Skip to content

Compiler: auto-grant pull-requests:read to pre_activation for decentralized label_command on pull_request events#44282

Merged
pelikhan merged 5 commits into
mainfrom
copilot/fix-pull-requests-permissions
Jul 8, 2026
Merged

Compiler: auto-grant pull-requests:read to pre_activation for decentralized label_command on pull_request events#44282
pelikhan merged 5 commits into
mainfrom
copilot/fix-pull-requests-permissions

Conversation

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

When label_command uses strategy: decentralized with pull_request events, the compiled pre_activation job inherited the workflow-level permissions: {} (empty), causing check_membership.cjs to receive HTTP 403 on GET /repos/{owner}/{repo}/pulls/{number} — the call it makes to verify PR provenance. This silently skipped all downstream jobs.

Changes

  • pkg/workflow/compiler_pre_activation_job.go — In buildPreActivationPermissions, auto-set pull-requests: read when LabelCommandDecentralized is true and the effective label command events include pull_request (covers both explicit events: [pull_request] and the default all-events case).

  • pkg/workflow/label_command_test.go — Added TestLabelCommandDecentralizedPreActivationPullRequestsReadPermission asserting the generated pre_activation job contains pull-requests: read for the affected configuration.

  • 5 workflow lock files recompiledci-doctor, approach-validator, cloclo, dev, necromancer (all use decentralized label_command with pull_request events).

Before / After

# Before — pre_activation job had no permissions block
pre_activation:
  runs-on: ubuntu-slim
  # (no permissions:)

# After
pre_activation:
  runs-on: ubuntu-slim
  permissions:
    pull-requests: read

The existing workaround (on.permissions: { pull-requests: read } in frontmatter) continues to work — the new auto-grant merges with any OnPermissions already declared.

Copilot AI and others added 2 commits July 8, 2026 12:12
…ation

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…d label_command on pull_request events

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix compiler to auto-grant pull-requests:read for pre_activation job Compiler: auto-grant pull-requests:read to pre_activation for decentralized label_command on pull_request events Jul 8, 2026
Copilot AI requested a review from pelikhan July 8, 2026 12:24
@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category bug
Risk 🟡 medium
Score 60 / 100
Recommended action fast_track

Score breakdown: Impact 28 + Urgency 18 + Quality 14

Assessment: Fixes silent job-skip when label_command: decentralized is used on pull_request events — 403 on GET /pulls/{number} caused all downstream jobs to silently not run. Targeted compiler fix + test. Draft — needs undraft.

Next step: Author to undraft, confirm CI, then fast-track.

Generated by 🔧 PR Triage Agent · 64.6 AIC · ⌖ 20.4 AIC · ⊞ 5.4K ·

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the gh-aw workflow compiler so that workflows using label_command with strategy: decentralized on pull_request events automatically grant pull-requests: read to the compiled pre_activation job, preventing 403s in the PR provenance check and avoiding silent downstream job skips.

Changes:

