
fix: add pull-requests:write to safe_outputs job for add-comment#18318

Merged
pelikhan merged 3 commits intomainfrom
copilot/fix-safe-outputs-job-permissions
Feb 25, 2026

Conversation


Copilot AI commented Feb 25, 2026

add-comment can target both issues and pull requests, but the compiler only emitted issues: write — causing "Resource not accessible by integration" when posting comments on PRs.

Changes

  • New issues and pull-requests fields on add-comment — control permission emission and event condition targeting. Both default to true.
  • discussions remains true by default — set discussions: false to opt out if your GitHub App lacks Discussions permission.
  • Dynamic job condition — event trigger condition reflects which target types are enabled (github.event.issue.number || github.event.pull_request.number || github.event.discussion.number).
  • Shared buildAddCommentPermissions() helper — used by both the dedicated add_comment job builder and ComputePermissionsForSafeOutputs.
safe-outputs:
  add-comment:
    max: 3
    # New fields (all optional, all default to true):
    issues: true          # emits issues:write, adds issue event check
    pull-requests: true   # emits pull-requests:write, adds PR event check
    discussions: true     # emits discussions:write, adds discussion event check

Generated safe_outputs permissions now include pull-requests: write by default:

safe_outputs:
  permissions:
    contents: read
    discussions: write
    issues: write
    pull-requests: write   # was missing before this fix

All 158 workflow lock files recompiled — updated to include pull-requests: write alongside issues: write and discussions: write.

Original prompt

This section details the original issue you should resolve

<issue_title>gh aw compile does not add pull-requests: write to safe_outputs job when add-comment is configured</issue_title>
<issue_description>## Bug

When a workflow defines safe-outputs: add-comment, gh aw compile generates the safe_outputs job with issues: write but not pull-requests: write. This causes the safe-output to fail with:

Resource not accessible by integration

when the agent tries to post a comment on a pull request.

Repro

Workflow frontmatter:

permissions:
  contents: read
  actions: read
  issues: read
  pull-requests: read

safe-outputs:
  add-comment:
    max: 3

Compiled lock file safe_outputs job permissions:

safe_outputs:
    permissions:
      contents: read
      discussions: write
      issues: write
      # pull-requests: write  <-- MISSING

Expected

The compiler should add pull-requests: write to the safe_outputs job since add-comment can target both issues and pull requests.

Workaround

Manually edit the lock file to add pull-requests: write to the safe_outputs job permissions after compiling.

Example failure

https://github.com/ViktorHofer/msbuild-s1/actions/runs/22392168067 (safe_outputs job, "Process Safe Outputs" step)</issue_description>

Comments on the Issue (you are @copilot in this section)

@pelikhan Add support to disable target types in safe output add-comment.

safe_outputs:
  issues: false
  pull-requests: false
  discussions: false # already exists

Each field controls the emission of the permission field and the ability to target those entities.

Default is issues: true, pull-requests: true, discussions: false
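Added example, not code from the gh-aw project: a small Go model of the permission and event-condition emission the PR description explains, with the "nil or true means enabled" default that the later commit settles on. The AddCommentConfig type, the enabled and renderPermissions helpers, the boolPtr helper, and the "false" condition emitted when every target is disabled are assumptions made for this illustration; buildAddCommentPermissions here is a stand-in with an assumed signature, not the project's helper, and contents: read is included only because the lock output shown on the page carries it.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AddCommentConfig is a hypothetical stand-in for the add-comment config.
// Each target type is a pointer so that an omitted field (nil) reads as true.
type AddCommentConfig struct {
	Max          int
	Issues       *bool
	PullRequests *bool
	Discussions  *bool
}

// enabled implements the "nil or true -> enabled" rule.
func enabled(v *bool) bool { return v == nil || *v }

// buildAddCommentPermissions returns the scopes the safe_outputs job needs,
// keyed by scope name. A disabled target contributes no write scope at all,
// so the job token never carries a permission the job cannot use.
func buildAddCommentPermissions(cfg AddCommentConfig) map[string]string {
	perms := map[string]string{"contents": "read"} // present in the page's lock output
	if enabled(cfg.Issues) {
		perms["issues"] = "write"
	}
	if enabled(cfg.PullRequests) {
		perms["pull-requests"] = "write"
	}
	if enabled(cfg.Discussions) {
		perms["discussions"] = "write"
	}
	return perms
}

// buildAddCommentCondition builds the job-level expression that gates the job
// on the triggering event carrying one of the enabled target types.
func buildAddCommentCondition(cfg AddCommentConfig) string {
	var parts []string
	if enabled(cfg.Issues) {
		parts = append(parts, "github.event.issue.number")
	}
	if enabled(cfg.PullRequests) {
		parts = append(parts, "github.event.pull_request.number")
	}
	if enabled(cfg.Discussions) {
		parts = append(parts, "github.event.discussion.number")
	}
	if len(parts) == 0 {
		return "false" // assumption: nothing to target, so the job never runs
	}
	return strings.Join(parts, " || ")
}

// renderPermissions emits a YAML permissions block in sorted key order so the
// output is stable across recompiles.
func renderPermissions(perms map[string]string) string {
	keys := make([]string, 0, len(perms))
	for k := range perms {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var b strings.Builder
	b.WriteString("permissions:\n")
	for _, k := range keys {
		fmt.Fprintf(&b, "  %s: %s\n", k, perms[k])
	}
	return b.String()
}

func boolPtr(v bool) *bool { return &v }

func main() {
	// Default: all three targets enabled, matching the fixed lock output.
	fmt.Print(renderPermissions(buildAddCommentPermissions(AddCommentConfig{Max: 3})))
	// Opting out of discussions drops both the scope and the event check.
	optOut := AddCommentConfig{Max: 3, Discussions: boolPtr(false)}
	fmt.Print(renderPermissions(buildAddCommentPermissions(optOut)))
	fmt.Println("if:", buildAddCommentCondition(optOut))
}
```

Tying the scope and the event condition to the same flag is the useful property here: a workflow that disables pull-requests neither receives pull-requests: write nor runs on pull request events, so the compiled job stays at the least privilege its configuration actually needs.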



…configured

- Add Issues and PullRequests fields to AddCommentsConfig struct
- Default: issues=true (issues:write), pull-requests=true (pull-requests:write), discussions=false (no discussions:write)
- Update buildCreateOutputAddCommentJob to use dynamic permissions and conditions
- Add buildAddCommentPermissions helper shared by job builder and permissions calculator
- Update ComputePermissionsForSafeOutputs to use the new helper
- Update JSON schema with issues and pull-requests boolean properties
- Update tests to reflect new default behavior
- Recompile all workflow lock files

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix safe_outputs job permissions for pull-requests fix: add pull-requests:write to safe_outputs job for add-comment Feb 25, 2026
@pelikhan

@copilot enable discussion: true by default

Change discussions default from false back to true (nil = true).
Now all three target types default to true:
- issues: nil or true → issues:write
- pull-requests: nil or true → pull-requests:write
- discussions: nil or true → discussions:write

Set any field to false to opt out of that permission/event condition.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI commented Feb 25, 2026

@copilot enable discussion: true by default

Done in 38ab344. discussions now defaults to true — all three target types (issues, pull-requests, discussions) default to enabled. Set any to false to opt out of that permission and event condition.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
    • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw gMNAuYbwM68V (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/11bd71901bbe5b1630ceea73d27597364c9af683 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v7
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v7 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/4dc6199c7b1a012772edbd06daecab0f50c9053c --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v6 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build1232127719/b001/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/cmd/gh-aw/main.go (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha (http block)
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq .object.sha -c=4 -nolocalimports -importcfg /tmp/go-build1232127719/b334/importcfg -embedcfg /tmp/go-build1232127719/b334/embedcfg -pack (http block)
  • https://api.github.com/repos/anchore/sbom-action/git/ref/tags/v0
    • Triggering command: /usr/bin/gh gh api /repos/anchore/sbom-action/git/ref/tags/v0 --jq .object.sha (http block)
  • https://api.github.com/repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b
    • Triggering command: /usr/bin/gh gh api /repos/astral-sh/setup-uv/git/ref/tags/eac588ad8def6316056a12d4907a9d4d84ff7a3b --jq .object.sha (http block)
  • https://api.github.com/repos/docker/build-push-action/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/docker/build-push-action/git/ref/tags/v6 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/metadata-action/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/docker/metadata-action/git/ref/tags/v5 --jq .object.sha (http block)
  • https://api.github.com/repos/docker/setup-buildx-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/setup-buildx-action/git/ref/tags/v3 --jq .object.sha (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/a70c5eada06553e3510ac27f2c3bda9d3705bccb --jq .object.sha (http block)
  • https://api.github.com/repos/githubnext/agentics/git/ref/tags/
    • Triggering command: /usr/bin/gh gh api /repos/githubnext/agentics/git/ref/tags/# --jq .object.sha (http block)

If you need me to access, download, or install something from one of these locations, you can either:

@pelikhan pelikhan marked this pull request as ready for review February 25, 2026 12:28
Copilot AI review requested due to automatic review settings February 25, 2026 12:28
@pelikhan pelikhan merged commit 92baa35 into main Feb 25, 2026
101 of 103 checks passed
@pelikhan pelikhan deleted the copilot/fix-safe-outputs-job-permissions branch February 25, 2026 12:29
Copilot AI left a comment

Pull request overview

This pull request fixes a bug where the compiler only emitted issues: write permission for safe_outputs jobs with add-comment configured, causing "Resource not accessible by integration" errors when posting comments on pull requests.

Changes:

  • Added configurable issues, pull-requests, and discussions fields to the add-comment configuration (all default to true)
  • Created shared buildAddCommentPermissions() helper function used by both the dedicated job builder and ComputePermissionsForSafeOutputs
  • Implemented dynamic event condition building that reflects which target types are enabled

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated no comments.

Summary per file:

  • pkg/workflow/add_comment.go: Added new configurable fields (Issues, PullRequests, Discussions), created buildAddCommentPermissions() helper, and updated event condition building logic to be dynamic based on enabled target types
  • pkg/workflow/safe_outputs_permissions.go: Refactored to use the new shared buildAddCommentPermissions() helper instead of inline permission logic
  • pkg/workflow/safe_outputs_permissions_test.go: Added comprehensive test coverage for all permission combinations (default, discussions:true/false, pull-requests:false, issues:false)
  • pkg/parser/schemas/main_workflow_schema.json: Added schema definitions for the three new boolean fields with proper descriptions
  • .github/workflows/*.lock.yml: All 158 workflow lock files recompiled to include pull-requests: write permission in safe_outputs jobs


@github-actions

Smoke Test: Gemini Engine Validation

  • GitHub MCP: ✅
  • Web Fetch: ✅
  • File Write: ✅
  • Bash: ✅
  • Build: ❌ (Failed to download go1.25.0: server gave HTTP response to HTTPS client)

Overall Status: FAIL

Smoke Gemini — Powered by Gemini

Development

Successfully merging this pull request may close these issues.

gh aw compile does not add pull-requests: write to safe_outputs job when add-comment is configured