From b4481eb06dbe376481aef9b5cc817b70b6a1477a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 27 Oct 2025 23:37:55 +0000 Subject: [PATCH 1/3] Initial plan From fcda0a03f5f05ba0cdfdc62d7ed1afd8d08c1da7 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 27 Oct 2025 23:52:58 +0000 Subject: [PATCH 2/3] Update detection job permissions to minimal (metadata read only) Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/artifacts-summary.lock.yml | 1 - .github/workflows/audit-workflows.lock.yml | 1 - .github/workflows/blog-auditor.lock.yml | 1 - .github/workflows/brave.lock.yml | 1 - .github/workflows/changeset-generator.firewall.lock.yml | 1 - .github/workflows/ci-doctor.lock.yml | 1 - .github/workflows/cli-version-checker.lock.yml | 1 - .github/workflows/commit-changes-analyzer.lock.yml | 1 - .github/workflows/copilot-agent-analysis.lock.yml | 1 - .github/workflows/daily-doc-updater.lock.yml | 1 - .github/workflows/daily-firewall-report.lock.yml | 1 - .github/workflows/daily-news.lock.yml | 1 - .github/workflows/daily-perf-improver.lock.yml | 1 - .github/workflows/daily-repo-chronicle.lock.yml | 1 - .github/workflows/daily-test-improver.lock.yml | 1 - .github/workflows/dev-hawk.lock.yml | 1 - .github/workflows/dev.lock.yml | 1 - .github/workflows/dictation-prompt.lock.yml | 1 - .github/workflows/duplicate-code-detector.lock.yml | 1 - .github/workflows/example-workflow-analyzer.lock.yml | 1 - .github/workflows/github-mcp-tools-report.lock.yml | 1 - .github/workflows/go-logger.lock.yml | 1 - .github/workflows/go-pattern-detector.lock.yml | 1 - .github/workflows/instructions-janitor.lock.yml | 1 - .github/workflows/issue-classifier.lock.yml | 1 - .github/workflows/lockfile-stats.lock.yml | 1 - .github/workflows/mcp-inspector.lock.yml | 1 - .github/workflows/mergefest.lock.yml | 1 - .github/workflows/pdf-summary.lock.yml | 1 - .github/workflows/plan.lock.yml | 1 - .github/workflows/poem-bot.lock.yml | 1 - .github/workflows/q.lock.yml | 1 - .github/workflows/repo-tree-map.lock.yml | 1 - .github/workflows/research.lock.yml | 1 - .github/workflows/safe-output-health.lock.yml | 1 - 
.github/workflows/schema-consistency-checker.lock.yml | 1 - .github/workflows/scout.lock.yml | 1 - .github/workflows/security-fix-pr.lock.yml | 1 - .github/workflows/semantic-function-refactor.lock.yml | 1 - .github/workflows/smoke-claude.lock.yml | 1 - .github/workflows/smoke-codex.lock.yml | 1 - .github/workflows/smoke-copilot.firewall.lock.yml | 1 - .github/workflows/smoke-copilot.lock.yml | 1 - .github/workflows/smoke-detector.lock.yml | 1 - .github/workflows/smoke-opencode.lock.yml | 1 - .github/workflows/technical-doc-writer.lock.yml | 1 - .github/workflows/tidy.lock.yml | 1 - .github/workflows/unbloat-docs.lock.yml | 1 - .github/workflows/video-analyzer.lock.yml | 1 - .github/workflows/weekly-issue-summary.lock.yml | 1 - pkg/workflow/threat_detection.go | 2 +- pkg/workflow/threat_detection_test.go | 4 ++-- 52 files changed, 3 insertions(+), 53 deletions(-) diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index b344c4985d0..5209c0dbbc4 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -4040,7 +4040,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index 0a086c25f19..b7d4ffccb65 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -3695,7 +3695,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 24280a8af0d..4670481804d 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml 
@@ -3604,7 +3604,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 73c27140436..6bc229ad322 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -4299,7 +4299,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/changeset-generator.firewall.lock.yml b/.github/workflows/changeset-generator.firewall.lock.yml index 12f7920e508..7174d181f0c 100644 --- a/.github/workflows/changeset-generator.firewall.lock.yml +++ b/.github/workflows/changeset-generator.firewall.lock.yml @@ -4465,7 +4465,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index d99d5eab0d2..f99fd780e9f 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -4175,7 +4175,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index dae9b80635c..20b0cd041bd 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -3894,7 +3894,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 788fe065b06..4654dd7fcb2 100644 
--- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -3461,7 +3461,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index 3738a69d242..ccce2898777 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -3791,7 +3791,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index d0983bae509..98af491eaf5 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -3811,7 +3811,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index 8670ee2d465..ef350452428 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -3621,7 +3621,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 3314b262d4f..576358ed016 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -4167,7 +4167,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/daily-perf-improver.lock.yml b/.github/workflows/daily-perf-improver.lock.yml index 483aaa73e33..fb6371e17de 100644 --- a/.github/workflows/daily-perf-improver.lock.yml +++ b/.github/workflows/daily-perf-improver.lock.yml @@ -4720,7 +4720,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index 494976139fc..c94eec87782 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -3964,7 +3964,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-test-improver.lock.yml b/.github/workflows/daily-test-improver.lock.yml index d76d6eba3db..7d6394057a4 100644 --- a/.github/workflows/daily-test-improver.lock.yml +++ b/.github/workflows/daily-test-improver.lock.yml @@ -4694,7 +4694,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 3b1f7abf163..f666947ea9f 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -3763,7 +3763,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index ac368025c0c..f2ac8aae68c 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml 
@@ -3621,7 +3621,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index 60685cc2f46..0d5b8666cd0 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -4422,7 +4422,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index 802e67f9353..c5f1b6d8d4e 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml @@ -3252,7 +3252,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index a0cab960a6d..5175628b549 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -3195,7 +3195,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index 2db9e382585..89b5ffa8587 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -4367,7 +4367,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 3133c1c6f75..a4bd15ee430 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -3845,7 +3845,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 4bbcad05ce0..b245ab94dc3 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -3431,7 +3431,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index 3f3c8326c1f..a3b6707edc8 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -3795,7 +3795,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml index 583c42258b5..456e43ef1d4 100644 --- a/.github/workflows/issue-classifier.lock.yml +++ b/.github/workflows/issue-classifier.lock.yml @@ -2869,7 +2869,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index ba5a08c6468..44e706bd121 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml 
@@ -3671,7 +3671,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index c35309811ab..8ec3fdcfcbd 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml @@ -4600,7 +4600,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index d2f712deb6b..2710eefa886 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml @@ -4104,7 +4104,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index 730db7bffae..8d3bbc8d4c5 100644 --- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -4398,7 +4398,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 84c7c38d329..40a0662cb71 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -4212,7 +4212,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index a50579c8808..764315dd6b5 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml 
@@ -5905,7 +5905,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index a877f753474..8746c30681e 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -5334,7 +5334,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index fcd8b5dfcc0..f9247f289e2 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -3618,7 +3618,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index 5f2ace6706c..4db51f5818b 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -3931,7 +3931,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 8efe2185c97..aa4331cae05 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -3799,7 +3799,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 920aca3a2de..e6a9e626341 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml 
@@ -3601,7 +3601,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index aecb9535551..eef30e52eb9 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -4330,7 +4330,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml index 6feb783d0ac..dd0556321c2 100644 --- a/.github/workflows/security-fix-pr.lock.yml +++ b/.github/workflows/security-fix-pr.lock.yml @@ -3754,7 +3754,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index 940b0cce2fd..bc676553892 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -3706,7 +3706,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 71bf6c1b602..e6b797be156 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -3276,7 +3276,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 4aaae4b3eda..c67b0d625b4 100644 --- a/.github/workflows/smoke-codex.lock.yml 
+++ b/.github/workflows/smoke-codex.lock.yml @@ -2934,7 +2934,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml index 8d9713a858a..98ec710361c 100644 --- a/.github/workflows/smoke-copilot.firewall.lock.yml +++ b/.github/workflows/smoke-copilot.firewall.lock.yml @@ -3984,7 +3984,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 570243822d8..8846f7fcea8 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -3984,7 +3984,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml index 779c49c0662..136e7e2311f 100644 --- a/.github/workflows/smoke-detector.lock.yml +++ b/.github/workflows/smoke-detector.lock.yml @@ -4304,7 +4304,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index e557f9595b0..d381aaeff23 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -2454,7 +2454,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-custom-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 5f9f139af94..238ae66c68b 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -4488,7 +4488,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 77e72b886ba..020f922d6f0 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -4415,7 +4415,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index eaf58a96002..78a32acb529 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -4710,7 +4710,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 6997594e079..3ed7f0d11ac 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -3852,7 +3852,6 @@ jobs: detection: needs: agent runs-on: ubuntu-latest - permissions: read-all concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index d4178550cf3..be03a88aef2 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml 
@@ -3912,7 +3912,6 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
- permissions: read-all
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go
index 9f018e7c5e7..c0b660da4b6 100644
--- a/pkg/workflow/threat_detection.go
+++ b/pkg/workflow/threat_detection.go
@@ -96,7 +96,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin
 Name: constants.DetectionJobName,
 If: "",
 RunsOn: "runs-on: ubuntu-latest",
- Permissions: NewPermissionsReadAll().RenderToYAML(),
+ Permissions: NewPermissions().RenderToYAML(),
 Concurrency: c.indentYAMLLines(agentConcurrency, " "),
 TimeoutMinutes: 10,
 Steps: steps,
diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go
index 8ef46e41466..d5763c2ee15 100644
--- a/pkg/workflow/threat_detection_test.go
+++ b/pkg/workflow/threat_detection_test.go
@@ -223,8 +223,8 @@ func TestBuildThreatDetectionJob(t *testing.T) {
 if job.RunsOn != "runs-on: ubuntu-latest" {
 t.Errorf("Expected ubuntu-latest runner, got %q", job.RunsOn)
 }
- if job.Permissions != "permissions: read-all" {
- t.Errorf("Expected read-all permissions, got %q", job.Permissions)
+ if job.Permissions != "" {
+ t.Errorf("Expected empty permissions (metadata read only), got %q", job.Permissions)
 }
 if len(job.Needs) != 1 || job.Needs[0] != tt.mainJobName {
 t.Errorf("Expected job to depend on %q, got %v", tt.mainJobName, job.Needs)
From c50768580bb67b10d3b0e1199bc89c265e26d4ea Mon Sep 17 00:00:00 2001
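Review bot: `NewPermissions().RenderToYAML()` renders to the empty string here (the test hunk in this same patch pins `job.Permissions == ""`), so the compiled `detection` job loses its `permissions:` key entirely — every lock.yml hunk in this patch shows the line deleted, not replaced. A job with no `permissions:` key is not restricted to metadata: it inherits the workflow-level `permissions` block, or the repository's default GITHUB_TOKEN scopes when none is set, which can be read/write, so for a job whose purpose is to scan the agent's output this widens the token rather than narrowing it. The job should carry an explicit empty mapping, `Permissions: "permissions: {}",` (or the empty permission set should render to that), which the third patch in this series appears to do; the rendering helper should never emit nothing for "no permissions". `buildThreatDetectionJob` starts and ends outside the hunk.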
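Review bot: The new error message `Expected empty permissions (metadata read only)` states the opposite of what an empty `Permissions` produces in the compiled workflow: an omitted `permissions:` key inherits the workflow or repository default token scopes instead of restricting them to metadata. The assertion should pin the literal YAML the job must carry, `if job.Permissions != "permissions: {}" {` with `t.Errorf("Expected explicit empty permissions block, got %q", job.Permissions)`, so a regression back to an omitted key fails the test. `TestBuildThreatDetectionJob` starts and ends outside the hunk.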
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 28 Oct 2025 00:53:55 +0000 Subject: [PATCH 3/3] Set detection job permissions to explicit empty object (permissions: {}) Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- .github/workflows/artifacts-summary.lock.yml | 1 + .github/workflows/audit-workflows.lock.yml | 1 + .github/workflows/blog-auditor.lock.yml | 1 + .github/workflows/brave.lock.yml | 1 + .../changeset-generator.firewall.lock.yml | 1 + .github/workflows/ci-doctor.lock.yml | 1 + .../workflows/cli-version-checker.lock.yml | 1 + .../commit-changes-analyzer.lock.yml | 1 + .../workflows/copilot-agent-analysis.lock.yml | 1 + .github/workflows/daily-doc-updater.lock.yml | 1 + .../workflows/daily-firewall-report.lock.yml | 1 + .github/workflows/daily-news.lock.yml | 1 + .../workflows/daily-perf-improver.lock.yml | 1 + .../workflows/daily-repo-chronicle.lock.yml | 1 + .../workflows/daily-test-improver.lock.yml | 1 + .github/workflows/dev-hawk.lock.yml | 1 + .github/workflows/dev.lock.yml | 1 + .github/workflows/dictation-prompt.lock.yml | 1 + .../duplicate-code-detector.lock.yml | 1 + .../example-workflow-analyzer.lock.yml | 1 + .../github-mcp-tools-report.lock.yml | 1 + .github/workflows/go-logger.lock.yml | 1 + .../workflows/go-pattern-detector.lock.yml | 1 + .../workflows/instructions-janitor.lock.yml | 1 + .github/workflows/issue-classifier.lock.yml | 1 + .github/workflows/lockfile-stats.lock.yml | 1 + .github/workflows/mcp-inspector.lock.yml | 1 + .github/workflows/mergefest.lock.yml | 1 + .github/workflows/pdf-summary.lock.yml | 1 + .github/workflows/plan.lock.yml | 1 + .github/workflows/poem-bot.lock.yml | 1 + .github/workflows/q.lock.yml | 1 + .github/workflows/repo-tree-map.lock.yml | 1 + .github/workflows/research.lock.yml | 1 + .github/workflows/safe-output-health.lock.yml | 1 + .../schema-consistency-checker.lock.yml | 1 + .github/workflows/scout.lock.yml | 1 + 
.github/workflows/security-fix-pr.lock.yml | 1 + .../semantic-function-refactor.lock.yml | 1 + .github/workflows/smoke-claude.lock.yml | 1 + .github/workflows/smoke-codex.lock.yml | 1 + .../workflows/smoke-copilot.firewall.lock.yml | 1 + .github/workflows/smoke-copilot.lock.yml | 1 + .github/workflows/smoke-detector.lock.yml | 1 + .github/workflows/smoke-opencode.lock.yml | 1 + .../workflows/technical-doc-writer.lock.yml | 1 + .github/workflows/tidy.lock.yml | 1 + .github/workflows/unbloat-docs.lock.yml | 1 + .github/workflows/video-analyzer.lock.yml | 1 + .../workflows/weekly-issue-summary.lock.yml | 1 + pkg/workflow/permissions.go | 21 +++++++++++++++---- pkg/workflow/threat_detection.go | 2 +- pkg/workflow/threat_detection_test.go | 4 ++-- 53 files changed, 70 insertions(+), 7 deletions(-) diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index 5209c0dbbc4..9dd72c52146 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -4040,6 +4040,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index b7d4ffccb65..dadea57e7fd 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -3695,6 +3695,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 4670481804d..4c5b1338402 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml 
@@ -3604,6 +3604,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 6bc229ad322..e20ff07b0a4 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -4299,6 +4299,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/changeset-generator.firewall.lock.yml b/.github/workflows/changeset-generator.firewall.lock.yml index 7174d181f0c..55c0905480c 100644 --- a/.github/workflows/changeset-generator.firewall.lock.yml +++ b/.github/workflows/changeset-generator.firewall.lock.yml @@ -4465,6 +4465,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} timeout-minutes: 10 steps: - name: Download prompt artifact diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index f99fd780e9f..f0f641db4a1 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -4175,6 +4175,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 20b0cd041bd..ebf7f96e2c6 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -3894,6 +3894,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 4654dd7fcb2..1cdc89a4237 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml 
+++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -3461,6 +3461,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index ccce2898777..9518195142a 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -3791,6 +3791,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 98af491eaf5..0eec4a1b28c 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -3811,6 +3811,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index ef350452428..161cd295d2b 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -3621,6 +3621,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 576358ed016..f270822382c 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -4167,6 +4167,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/daily-perf-improver.lock.yml b/.github/workflows/daily-perf-improver.lock.yml index fb6371e17de..d200af7bc35 100644 --- a/.github/workflows/daily-perf-improver.lock.yml +++ b/.github/workflows/daily-perf-improver.lock.yml @@ -4720,6 +4720,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index c94eec87782..a175b8d238e 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -3964,6 +3964,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/daily-test-improver.lock.yml b/.github/workflows/daily-test-improver.lock.yml index 7d6394057a4..1c40de9e86a 100644 --- a/.github/workflows/daily-test-improver.lock.yml +++ b/.github/workflows/daily-test-improver.lock.yml @@ -4694,6 +4694,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index f666947ea9f..89bbc3957ed 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -3763,6 +3763,7 @@ jobs: detection: needs: agent runs-on: ubuntu-latest + permissions: {} concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index f2ac8aae68c..d1fcd8b0d83 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml 
@@ -3621,6 +3621,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml
index 0d5b8666cd0..a67f7e2c72b 100644
--- a/.github/workflows/dictation-prompt.lock.yml
+++ b/.github/workflows/dictation-prompt.lock.yml
@@ -4422,6 +4422,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml
index c5f1b6d8d4e..75d060c55e4 100644
--- a/.github/workflows/duplicate-code-detector.lock.yml
+++ b/.github/workflows/duplicate-code-detector.lock.yml
@@ -3252,6 +3252,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-codex-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml
index 5175628b549..94959554135 100644
--- a/.github/workflows/example-workflow-analyzer.lock.yml
+++ b/.github/workflows/example-workflow-analyzer.lock.yml
@@ -3195,6 +3195,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml
index 89b5ffa8587..c99cd70d97c 100644
--- a/.github/workflows/github-mcp-tools-report.lock.yml
+++ b/.github/workflows/github-mcp-tools-report.lock.yml
@@ -4367,6 +4367,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml
index a4bd15ee430..6504cf0cdf9 100644
--- a/.github/workflows/go-logger.lock.yml
+++ b/.github/workflows/go-logger.lock.yml
@@ -3845,6 +3845,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml
index b245ab94dc3..4a9be890c63 100644
--- a/.github/workflows/go-pattern-detector.lock.yml
+++ b/.github/workflows/go-pattern-detector.lock.yml
@@ -3431,6 +3431,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml
index a3b6707edc8..35edb423703 100644
--- a/.github/workflows/instructions-janitor.lock.yml
+++ b/.github/workflows/instructions-janitor.lock.yml
@@ -3795,6 +3795,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml
index 456e43ef1d4..0690ff0a261 100644
--- a/.github/workflows/issue-classifier.lock.yml
+++ b/.github/workflows/issue-classifier.lock.yml
@@ -2869,6 +2869,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml
index 44e706bd121..8e29090df72 100644
--- a/.github/workflows/lockfile-stats.lock.yml
+++ b/.github/workflows/lockfile-stats.lock.yml
@@ -3671,6 +3671,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml
index 8ec3fdcfcbd..242455a56a4 100644
--- a/.github/workflows/mcp-inspector.lock.yml
+++ b/.github/workflows/mcp-inspector.lock.yml
@@ -4600,6 +4600,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml
index 2710eefa886..2b6009dde60 100644
--- a/.github/workflows/mergefest.lock.yml
+++ b/.github/workflows/mergefest.lock.yml
@@ -4104,6 +4104,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml
index 8d3bbc8d4c5..9d50577f96a 100644
--- a/.github/workflows/pdf-summary.lock.yml
+++ b/.github/workflows/pdf-summary.lock.yml
@@ -4398,6 +4398,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml
index 40a0662cb71..f553407ed8e 100644
--- a/.github/workflows/plan.lock.yml
+++ b/.github/workflows/plan.lock.yml
@@ -4212,6 +4212,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml
index 764315dd6b5..40dbae39c68 100644
--- a/.github/workflows/poem-bot.lock.yml
+++ b/.github/workflows/poem-bot.lock.yml
@@ -5905,6 +5905,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml
index 8746c30681e..6fb3b4edbd0 100644
--- a/.github/workflows/q.lock.yml
+++ b/.github/workflows/q.lock.yml
@@ -5334,6 +5334,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml
index f9247f289e2..421422b6753 100644
--- a/.github/workflows/repo-tree-map.lock.yml
+++ b/.github/workflows/repo-tree-map.lock.yml
@@ -3618,6 +3618,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml
index 4db51f5818b..e5c9c75077f 100644
--- a/.github/workflows/research.lock.yml
+++ b/.github/workflows/research.lock.yml
@@ -3931,6 +3931,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml
index aa4331cae05..a1c02b12be6 100644
--- a/.github/workflows/safe-output-health.lock.yml
+++ b/.github/workflows/safe-output-health.lock.yml
@@ -3799,6 +3799,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml
index e6a9e626341..92793fee6fa 100644
--- a/.github/workflows/schema-consistency-checker.lock.yml
+++ b/.github/workflows/schema-consistency-checker.lock.yml
@@ -3601,6 +3601,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml
index eef30e52eb9..57086a5f541 100644
--- a/.github/workflows/scout.lock.yml
+++ b/.github/workflows/scout.lock.yml
@@ -4330,6 +4330,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/security-fix-pr.lock.yml b/.github/workflows/security-fix-pr.lock.yml
index dd0556321c2..4e1bb49b40d 100644
--- a/.github/workflows/security-fix-pr.lock.yml
+++ b/.github/workflows/security-fix-pr.lock.yml
@@ -3754,6 +3754,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml
index bc676553892..897ce3c5aae 100644
--- a/.github/workflows/semantic-function-refactor.lock.yml
+++ b/.github/workflows/semantic-function-refactor.lock.yml
@@ -3706,6 +3706,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
index e6b797be156..2992bd0d34b 100644
--- a/.github/workflows/smoke-claude.lock.yml
+++ b/.github/workflows/smoke-claude.lock.yml
@@ -3276,6 +3276,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
index c67b0d625b4..6273654369a 100644
--- a/.github/workflows/smoke-codex.lock.yml
+++ b/.github/workflows/smoke-codex.lock.yml
@@ -2934,6 +2934,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-codex-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/smoke-copilot.firewall.lock.yml b/.github/workflows/smoke-copilot.firewall.lock.yml
index 98ec710361c..2d59a5bb51c 100644
--- a/.github/workflows/smoke-copilot.firewall.lock.yml
+++ b/.github/workflows/smoke-copilot.firewall.lock.yml
@@ -3984,6 +3984,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 8846f7fcea8..37bc971a934 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
@@ -3984,6 +3984,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/smoke-detector.lock.yml b/.github/workflows/smoke-detector.lock.yml
index 136e7e2311f..0fec03e5bb1 100644
--- a/.github/workflows/smoke-detector.lock.yml
+++ b/.github/workflows/smoke-detector.lock.yml
@@ -4304,6 +4304,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml
index d381aaeff23..140707dc994 100644
--- a/.github/workflows/smoke-opencode.lock.yml
+++ b/.github/workflows/smoke-opencode.lock.yml
@@ -2454,6 +2454,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-custom-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml
index 238ae66c68b..c042263bd5f 100644
--- a/.github/workflows/technical-doc-writer.lock.yml
+++ b/.github/workflows/technical-doc-writer.lock.yml
@@ -4488,6 +4488,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-claude-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml
index 020f922d6f0..7ca3938bccb 100644
--- a/.github/workflows/tidy.lock.yml
+++ b/.github/workflows/tidy.lock.yml
@@ -4415,6 +4415,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml
index 78a32acb529..dc2435e7018 100644
--- a/.github/workflows/unbloat-docs.lock.yml
+++ b/.github/workflows/unbloat-docs.lock.yml
@@ -4710,6 +4710,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 timeout-minutes: 10
 steps:
 - name: Download prompt artifact
diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml
index 3ed7f0d11ac..967fa584237 100644
--- a/.github/workflows/video-analyzer.lock.yml
+++ b/.github/workflows/video-analyzer.lock.yml
@@ -3852,6 +3852,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml
index be03a88aef2..ae73ad26e2a 100644
--- a/.github/workflows/weekly-issue-summary.lock.yml
+++ b/.github/workflows/weekly-issue-summary.lock.yml
@@ -3912,6 +3912,7 @@ jobs:
 detection:
 needs: agent
 runs-on: ubuntu-latest
+ permissions: {}
 concurrency:
 group: "gh-aw-copilot-${{ github.workflow }}"
 timeout-minutes: 10
diff --git a/pkg/workflow/permissions.go b/pkg/workflow/permissions.go
index 4b2cc30b227..6bf684821ec 100644
--- a/pkg/workflow/permissions.go
+++ b/pkg/workflow/permissions.go
@@ -457,10 +457,11 @@ func GetAllPermissionScopes() []PermissionScope {
 // It can be a shorthand (read-all, write-all, read, write, none) or a map of scopes to levels
 // It can also have an "all" permission that expands to all scopes
 type Permissions struct {
- shorthand string
- permissions map[PermissionScope]PermissionLevel
- hasAll bool
- allLevel PermissionLevel
+ shorthand string
+ permissions map[PermissionScope]PermissionLevel
+ hasAll bool
+ allLevel PermissionLevel
+ explicitEmpty bool // When true, renders "permissions: {}" even if no permissions are set
 }
 
 // NewPermissions creates a new Permissions with an empty map
@@ -505,6 +506,14 @@ func NewPermissionsNone() *Permissions {
 }
 }
 
+// NewPermissionsEmpty creates a Permissions that explicitly renders as "permissions: {}"
+func NewPermissionsEmpty() *Permissions {
+ return &Permissions{
+ permissions: make(map[PermissionScope]PermissionLevel),
+ explicitEmpty: true,
+ }
+}
+
 // NewPermissionsFromMap creates a Permissions from a map of scopes to levels
 func NewPermissionsFromMap(perms map[PermissionScope]PermissionLevel) *Permissions {
 p := NewPermissions()
@@ -753,6 +762,10 @@ func (p *Permissions) RenderToYAML() string {
 }
 
 if len(allPerms) == 0 {
+ // If explicitEmpty is true, render "permissions: {}"
+ if p.explicitEmpty {
+ return "permissions: {}"
+ }
 return ""
 }
 
diff --git a/pkg/workflow/threat_detection.go b/pkg/workflow/threat_detection.go
index c0b660da4b6..dae61439e8e 100644
--- a/pkg/workflow/threat_detection.go
+++ b/pkg/workflow/threat_detection.go
@@ -96,7 +96,7 @@ func (c *Compiler) buildThreatDetectionJob(data *WorkflowData, mainJobName strin
 Name: constants.DetectionJobName,
 If: "",
 RunsOn: "runs-on: ubuntu-latest",
- Permissions: NewPermissions().RenderToYAML(),
+ Permissions: NewPermissionsEmpty().RenderToYAML(),
 Concurrency: c.indentYAMLLines(agentConcurrency, " "),
 TimeoutMinutes: 10,
 Steps: steps,
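Review bot: The doc comment on `NewPermissionsEmpty` says what it renders but not why a caller would pick it over `NewPermissions()`, and that is the security-relevant distinction: a job whose `permissions` block is omitted inherits the workflow-level block, while `permissions: {}` leaves the job's GITHUB_TOKEN with only the scopes GitHub always grants (metadata read). I would write `// NewPermissionsEmpty creates a Permissions that renders as "permissions: {}" so the job does not inherit the workflow-level permissions; use it for jobs that need no GITHUB_TOKEN scopes beyond the default metadata read.` The `explicitEmpty` field comment in the struct hunk above could carry the same one-line reason, since "even if no permissions are set" describes the mechanism but not the consequence. A sentence contrasting this constructor with `NewPermissionsNone` (visible here only as hunk context) would also help, because both names read as "no permissions" and a maintainer has no way to tell from the comments which one to reach for.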
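Review bot: Switching the detection job to `NewPermissionsEmpty()` removes every GITHUB_TOKEN scope the job previously inherited from the workflow-level `permissions` block, but nothing in the commit exercises the job's steps under the reduced token; the updated test only pins the rendered string. The generated detection jobs start with a `Download prompt artifact` step, and downloading an artifact from the same run should not need `actions: read` as far as I know, but any later step that calls the REST API with `github.token` would now fail with a 403, so compiling and running one lock file end to end would be a cheap confirmation. The rest of `buildThreatDetectionJob`, including the steps it assembles, is outside this hunk. Since other jobs built with `NewPermissions().RenderToYAML()` keep the old inherit-from-workflow behaviour, a short comment at this call site, e.g. `// permissions: {} — do not inherit the workflow-level token scopes`, would make the contrast explicit for the next reader.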
diff --git a/pkg/workflow/threat_detection_test.go b/pkg/workflow/threat_detection_test.go
index d5763c2ee15..e5c141160d7 100644
--- a/pkg/workflow/threat_detection_test.go
+++ b/pkg/workflow/threat_detection_test.go
@@ -223,8 +223,8 @@ func TestBuildThreatDetectionJob(t *testing.T) {
 if job.RunsOn != "runs-on: ubuntu-latest" {
 t.Errorf("Expected ubuntu-latest runner, got %q", job.RunsOn)
 }
- if job.Permissions != "" {
- t.Errorf("Expected empty permissions (metadata read only), got %q", job.Permissions)
+ if job.Permissions != "permissions: {}" {
+ t.Errorf("Expected 'permissions: {}', got %q", job.Permissions)
 }
 if len(job.Needs) != 1 || job.Needs[0] != tt.mainJobName {
 t.Errorf("Expected job to depend on %q, got %v", tt.mainJobName, job.Needs)