Migrate runtime threat scan to CopilotRequestWrite #153
Merged
Copilot (AI) changed the title from "chore: migrate runtime threat scan to CopilotRequestWrite" to "Migrate runtime threat scan to CopilotRequestWrite" on Jun 12, 2026.
Copilot created this pull request from a session on behalf of pelikhan, June 12, 2026 00:09.
pelikhan approved these changes on Jun 12, 2026.
Pull request overview
This pull request migrates the remaining runtime threat-scan agentic workflow to the current Copilot authentication model by requesting Copilot access via workflow/job permissions, and refreshes generated workflows to match the latest gh-aw compiler output.
Changes:
- Updated the workflow source to request Copilot via `permissions.copilot-requests: write` (removing the deprecated `features.copilot-requests` flag).
- Recompiled the generated lock workflow with `gh-aw v0.79.6`, picking up updated pins/metadata and updated job/concurrency structure.
- Added the generated `agentics-maintenance.yml` workflow (emitted by `gh-aw` when safe-outputs use `expires`).
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/daily-runtime-threat-scan.md | Switches Copilot access from deprecated feature flag to workflow permissions (copilot-requests: write). |
| .github/workflows/daily-runtime-threat-scan.lock.yml | Regenerated compiled workflow with gh-aw v0.79.6, including updated pins/metadata and the new Copilot permission-based auth path. |
| .github/workflows/agentics-maintenance.yml | Adds the generated maintenance workflow to manage expiration-based maintenance tasks emitted by gh-aw. |
Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 0
zizmor found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
This updates the remaining agentic workflow to the current Copilot auth model and refreshes its generated lock file with the latest `gh-aw` release output. The workflow now requests Copilot access via workflow permissions instead of the deprecated feature flag / secret path.

Workflow source
- `features.copilot-requests: true` with `permissions.copilot-requests: write` in `daily-runtime-threat-scan.md`.

Generated workflow
- `daily-runtime-threat-scan.lock.yml` with `gh-aw v0.79.6`.

Copilot auth path
- `COPILOT_GITHUB_TOKEN` secret verification and secret redaction entries tied to the old flow.