diff --git a/.github/workflows/approach-validator.lock.yml b/.github/workflows/approach-validator.lock.yml index a17c7e8a430..1742dc4c1f3 100644 --- a/.github/workflows/approach-validator.lock.yml +++ b/.github/workflows/approach-validator.lock.yml @@ -1218,7 +1218,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1752,7 +1751,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 6825bc1241f..9fec19f26dd 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml @@ -1127,7 +1127,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1652,7 +1651,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index 674d74c95bb..cd5bf723197 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -1097,7 +1097,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1622,7 +1621,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 35c3c12ae19..7e1abe0d956 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1320,7 +1320,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: 
@@ -1850,7 +1849,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index 145432c0f4f..3edc77a0db1 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -1455,7 +1455,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1993,7 +1992,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/contribution-check.lock.yml b/.github/workflows/contribution-check.lock.yml index 668d7929f2b..5f0140f0ece 100644 --- a/.github/workflows/contribution-check.lock.yml +++ b/.github/workflows/contribution-check.lock.yml @@ -1153,7 +1153,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1601,7 +1600,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index 761a1a0c1b8..89f00b9ad58 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -1098,7 +1098,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1625,7 +1624,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index e2982fdd417..e7ba5af13ef 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml 
@@ -1027,7 +1027,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1476,7 +1475,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index a953fc5f411..14927a4d151 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml @@ -1287,7 +1287,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1888,7 +1887,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/dependabot-repair.lock.yml b/.github/workflows/dependabot-repair.lock.yml index 5391a746fdf..3230ef7c65e 100644 --- a/.github/workflows/dependabot-repair.lock.yml +++ b/.github/workflows/dependabot-repair.lock.yml @@ -1127,7 +1127,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1629,7 +1628,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/design-decision-gate.lock.yml b/.github/workflows/design-decision-gate.lock.yml index de37eef5ab0..a576985a2fc 100644 --- a/.github/workflows/design-decision-gate.lock.yml +++ b/.github/workflows/design-decision-gate.lock.yml @@ -1226,7 +1226,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1760,7 +1759,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 
diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index 5c658f32e51..8334d2aa8ba 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -1148,7 +1148,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1642,7 +1641,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index f06ecde03c8..64398f71694 100644 --- a/.github/workflows/discussion-task-miner.lock.yml +++ b/.github/workflows/discussion-task-miner.lock.yml @@ -1113,7 +1113,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1669,7 +1668,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index d3f87ba3b40..d6db1ab68b4 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -1065,7 +1065,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1515,7 +1514,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index f392c348d78..e644d1a03f8 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -1438,7 +1438,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: 
@@ -2346,7 +2345,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 4559603c017..c86cd588e28 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -1013,7 +1013,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1460,7 +1459,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/mattpocock-skills-reviewer.lock.yml b/.github/workflows/mattpocock-skills-reviewer.lock.yml index 45511e0c499..975026194ab 100644 --- a/.github/workflows/mattpocock-skills-reviewer.lock.yml +++ b/.github/workflows/mattpocock-skills-reviewer.lock.yml @@ -1155,7 +1155,6 @@ jobs: permissions: checks: write contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1682,7 +1681,6 @@ jobs: permissions: checks: write contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/necromancer.lock.yml b/.github/workflows/necromancer.lock.yml index 91c7b4a4120..f528c907eda 100644 --- a/.github/workflows/necromancer.lock.yml +++ b/.github/workflows/necromancer.lock.yml @@ -1135,7 +1135,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1715,7 +1714,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/pr-sous-chef.lock.yml b/.github/workflows/pr-sous-chef.lock.yml index 0c7ccf5a8dd..12b969798a0 100644 --- a/.github/workflows/pr-sous-chef.lock.yml 
+++ b/.github/workflows/pr-sous-chef.lock.yml @@ -1157,7 +1157,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1665,7 +1664,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index 230bc48052a..5cfa36d55f4 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -1184,7 +1184,6 @@ jobs: permissions: checks: write contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1735,7 +1734,6 @@ jobs: permissions: checks: write contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 84baf90e46e..bdbafb51ac0 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -1262,7 +1262,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1789,7 +1788,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 1885df1c626..ccbcdf4e38b 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -1159,7 +1159,6 @@ jobs: permissions: checks: write contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1657,7 +1656,6 @@ jobs: permissions: checks: write contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/ruflo-backed-task.lock.yml b/.github/workflows/ruflo-backed-task.lock.yml index d508cd19404..cb523f8b92a 100644 
--- a/.github/workflows/ruflo-backed-task.lock.yml +++ b/.github/workflows/ruflo-backed-task.lock.yml @@ -1229,7 +1229,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1760,7 +1759,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/scout.lock.yml b/.github/workflows/scout.lock.yml index 3bb74fa8fd8..c13500fb843 100644 --- a/.github/workflows/scout.lock.yml +++ b/.github/workflows/scout.lock.yml @@ -1327,7 +1327,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1857,7 +1856,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-agent-all-merged.lock.yml b/.github/workflows/smoke-agent-all-merged.lock.yml index 72335cc83a5..43e4be57653 100644 --- a/.github/workflows/smoke-agent-all-merged.lock.yml +++ b/.github/workflows/smoke-agent-all-merged.lock.yml @@ -1131,7 +1131,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1663,7 +1662,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-agent-all-none.lock.yml b/.github/workflows/smoke-agent-all-none.lock.yml index 2fcfb070c39..9b94f296ae4 100644 --- a/.github/workflows/smoke-agent-all-none.lock.yml +++ b/.github/workflows/smoke-agent-all-none.lock.yml @@ -1131,7 +1131,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: 
@@ -1663,7 +1662,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-agent-public-approved.lock.yml b/.github/workflows/smoke-agent-public-approved.lock.yml index 072bb8bc92a..87f54937bc1 100644 --- a/.github/workflows/smoke-agent-public-approved.lock.yml +++ b/.github/workflows/smoke-agent-public-approved.lock.yml @@ -1162,7 +1162,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1697,7 +1696,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-agent-public-none.lock.yml b/.github/workflows/smoke-agent-public-none.lock.yml index d2e9866f32d..b3069817db3 100644 --- a/.github/workflows/smoke-agent-public-none.lock.yml +++ b/.github/workflows/smoke-agent-public-none.lock.yml @@ -1131,7 +1131,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1663,7 +1662,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-agent-scoped-approved.lock.yml b/.github/workflows/smoke-agent-scoped-approved.lock.yml index 6cc10de7ced..a019f7a5eac 100644 --- a/.github/workflows/smoke-agent-scoped-approved.lock.yml +++ b/.github/workflows/smoke-agent-scoped-approved.lock.yml @@ -1138,7 +1138,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1670,7 +1669,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 
diff --git a/.github/workflows/smoke-antigravity.lock.yml b/.github/workflows/smoke-antigravity.lock.yml index dbea2720c27..f9c63884df4 100644 --- a/.github/workflows/smoke-antigravity.lock.yml +++ b/.github/workflows/smoke-antigravity.lock.yml @@ -1200,7 +1200,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1795,7 +1794,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index 94d796de8fa..16ebecaa1e1 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -1106,7 +1106,6 @@ jobs: permissions: actions: read contents: read - discussions: write issues: write pull-requests: write uses: ./.github/workflows/smoke-workflow-call.lock.yml diff --git a/.github/workflows/smoke-ci.lock.yml b/.github/workflows/smoke-ci.lock.yml index 82cb35bbe2c..61d4271d8d4 100644 --- a/.github/workflows/smoke-ci.lock.yml +++ b/.github/workflows/smoke-ci.lock.yml @@ -1317,7 +1317,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1643,7 +1642,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 1570c092ab9..c36efbb960f 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1965,7 +1965,6 @@ jobs: permissions: checks: write contents: read - discussions: write issues: write pull-requests: write security-events: write 
@@ -2503,7 +2502,6 @@ jobs: permissions: checks: write contents: read - discussions: write issues: write pull-requests: write security-events: write diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index f5f75c6bb9b..0c5ffc0a141 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -1199,7 +1199,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1729,7 +1728,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-crush.lock.yml b/.github/workflows/smoke-crush.lock.yml index f7ac24fd7a5..337625ec1fb 100644 --- a/.github/workflows/smoke-crush.lock.yml +++ b/.github/workflows/smoke-crush.lock.yml @@ -1098,7 +1098,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1609,7 +1608,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 52ca6deb7a1..9c72a3e747b 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -1203,7 +1203,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1800,7 +1799,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 3f4252e002b..3a580594617 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml 
+++ b/.github/workflows/smoke-multi-pr.lock.yml @@ -1142,7 +1142,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1671,7 +1670,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-opencode.lock.yml b/.github/workflows/smoke-opencode.lock.yml index e488355062a..dc8fc9c2c9a 100644 --- a/.github/workflows/smoke-opencode.lock.yml +++ b/.github/workflows/smoke-opencode.lock.yml @@ -1103,7 +1103,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1613,7 +1612,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-pi.lock.yml b/.github/workflows/smoke-pi.lock.yml index 40628bc392d..d5103c50d81 100644 --- a/.github/workflows/smoke-pi.lock.yml +++ b/.github/workflows/smoke-pi.lock.yml @@ -1120,7 +1120,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1622,7 +1621,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index 526844cd1a5..112c4e6bdd0 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -1326,7 +1326,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1939,7 +1938,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 
diff --git a/.github/workflows/smoke-service-ports.lock.yml b/.github/workflows/smoke-service-ports.lock.yml index 01bf79835f1..c0383abd97c 100644 --- a/.github/workflows/smoke-service-ports.lock.yml +++ b/.github/workflows/smoke-service-ports.lock.yml @@ -1068,7 +1068,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1592,7 +1591,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index 8d6e98504a9..a43e3c1cdbe 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -1169,7 +1169,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1780,7 +1779,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index 257adce0e22..bf4575e2712 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -1099,7 +1099,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1626,7 +1625,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index d8a7d95d36d..cf18a6a2d86 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml 
@@ -1229,7 +1229,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1760,7 +1759,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 5d1066e5b24..050919a2939 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -1113,7 +1113,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1608,7 +1607,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/stale-pr-cleanup.lock.yml b/.github/workflows/stale-pr-cleanup.lock.yml index b470de01396..dce63033d1c 100644 --- a/.github/workflows/stale-pr-cleanup.lock.yml +++ b/.github/workflows/stale-pr-cleanup.lock.yml @@ -1060,7 +1060,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1510,7 +1509,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index 0ab8ee340e0..8fb8953aef5 100644 --- a/.github/workflows/static-analysis-report.lock.yml +++ b/.github/workflows/static-analysis-report.lock.yml @@ -1271,7 +1271,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1725,7 +1724,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 
diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index 7edf41ad6f7..3d9fd10247d 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -1061,7 +1061,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1509,7 +1508,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index bdf45cf4ce8..e9ce4256a84 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -1178,7 +1178,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1731,7 +1730,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/test-quality-sentinel.lock.yml b/.github/workflows/test-quality-sentinel.lock.yml index e1fb7777d74..3c5aadc2e64 100644 --- a/.github/workflows/test-quality-sentinel.lock.yml +++ b/.github/workflows/test-quality-sentinel.lock.yml @@ -1130,7 +1130,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1656,7 +1655,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index 5b4c2ff4ba0..a20ece074cf 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml 
@@ -1282,7 +1282,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write concurrency: @@ -1827,7 +1826,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: write - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/visual-regression-checker.lock.yml b/.github/workflows/visual-regression-checker.lock.yml index 6ba94b79d21..a70abfe1256 100644 --- a/.github/workflows/visual-regression-checker.lock.yml +++ b/.github/workflows/visual-regression-checker.lock.yml @@ -1109,7 +1109,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1601,7 +1600,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index a825dd63193..ec29b3db177 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -1149,7 +1149,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write concurrency: @@ -1698,7 +1697,6 @@ jobs: runs-on: ubuntu-slim permissions: contents: read - discussions: write issues: write pull-requests: write timeout-minutes: 45 diff --git a/actions/setup/js/generate_safe_outputs_tools.cjs b/actions/setup/js/generate_safe_outputs_tools.cjs index 1651735da5d..fae7e0c0225 100644 --- a/actions/setup/js/generate_safe_outputs_tools.cjs +++ b/actions/setup/js/generate_safe_outputs_tools.cjs 
@@ -31,6 +31,45 @@ const fs = require("fs"); const path = require("path"); const { ERR_CONFIG } = require("./error_codes.cjs"); +const ADD_COMMENT_DEFAULT_DISCUSSIONS_NOTE = + "NOTE: By default, this tool does not require discussions:write permission. Set 'discussions: true' in the workflow's safe-outputs.add-comment configuration to enable discussion comments and request this permission."; +const ADD_COMMENT_DISCUSSIONS_ENABLED_NOTE = "NOTE: Discussion comments are enabled for this workflow because discussions:write permission is available."; +const ADD_COMMENT_DISCUSSIONS_DISABLED_NOTE = + "NOTE: Discussion comments are disabled for this workflow because discussions:write permission is not available. Set 'discussions: true' in the workflow's safe-outputs.add-comment configuration to enable discussion comments and request this permission."; +const ADD_COMMENT_REPLY_SUPPORT_SENTENCE = "Supports reply_to_id for discussion threading."; +const ADD_COMMENT_REPLY_SUPPORT_REGEX = /\s*Supports reply_to_id for discussion threading\./g; + +/** + * Update add_comment description to match runtime-safe-output permissions. + * @param {string} description + * @param {unknown} addCommentConfig + * @returns {string} + */ +function updateAddCommentDescription(description, addCommentConfig) { + const discussionCommentsEnabled = typeof addCommentConfig === "object" && addCommentConfig !== null && "discussions" in addCommentConfig && addCommentConfig.discussions === true; + + let updated = description || ""; + const note = discussionCommentsEnabled ? 
ADD_COMMENT_DISCUSSIONS_ENABLED_NOTE : ADD_COMMENT_DISCUSSIONS_DISABLED_NOTE; + if (updated.includes(ADD_COMMENT_DEFAULT_DISCUSSIONS_NOTE)) { + updated = updated.replace(ADD_COMMENT_DEFAULT_DISCUSSIONS_NOTE, note); + } else if (!updated.includes(ADD_COMMENT_DISCUSSIONS_ENABLED_NOTE) && !updated.includes(ADD_COMMENT_DISCUSSIONS_DISABLED_NOTE)) { + updated = `${updated} ${note}`.trim(); + } + + if (discussionCommentsEnabled) { + if (!updated.includes(ADD_COMMENT_REPLY_SUPPORT_SENTENCE)) { + updated = `${updated} ${ADD_COMMENT_REPLY_SUPPORT_SENTENCE}`.trim(); + } + } else { + updated = updated + .replace(ADD_COMMENT_REPLY_SUPPORT_REGEX, "") + .replace(/\s{2,}/g, " ") + .trim(); + } + + return updated; +} + async function main() { const toolsSourcePath = process.env.GH_AW_SAFE_OUTPUTS_TOOLS_SOURCE_PATH || `${process.env.RUNNER_TEMP}/gh-aw/actions/safe_outputs_tools.json`; const configPath = process.env.GH_AW_SAFE_OUTPUTS_CONFIG_PATH || `${process.env.RUNNER_TEMP}/gh-aw/safeoutputs/config.json`; @@ -92,6 +131,10 @@ async function main() { enhancedTool.description = (enhancedTool.description || "") + descSuffix; } + if (tool.name === "add_comment") { + enhancedTool.description = updateAddCommentDescription(enhancedTool.description, config.add_comment); + } + // Add repo parameter to inputSchema if configured const repoParam = toolsMeta.repo_params?.[tool.name]; if (repoParam) { diff --git a/actions/setup/js/generate_safe_outputs_tools.test.cjs b/actions/setup/js/generate_safe_outputs_tools.test.cjs index f87148f3e03..00bb22cf856 100644 --- a/actions/setup/js/generate_safe_outputs_tools.test.cjs +++ b/actions/setup/js/generate_safe_outputs_tools.test.cjs 
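Review bot: The enabled and disabled notes in `updateAddCommentDescription` say discussions:write "is available" or "is not available", but the function only tests `addCommentConfig.discussions === true`. The text given to the agent is therefore a claim derived from config, not from the scopes the job token actually holds. I would state that in the doc comment, for example `// Advisory only: derived from config.add_comment.discussions, not from granted token scopes; the add_comment handler must still reject discussion targets when the flag is off.` The handler is outside this diff, so confirm that it enforces the flag. The strict `=== true` comparison fails closed for values such as the string "true", which is the right default and worth a short comment too. Separately, `.replace(/\s{2,}/g, " ")` runs over the whole description only in the disabled branch, so a multi-line description is flattened there but not in the enabled branch; limiting the cleanup to the span where the reply sentence was removed would keep the two branches consistent. The call site added in `main()` sits in a second hunk, and the body of `main()` continues outside it.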
@@ -273,4 +273,37 @@ describe("generate_safe_outputs_tools", () => { // Description should be unchanged (no suffix applied) expect(result[0].description).toBe("Creates a GitHub issue."); }); + + it("dynamically marks add_comment discussion support as enabled when discussions:true", () => { + fs.writeFileSync(configPath, JSON.stringify({ add_comment: { discussions: true } })); + fs.writeFileSync(toolsMetaPath, JSON.stringify({ description_suffixes: {}, repo_params: {}, dynamic_tools: [] })); + + runScript(); + + const result = JSON.parse(fs.readFileSync(outputPath, "utf8")); + const addCommentTool = result.find((/** @type {{name: string, description: string}} */ t) => t.name === "add_comment"); + expect(addCommentTool).toBeDefined(); + expect(addCommentTool.description).toContain("Discussion comments are enabled for this workflow"); + expect(addCommentTool.description).toContain("Supports reply_to_id for discussion threading."); + }); + + it("dynamically marks add_comment discussion support as disabled by default", () => { + fs.writeFileSync(configPath, JSON.stringify({ add_comment: { max: 1 } })); + fs.writeFileSync( + toolsMetaPath, + JSON.stringify({ + description_suffixes: { add_comment: " Supports reply_to_id for discussion threading." }, + repo_params: {}, + dynamic_tools: [], + }) + ); + + runScript(); + + const result = JSON.parse(fs.readFileSync(outputPath, "utf8")); + const addCommentTool = result.find((/** @type {{name: string, description: string}} */ t) => t.name === "add_comment"); + expect(addCommentTool).toBeDefined(); + expect(addCommentTool.description).toContain("Discussion comments are disabled for this workflow"); + expect(addCommentTool.description).not.toContain("Supports reply_to_id for discussion threading."); + }); }); diff --git a/actions/setup/js/safe_outputs_tools.json b/actions/setup/js/safe_outputs_tools.json index 60d9d499eb1..945df3314b3 100644 --- a/actions/setup/js/safe_outputs_tools.json 
+++ b/actions/setup/js/safe_outputs_tools.json 
@@ -247,7 +247,7 @@ }, { "name": "add_comment", - "description": "WRITE-ONCE: do NOT call this tool with empty or placeholder arguments to probe or discover its schema \u2014 the required `body` field is listed in this schema; if you are not ready to post a real comment, call `noop` instead. Adds a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission.", + "description": "WRITE-ONCE: do NOT call this tool with empty or placeholder arguments to probe or discover its schema \u2014 the required `body` field is listed in this schema; if you are not ready to post a real comment, call `noop` instead. Adds a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool does not require discussions:write permission. 
Set 'discussions: true' in the workflow's safe-outputs.add-comment configuration to enable discussion comments and request this permission.", "inputSchema": { "type": "object", "required": ["body"], diff --git a/docs/src/content/docs/specs/safe-outputs-specification.md b/docs/src/content/docs/specs/safe-outputs-specification.md index 2b7a950963b..6724cd4dcf6 100644 --- a/docs/src/content/docs/specs/safe-outputs-specification.md +++ b/docs/src/content/docs/specs/safe-outputs-specification.md @@ -2089,7 +2089,7 @@ Schema-only updates without matching agent/runtime sync updates **MUST NOT** be ```json { "name": "add_comment", - "description": "Add a comment to an existing issue, pull request, or discussion. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission.", + "description": "Add a comment to an existing issue, pull request, or discussion. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool does not require discussions:write permission. Set 'discussions: true' in the workflow's safe-outputs.add-comment configuration to enable discussion comments and request this permission.", "inputSchema": { "type": "object", "required": ["body"], 
diff --git a/pkg/workflow/add_comment.go b/pkg/workflow/add_comment.go index 1e99956d10a..e1b47243334 100644 --- a/pkg/workflow/add_comment.go +++ b/pkg/workflow/add_comment.go @@ -23,7 +23,7 @@ type AddCommentsConfig struct { AllowedReasons []string `yaml:"allowed-reasons,omitempty"` // List of allowed reasons for hiding older comments (default: all reasons allowed) Issues *bool `yaml:"issues,omitempty"` // When false, excludes issues:write permission and issues from event condition. Default (nil or true) includes issues:write. PullRequests *bool `yaml:"pull-requests,omitempty"` // When false, excludes pull-requests:write permission and PRs from event condition. Default (nil or true) includes pull-requests:write. - Discussions *bool `yaml:"discussions,omitempty"` // When false, excludes discussions:write permission. Default (nil or true) includes discussions:write. + Discussions *bool `yaml:"discussions,omitempty"` // When true, includes discussions:write permission. Default (nil or false) excludes discussions:write. Footer *string `yaml:"footer,omitempty"` // Controls whether AI-generated footer is added. When false, visible footer is omitted but XML markers are kept. } @@ -122,7 +122,7 @@ func preprocessHideOlderCommentsConfig(configData map[string]any, debugLog *logg // buildAddCommentPermissions computes the permissions for the add_comment job based on config. // Issues: nil or true → issues:write (default: true) // PullRequests: nil or true → pull-requests:write (default: true) -// Discussions: nil or true → discussions:write (default: true) +// Discussions: true → discussions:write (default: false) func buildAddCommentPermissions(config *AddCommentsConfig) *Permissions { permMap := map[PermissionScope]PermissionLevel{ PermissionContents: PermissionRead, 
@@ -133,7 +133,7 @@ func buildAddCommentPermissions(config *AddCommentsConfig) *Permissions { if config == nil || config.PullRequests == nil || *config.PullRequests { permMap[PermissionPullRequests] = PermissionWrite } - if config == nil || config.Discussions == nil || *config.Discussions { + if config != nil && config.Discussions != nil && *config.Discussions { permMap[PermissionDiscussions] = PermissionWrite } return NewPermissionsFromMap(permMap) diff --git a/pkg/workflow/add_comment_discussions_integration_test.go b/pkg/workflow/add_comment_discussions_integration_test.go index 526facde232..7f17b814b8a 100644 --- a/pkg/workflow/add_comment_discussions_integration_test.go +++ b/pkg/workflow/add_comment_discussions_integration_test.go @@ -20,7 +20,7 @@ func TestAddCommentDiscussionsFieldIntegration(t *testing.T) { shouldCompile bool }{ { - name: "discussions defaults to true - includes discussions:write", + name: "discussions defaults to false - excludes discussions:write", frontmatter: map[string]any{ "name": "Test Workflow", "engine": "copilot", @@ -28,7 +28,7 @@ func TestAddCommentDiscussionsFieldIntegration(t *testing.T) { "add-comment": map[string]any{}, }, }, - expectDiscussionsWrite: true, + expectDiscussionsWrite: false, shouldCompile: true, }, { diff --git a/pkg/workflow/compile_outputs_comment_test.go b/pkg/workflow/compile_outputs_comment_test.go index a9df3a80373..7644b1863b4 100644 --- a/pkg/workflow/compile_outputs_comment_test.go +++ b/pkg/workflow/compile_outputs_comment_test.go 
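Review bot: In `pkg/workflow/add_comment.go`, the new condition `config != nil && config.Discussions != nil && *config.Discussions` drops `discussions: write` from every workflow that left `discussions` unset, and nothing visible in this commit tells the author at compile time. A workflow that relied on the old default to comment on discussions would presumably only find out through a rejected API call at run time. The least-privilege default is the right direction; I would pair it with a compiler warning when add-comment is configured, `Discussions` is nil and the workflow is triggered by discussion events, with a message that names the opt-in `discussions: true`. The body of `buildAddCommentPermissions` starts before this hunk.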
@@ -272,8 +272,8 @@ This workflow tests the safe_outputs job generation. t.Error("Expected 45-minute timeout in safe_outputs job") } - if !strings.Contains(lockContent, "permissions:\n contents: read\n discussions: write\n issues: write\n pull-requests: write") { - t.Error("Expected correct permissions in safe_outputs job (discussions: write is always included for add-comment)") + if !strings.Contains(lockContent, "permissions:\n contents: read\n issues: write\n pull-requests: write") { + t.Error("Expected correct permissions in safe_outputs job (add-comment defaults to no discussions permission)") } // Verify the job uses github-script diff --git a/pkg/workflow/compiler_safe_outputs_config_test.go b/pkg/workflow/compiler_safe_outputs_config_test.go index e04191b7dc0..167c8ae71fb 100644 --- a/pkg/workflow/compiler_safe_outputs_config_test.go +++ b/pkg/workflow/compiler_safe_outputs_config_test.go @@ -1142,6 +1142,17 @@ func TestHandlerConfigBooleanFields(t *testing.T) { checkKey: "hide_older_comments", expected: true, }, + { + name: "add comment discussions opt-in", + safeOutputs: &SafeOutputsConfig{ + AddComments: &AddCommentsConfig{ + Discussions: boolPtr(true), + }, + }, + checkField: "add_comment", + checkKey: "discussions", + expected: true, + }, { name: "close older discussions", safeOutputs: &SafeOutputsConfig{ diff --git a/pkg/workflow/compiler_safe_outputs_job_test.go b/pkg/workflow/compiler_safe_outputs_job_test.go index fbc1c6d72be..4ca8953063b 100644 --- a/pkg/workflow/compiler_safe_outputs_job_test.go +++ b/pkg/workflow/compiler_safe_outputs_job_test.go @@ -57,7 +57,7 @@ func TestBuildConsolidatedSafeOutputsJob(t *testing.T) { }, expectedJobName: "safe_outputs", checkPermissions: true, - expectedPerms: []string{"contents: read", "issues: write", "discussions: write"}, + expectedPerms: []string{"contents: read", "issues: write", "pull-requests: write"}, }, { name: "set issue field only", 
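Review bot: In `TestBuildConsolidatedSafeOutputsJob` (`compiler_safe_outputs_job_test.go`, hunk `@@ -57,7`, and again at `@@ -97,7`), `expectedPerms` swaps `"discussions: write"` for `"pull-requests: write"`, which only states what must be present. If the table is checked with a contains-style loop (the assertion code is outside the hunk), these cases would still pass should `discussions: write` come back as a default. Since the purpose of the commit is to withhold that permission, I would add a negative assertion for these cases, in the same form `notify_comment_test.go` gains in this commit: `if strings.Contains(job.Permissions, "discussions: write") { t.Error(...) }`, with the variable name adapted to this test.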
@@ -97,7 +97,7 @@ func TestBuildConsolidatedSafeOutputsJob(t *testing.T) { }, expectedJobName: "safe_outputs", checkPermissions: true, - expectedPerms: []string{"contents: read", "issues: write", "discussions: write"}, + expectedPerms: []string{"contents: read", "issues: write", "pull-requests: write"}, }, { name: "with threat detection enabled", diff --git a/pkg/workflow/js/safe_outputs_tools.json b/pkg/workflow/js/safe_outputs_tools.json index ec317e84389..10cea9eb8f9 100644 --- a/pkg/workflow/js/safe_outputs_tools.json +++ b/pkg/workflow/js/safe_outputs_tools.json 
@@ -303,7 +303,7 @@ }, { "name": "add_comment", - "description": "WRITE-ONCE: do NOT call this tool with empty or placeholder arguments to probe or discover its schema \u2014 the required `body` field is listed in this schema; if you are not ready to post a real comment, call `noop` instead. Adds a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool requires discussions:write permission. If your GitHub App lacks Discussions permission, set 'discussions: false' in the workflow's safe-outputs.add-comment configuration to exclude this permission.", + "description": "WRITE-ONCE: do NOT call this tool with empty or placeholder arguments to probe or discover its schema \u2014 the required `body` field is listed in this schema; if you are not ready to post a real comment, call `noop` instead. Adds a comment to an existing GitHub issue, pull request, or discussion. Use this to provide feedback, answer questions, or add information to an existing conversation. For creating new items, use create_issue, create_discussion, or create_pull_request instead. IMPORTANT: Comments are subject to validation constraints enforced by the MCP server - maximum 65536 characters for the complete comment (including footer which is added automatically), 10 mentions (@username), and 50 links. Exceeding these limits will result in an immediate error with specific guidance. NOTE: By default, this tool does not require discussions:write permission. 
Set 'discussions: true' in the workflow's safe-outputs.add-comment configuration to enable discussion comments and request this permission.", "inputSchema": { "type": "object", "required": [ diff --git a/pkg/workflow/notify_comment_test.go b/pkg/workflow/notify_comment_test.go index 97fbdf5cd70..49baa287984 100644 --- a/pkg/workflow/notify_comment_test.go +++ b/pkg/workflow/notify_comment_test.go @@ -213,16 +213,16 @@ func TestConclusionJob(t *testing.T) { } // Check permissions based on what safe-outputs are configured - // When add-comment is configured, it requires issues and discussions permissions + // When add-comment is configured by default, it requires issues permission // (PR comments are issue comments, so only issues: write is needed, not pull-requests: write) // When only missing_tool/noop is configured, minimal permissions are needed if tt.addCommentConfig { - // add-comment requires issues and discussions write permissions + // add-comment requires issues write permission by default if !strings.Contains(job.Permissions, "issues: write") { t.Error("Expected 'issues: write' permission when add-comment is configured") } - if !strings.Contains(job.Permissions, "discussions: write") { - t.Error("Expected 'discussions: write' permission when add-comment is configured") + if strings.Contains(job.Permissions, "discussions: write") { + t.Error("Did not expect 'discussions: write' permission when add-comment is configured by default") } } // No need to check for specific permissions when only noop/missing_tool is configured diff --git a/pkg/workflow/safe_outputs_handler_registry.go b/pkg/workflow/safe_outputs_handler_registry.go index 2b5e28d894f..a885c27e2e6 100644 --- a/pkg/workflow/safe_outputs_handler_registry.go +++ b/pkg/workflow/safe_outputs_handler_registry.go 
@@ -41,6 +41,7 @@ var handlerRegistry = map[string]handlerBuilder{ AddIfNotEmpty("target", c.Target). AddTemplatableBool("hide_older_comments", c.HideOlderComments). AddStringSlice("hide_older_comments_match", c.HideOlderCommentsMatch). + AddBoolPtr("discussions", c.Discussions). AddIfNotEmpty("target-repo", c.TargetRepoSlug). AddTemplatableStringSlice("allowed_repos", c.AllowedRepos). AddIfNotEmpty("github-token", c.GitHubToken). diff --git a/pkg/workflow/safe_outputs_permissions_test.go b/pkg/workflow/safe_outputs_permissions_test.go index a14e2c18741..3bec6094c31 100644 --- a/pkg/workflow/safe_outputs_permissions_test.go +++ b/pkg/workflow/safe_outputs_permissions_test.go @@ -72,7 +72,7 @@ func TestComputePermissionsForSafeOutputs(t *testing.T) { }, }, { - name: "add-comment default - includes pull-requests and discussions", + name: "add-comment default - includes pull-requests, excludes discussions", safeOutputs: &SafeOutputsConfig{ AddComments: &AddCommentsConfig{ BaseSafeOutputConfig: BaseSafeOutputConfig{Max: strPtr("1")}, @@ -82,7 +82,6 @@ func TestComputePermissionsForSafeOutputs(t *testing.T) { PermissionContents: PermissionRead, PermissionIssues: PermissionWrite, PermissionPullRequests: PermissionWrite, - PermissionDiscussions: PermissionWrite, }, }, { @@ -115,7 +114,7 @@ func TestComputePermissionsForSafeOutputs(t *testing.T) { }, }, { - name: "add-comment with pull-requests:false - no pull-requests permission", + name: "add-comment with pull-requests:false - no pull-requests permission and no discussions by default", safeOutputs: &SafeOutputsConfig{ AddComments: &AddCommentsConfig{ BaseSafeOutputConfig: BaseSafeOutputConfig{Max: strPtr("1")}, 
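Review bot: `AddBoolPtr("discussions", c.Discussions)` in the `add_comment` builder of `safe_outputs_handler_registry.go` forwards the flag to the handler config, but the part of the commit visible here shows no handler-side check that consumes it. The job `permissions:` block constrains the default token, while a token passed through `github-token` a few lines below is presumably not bound by it, so the handler should itself refuse discussion targets unless `discussions` is exactly `true`, treating an absent key as disabled. A comment on the new line would record that contract, e.g. `// nil is omitted; the handler must treat a missing "discussions" key as disabled`, assuming `AddBoolPtr` skips nil pointers. The builder chain starts and ends outside this hunk.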
@@ -123,13 +122,12 @@ func TestComputePermissionsForSafeOutputs(t *testing.T) { }, }, expected: map[PermissionScope]PermissionLevel{ - PermissionContents: PermissionRead, - PermissionIssues: PermissionWrite, - PermissionDiscussions: PermissionWrite, + PermissionContents: PermissionRead, + PermissionIssues: PermissionWrite, }, }, { - name: "add-comment with issues:false - no issues permission", + name: "add-comment with issues:false - no issues permission and no discussions by default", safeOutputs: &SafeOutputsConfig{ AddComments: &AddCommentsConfig{ BaseSafeOutputConfig: BaseSafeOutputConfig{Max: strPtr("1")}, @@ -139,7 +137,6 @@ func TestComputePermissionsForSafeOutputs(t *testing.T) { expected: map[PermissionScope]PermissionLevel{ PermissionContents: PermissionRead, PermissionPullRequests: PermissionWrite, - PermissionDiscussions: PermissionWrite, }, }, {