Compiler: auto-grant pull-requests:read to pre_activation for decentralized label_command on pull_request events#44282
Conversation
…ation Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…d label_command on pull_request events Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
🤖 PR Triage
Score breakdown: Impact 28 + Urgency 18 + Quality 14 Assessment: Fixes silent job-skip when Next step: Author to undraft, confirm CI, then fast-track.
|
There was a problem hiding this comment.
Pull request overview
This PR updates the gh-aw workflow compiler so that workflows using label_command with strategy: decentralized on pull_request events automatically grant pull-requests: read to the compiled pre_activation job, preventing 403s in the PR provenance check and avoiding silent downstream job skips.
Changes:
- Compiler: auto-add
pull-requests: readtopre_activationwhen decentralizedlabel_commandincludespull_request. - Tests: add coverage asserting the generated
pre_activationpermissions containpull-requests: readfor that configuration. - Recompiled multiple generated workflow lock files (including the decentralized label-command workflows noted in the PR description).
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/compiler_pre_activation_job.go | Auto-grants pull-requests: read in pre_activation for decentralized label_command workflows that include pull_request events. |
| pkg/workflow/label_command_test.go | Adds a regression test asserting pre_activation includes pull-requests: read for decentralized label_command with pull_request. |
| .github/workflows/workflow-generator.lock.yml | Recompiled lock file (also contains additional generated step changes). |
| .github/workflows/weekly-safe-outputs-spec-review.lock.yml | Recompiled lock file (also contains additional generated step changes). |
| .github/workflows/weekly-issue-summary.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/weekly-blog-post-writer.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/stale-repo-identifier.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/smoke-copilot.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/smoke-copilot-aoai-entra.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/smoke-copilot-aoai-apikey.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/smoke-agent-scoped-approved.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/smoke-agent-public-none.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/smoke-agent-public-approved.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/smoke-agent-all-none.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/smoke-agent-all-merged.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/skillet.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/security-review.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/scout.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/refiner.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/q.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/pr-triage-agent.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/pr-sous-chef.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/pr-nitpick-reviewer.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/pr-code-quality-reviewer.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/plan.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/org-health-report.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/necromancer.lock.yml | Recompiled lock file (adds pull-requests: read to pre_activation). |
| .github/workflows/mattpocock-skills-reviewer.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/issue-triage-agent.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/issue-monster.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/issue-arborist.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/impeccable-skills-reviewer.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/grumpy-reviewer.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/discussion-task-miner.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/dev.lock.yml | Recompiled lock file (adds pull-requests: read to pre_activation). |
| .github/workflows/dataflow-pr-discussion-dataset.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/daily-team-status.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/daily-issues-report.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/daily-doc-updater.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/daily-agent-of-the-day-blog-writer.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/contribution-check.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/cloclo.lock.yml | Recompiled lock file (adds pull-requests: read to pre_activation). |
| .github/workflows/ci-doctor.lock.yml | Recompiled lock file (adds pull-requests: read to pre_activation). |
| .github/workflows/auto-triage-issues.lock.yml | Recompiled lock file (generated content updates). |
| .github/workflows/approach-validator.lock.yml | Recompiled lock file (adds pull-requests: read to pre_activation). |
| .github/workflows/ai-moderator.lock.yml | Recompiled lock file (generated content updates). |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 46/46 changed files
- Comments generated: 2
- Review effort level: Low
| - name: Install AWF binary | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless | ||
| - name: Determine automatic lockdown mode for GitHub MCP Server | ||
| id: determine-automatic-lockdown | ||
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) | ||
| env: | ||
| GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} | ||
| GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} | ||
| GH_AW_GITHUB_MIN_INTEGRITY: 'approved' | ||
| with: | ||
| script: | | ||
| const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); | ||
| await determineAutomaticLockdown(github, context, core); | ||
| - name: Parse integrity filter lists |
| - name: Install AWF binary | ||
| run: bash "${RUNNER_TEMP}/gh-aw/actions/install_awf_binary.sh" v0.27.27 --rootless | ||
| - name: Determine automatic lockdown mode for GitHub MCP Server | ||
| id: determine-automatic-lockdown | ||
| uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0 (source v9) | ||
| env: | ||
| GH_AW_GITHUB_TOKEN: ${{ secrets.GH_AW_GITHUB_TOKEN }} | ||
| GH_AW_GITHUB_MCP_SERVER_TOKEN: ${{ secrets.GH_AW_GITHUB_MCP_SERVER_TOKEN }} | ||
| GH_AW_GITHUB_MIN_INTEGRITY: 'approved' | ||
| with: | ||
| script: | | ||
| const determineAutomaticLockdown = require('${{ runner.temp }}/gh-aw/actions/determine_automatic_lockdown.cjs'); | ||
| await determineAutomaticLockdown(github, context, core); | ||
| - name: Parse integrity filter lists |
|
@copilot run pr-finisher skill |
… step Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Fixed in 71c7e85. The reviewer-flagged issue (missing |
|
🎉 This pull request is included in a new release. Release: |
When
label_commandusesstrategy: decentralizedwithpull_requestevents, the compiledpre_activationjob inherited the workflow-levelpermissions: {}(empty), causingcheck_membership.cjsto receive HTTP 403 onGET /repos/{owner}/{repo}/pulls/{number}— the call it makes to verify PR provenance. This silently skipped all downstream jobs.Changes
pkg/workflow/compiler_pre_activation_job.go— InbuildPreActivationPermissions, auto-setpull-requests: readwhenLabelCommandDecentralizedis true and the effective label command events includepull_request(covers both explicitevents: [pull_request]and the default all-events case).pkg/workflow/label_command_test.go— AddedTestLabelCommandDecentralizedPreActivationPullRequestsReadPermissionasserting the generatedpre_activationjob containspull-requests: readfor the affected configuration.5 workflow lock files recompiled —
ci-doctor,approach-validator,cloclo,dev,necromancer(all use decentralized label_command with pull_request events).Before / After
The existing workaround (
on.permissions: { pull-requests: read }in frontmatter) continues to work — the new auto-grant merges with anyOnPermissionsalready declared.