)
  • https://github.com/api/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel gh-aw.opt.wasm gremote1 /usr/bin/git erate-action-metgit nLaxVxxol 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git 83/001/test-comp/bin/sh RG6vPflge ache/go/1.25.8/xgit-upload-pack 'origin' git (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel go /usr/bin/git 4094052780/.githgit GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel go /usr/bin/git 01/main.md GO111MODULE ache/go/1.25.8/xgit-upload-pack 'origin' git (http block)
  • https://github.com/api/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha _.a GO111MODULE x_amd64/compile GOINSECURE obyte GOMODCACHE x_amd64/compile rtcf�� -json 57OuoO-7M ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go 3756�� -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://github.com/api/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile -w -t security x_amd64/compile -nxv GOWORK 64/bin/go x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://github.com/api/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env lGitmain_branch164817401/001' lGitmain_branch164817401/001' x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE es/.bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://github.com/api/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env Gitmain_branch164817401/001' Gitmain_branch164817401/001' x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env 658397301/001 658397301/002/work 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://github.com/api/repos/githubnext/agentics/git/ref/tags/-
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/- --jq .object.sha --show-toplevel git $name) { hasDiscussionsEnabled } } /tmp/TestGuardPo/usr/bin/gh remote /usr/bin/git git rev-�� --show-toplevel git e/git GOMODCACHE go /usr/bin/git e/git (http block)
  • https://github.com/api/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha edOutput2181617741/001 GO111MODULE 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD bis 64/pkg/tool/linux_amd64/vet env 83/001/test-simple-frontmatter.md .cfg x_amd64/vet GOINSECURE GOMOD GOMODCACHE x_amd64/vet (http block)
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE ode_modules/.bin/node GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://github.com/api/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env _.a NG8R67gve ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linurev-parse (http block)
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE node /opt�� licyMinIntegrityOnlymin-integrity_with_explicit_repo1432143766/0remote.origin.url --check /opt/hostedtoolcache/go/1.25.8/x64/bin/go **/*.ts **/*.json --ignore-path go (http block)
  • https://github.com/api/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -importcfg /tmp/go-build2706496920/b410/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go -p main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
  • https://github.com/api/repos/owner/repo/contents/file.md
    • Triggering command: /tmp/go-build2706496920/b396/cli.test /tmp/go-build2706496920/b396/cli.test -test.testlogfile=/tmp/go-build2706496920/b396/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -importcfg /tmp/go-build178330724/b220/importcfg -pack /home/REDACTED/go/pkg/mod/golang.org/x/sys@v0.42.0/cpu/byteorder.go -o /tmp/go-build300-p -trimpath 64/bin/go -p github.com/githu-o -lang=go1.25 go (http block)
    • Triggering command: /tmp/go-build219621757/b396/cli.test /tmp/go-build219621757/b396/cli.test -test.testlogfile=/tmp/go-build219621757/b396/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true --show-toplevel git /usr/bin/git go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • https://github.com/api/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name /tmp/go-build300-p -trimpath 64/bin/go -p main -lang=go1.25 go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD e_wasm.s go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --porcelain git 64/bin/go --show-toplevel git /usr/bin/git go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 6, 2026 that may be closed by this pull request
[plan] Add actions: read permission to activation job when hash check API step is emitted #24972
Closed
4 tasks
@pelikhan
fix: add actions:read permission to activation job when hash check AP…
aa50846 
…I step is emitted

The check_workflow_timestamp_api.cjs step calls github.rest.actions.getWorkflowRun()
which requires the actions:read permission scope. Since GitHub Actions enforces explicit
permissions when any permissions block is present, we must add actions:read explicitly
to the activation job's permissions when the stale check is enabled (the default).

Fixes: #24949

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/2a5f1d95-d907-48d2-8648-343e1b132671

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add actions: read permission to activation job Add actions: read to activation job permissions when hash check API step is emitted Apr 6, 2026
Copilot AI requested a review from pelikhan April 6, 2026 23:47
@pelikhan pelikhan marked this pull request as ready for review April 7, 2026 00:25
Copilot AI review requested due to automatic review settings April 7, 2026 00:25
@pelikhan pelikhan merged commit d7bd4dc into main Apr 7, 2026
59 of 64 checks passed
@pelikhan pelikhan deleted the copilot/add-actions-read-permission branch April 7, 2026 00:26
Copilot AI reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds the missing actions: read job permission to activation jobs when the stale/hash-check API step (check_workflow_timestamp_api.cjs) is emitted, resolving Resource not accessible by integration errors from github.rest.actions.getWorkflowRun().