  • Compiler: auto-add pull-requests: read to pre_activation when decentralized label_command includes pull_request.
  • Tests: add coverage asserting the generated pre_activation permissions contain pull-requests: read for that configuration.
  • Recompiled multiple generated workflow lock files (including the decentralized label-command workflows noted in the PR description).
Show a summary per file
File Description
pkg/workflow/compiler_pre_activation_job.go Auto-grants pull-requests: read in pre_activation for decentralized label_command workflows that include pull_request events.
pkg/workflow/label_command_test.go Adds a regression test asserting pre_activation includes pull-requests: read for decentralized label_command with pull_request.
.github/workflows/workflow-generator.lock.yml Recompiled lock file (also contains additional generated step changes).
.github/workflows/weekly-safe-outputs-spec-review.lock.yml Recompiled lock file (also contains additional generated step changes).
.github/workflows/weekly-issue-summary.lock.yml Recompiled lock file (generated content updates).
.github/workflows/weekly-blog-post-writer.lock.yml Recompiled lock file (generated content updates).
.github/workflows/stale-repo-identifier.lock.yml Recompiled lock file (generated content updates).
.github/workflows/smoke-copilot.lock.yml Recompiled lock file (generated content updates).
.github/workflows/smoke-copilot-aoai-entra.lock.yml Recompiled lock file (generated content updates).
.github/workflows/smoke-copilot-aoai-apikey.lock.yml Recompiled lock file (generated content updates).
.github/workflows/smoke-agent-scoped-approved.lock.yml Recompiled lock file (generated content updates).
.github/workflows/smoke-agent-public-none.lock.yml Recompiled lock file (generated content updates).
.github/workflows/smoke-agent-public-approved.lock.yml Recompiled lock file (generated content updates).
.github/workflows/smoke-agent-all-none.lock.yml Recompiled lock file (generated content updates).
.github/workflows/smoke-agent-all-merged.lock.yml Recompiled lock file (generated content updates).
.github/workflows/skillet.lock.yml Recompiled lock file (generated content updates).
.github/workflows/security-review.lock.yml Recompiled lock file (generated content updates).
.github/workflows/scout.lock.yml Recompiled lock file (generated content updates).
.github/workflows/refiner.lock.yml Recompiled lock file (generated content updates).
.github/workflows/q.lock.yml Recompiled lock file (generated content updates).
.github/workflows/pr-triage-agent.lock.yml Recompiled lock file (generated content updates).
.github/workflows/pr-sous-chef.lock.yml Recompiled lock file (generated content updates).
.github/workflows/pr-nitpick-reviewer.lock.yml Recompiled lock file (generated content updates).
.github/workflows/pr-code-quality-reviewer.lock.yml Recompiled lock file (generated content updates).
.github/workflows/plan.lock.yml Recompiled lock file (generated content updates).
.github/workflows/org-health-report.lock.yml Recompiled lock file (generated content updates).
.github/workflows/necromancer.lock.yml Recompiled lock file (adds pull-requests: read to pre_activation).
.github/workflows/mattpocock-skills-reviewer.lock.yml Recompiled lock file (generated content updates).
.github/workflows/issue-triage-agent.lock.yml Recompiled lock file (generated content updates).
.github/workflows/issue-monster.lock.yml Recompiled lock file (generated content updates).
.github/workflows/issue-arborist.lock.yml Recompiled lock file (generated content updates).
.github/workflows/impeccable-skills-reviewer.lock.yml Recompiled lock file (generated content updates).
.github/workflows/grumpy-reviewer.lock.yml Recompiled lock file (generated content updates).
.github/workflows/discussion-task-miner.lock.yml Recompiled lock file (generated content updates).
.github/workflows/dev.lock.yml Recompiled lock file (adds pull-requests: read to pre_activation).
.github/workflows/dataflow-pr-discussion-dataset.lock.yml Recompiled lock file (generated content updates).
.github/workflows/daily-team-status.lock.yml Recompiled lock file (generated content updates).
.github/workflows/daily-issues-report.lock.yml Recompiled lock file (generated content updates).
.github/workflows/daily-doc-updater.lock.yml Recompiled lock file (generated content updates).
.github/workflows/daily-agent-of-the-day-blog-writer.lock.yml Recompiled lock file (generated content updates).
.github/workflows/contribution-check.lock.yml Recompiled lock file (generated content updates).
.github/workflows/cloclo.lock.yml Recompiled lock file (adds pull-requests: read to pre_activation).
.github/workflows/ci-doctor.lock.yml Recompiled lock file (adds pull-requests: read to pre_activation).
.github/workflows/auto-triage-issues.lock.yml Recompiled lock file (generated content updates).
.github/workflows/approach-validator.lock.yml Recompiled lock file (adds pull-requests: read to pre_activation).
.github/workflows/ai-moderator.lock.yml Recompiled lock file (generated content updates).

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 46/46 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment on lines 546 to 548
- name: Install AWF binary
run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9)
env:
GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
GH_AW_GITHUB_MIN_INTEGRITY: 'approved'
with:
script: |
const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Parse integrity filter lists
Comment on lines 512 to 514
- name: Install AWF binary
run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless
- name: Determine automatic lockdown mode for GitHub MCP Server
id: determine-automatic-lockdown
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9)
env:
GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }}
GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }}
GH_AW_GITHUB_MIN_INTEGRITY: 'approved'
with:
script: |
const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs');
await determineAutomaticLockdown(github, context, core);
- name: Parse integrity filter lists
@pelikhan

pelikhan commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

@copilot run pr-finisher skill

… step

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

@copilot run pr-finisher skill

Fixed in 71c7e85. The reviewer-flagged issue (missing determine-automatic-lockdown step referenced in workflow-generator.lock.yml and weekly-safe-outputs-spec-review.lock.yml) was caused by those lock files being compiled with an older compiler version that didn't yet emit that step. Running make recompile after the merge from main (which updated compiler_github_mcp_steps.go) regenerated all 39 affected lock files with the step correctly in place. Local validation passes: make fmt, make test-unit, and make agent-report-progress all green.

@pelikhan pelikhan merged commit b3a396d into main Jul 8, 2026
29 checks passed
@pelikhan pelikhan deleted the copilot/fix-pull-requests-permissions branch July 8, 2026 13:59
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.7

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Compiler should auto-grant pull-requests:read to pre_activation for decentralized label_command on pull_request events

3 participants