Changes:

  • Update activation job permission generation to include actions: read when stale-check is enabled (default).
  • Extend permissions test coverage to assert actions: read is present in activation job permissions.
  • Recompile workflow lock files so activation jobs include actions: read.
Show a summary per file
File Description
pkg/workflow/compiler_activation_job.go Conditionally adds actions: read to activation job permissions when the stale/hash-check GitHub API step is included.
pkg/workflow/task_and_reaction_permissions_test.go Adds assertion that activation job permissions include actions: read.
.github/workflows/workflow-skill-extractor.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/workflow-normalizer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/workflow-health-manager.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/workflow-generator.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/weekly-issue-summary.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/weekly-editors-health-check.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/weekly-blog-post-writer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/video-analyzer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/update-astro.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/unbloat-docs.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/ubuntu-image-analyzer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/typist.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/tidy.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/test-workflow.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/test-project-url-default.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/test-dispatcher.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/test-create-pr-error-handling.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/terminal-stylist.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/technical-doc-writer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/super-linter.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/sub-issue-closer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/step-name-alignment.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/static-analysis-report.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/stale-repo-identifier.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-workflow-call.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-workflow-call-with-inputs.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-update-cross-repo-pr.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-test-tools.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-temporary-id.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-service-ports.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-project.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-multi-pr.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-gemini.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-create-cross-repo-pr.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-copilot.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-copilot-arm.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-codex.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-claude.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-call-workflow.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-agent-scoped-approved.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-agent-public-none.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-agent-public-approved.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-agent-all-none.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/smoke-agent-all-merged.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/slide-deck-maintainer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/sergo.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/semantic-function-refactor.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/security-review.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/security-compliance.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/scout.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/schema-feature-coverage.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/schema-consistency-checker.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/safe-output-health.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/research.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/repository-quality-improver.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/repo-tree-map.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/repo-audit-analyzer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/release.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/refiner.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/q.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/python-data-charts.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/prompt-clustering-analysis.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/pr-triage-agent.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/pr-nitpick-reviewer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/portfolio-analyst.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/poem-bot.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/plan.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/pdf-summary.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/org-health-report.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/notion-issue-summary.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/metrics-collector.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/mergefest.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/mcp-inspector.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/lockfile-stats.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/layout-spec-maintainer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/jsweep.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/issue-triage-agent.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/issue-monster.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/issue-arborist.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/instructions-janitor.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/hourly-ci-cleaner.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/grumpy-reviewer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/gpclean.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/go-pattern-detector.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/go-logger.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/go-fan.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/glossary-maintainer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/github-remote-mcp-auth-test.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/github-mcp-tools-report.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/github-mcp-structural-analysis.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/functional-pragmatist.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/firewall.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/firewall-escape.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/example-workflow-analyzer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/example-permissions-warning.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/duplicate-code-detector.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/draft-pr-cleanup.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/docs-noob-tester.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/discussion-task-miner.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/dictation-prompt.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/developer-docs-consolidator.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/dev.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/dev-hawk.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/dependabot-go-checker.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/dependabot-burner.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/delight.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/deep-report.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/dead-code-remover.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-workflow-updater.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-testify-uber-super-expert.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-team-status.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-team-evolution-insights.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-syntax-error-quality.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-semgrep-scan.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-security-red-team.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-secrets-analysis.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-safe-outputs-conformance.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-safe-output-optimizer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-safe-output-integrator.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-repo-chronicle.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-rendering-scripts-verifier.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-regulatory.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-performance-summary.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-otel-instrumentation-advisor.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-observability-report.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-news.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-multi-device-docs-tester.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-mcp-concurrency-analysis.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-malicious-code-scan.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-issues-report.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-integrity-analysis.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-function-namer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-firewall-report.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-file-diet.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-fact.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-doc-updater.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-doc-healer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-compiler-quality.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-community-attribution.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-code-metrics.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-cli-tools-tester.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-cli-performance.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-choice-test.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-assign-issue-to-user.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/daily-architecture-diagram.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/craft.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/copilot-token-optimizer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/copilot-token-audit.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/copilot-session-insights.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/copilot-pr-prompt-analysis.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/copilot-pr-nlp-analysis.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/copilot-pr-merged-report.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/copilot-cli-deep-research.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/copilot-agent-analysis.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/contribution-check.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/constraint-solving-potd.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/commit-changes-analyzer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/codex-github-remote-mcp-test.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/code-simplifier.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/code-scanning-fixer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/cloclo.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/cli-version-checker.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/cli-consistency-checker.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/claude-code-user-docs-review.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/ci-doctor.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/ci-coach.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/changeset.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/breaking-change-checker.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/brave.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/bot-detection.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/blog-auditor.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/auto-triage-issues.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/audit-workflows.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/artifacts-summary.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/archie.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/api-consumption-report.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/ai-moderator.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/agentic-observability-kit.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/agent-persona-explorer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/agent-performance-analyzer.lock.yml Recompiled activation job now includes actions: read.
.github/workflows/ace-editor.lock.yml Recompiled activation job now includes actions: read.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 184/184 changed files
  • Comments generated: 0

This was referenced Apr 7, 2026
Closed
Closed
Closed
@bbonafed bbonafed mentioned this pull request Apr 10, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[plan] Add actions: read permission to activation job when hash check API step is emitted

3 participants

@pelikhan