fix: derive call-workflow job permissions from caller, not worker (#40169) #40175

Open · dsyme wants to merge 7 commits into main from fix/call-workflow-caller-permissions-40169

Conversation

dsyme (Collaborator) commented Jun 19, 2026

Fixes #40169

Problem

test-copilot-call-workflow had a startup_failure on every run. The immediate trigger was vulnerability-alerts: read appearing in the generated call-<worker> job's permissions: block.

The root cause was a design issue in buildCallWorkflowJobs: it reverse-engineered the call-<worker> job's permissions: block from the union of the worker's job-level permissions. When a worker job declared read-all, Merge() expanded it across GetAllPermissionScopes() — materializing vulnerability-alerts: read into the caller's lockfile.

Fix

The compiler no longer inflates the caller's permissions to match the worker. Callers control their own permission surface; the compiler validates (rather than rewrites) it.

  • The call-<worker> job's permissions: block is now derived from the caller's own declared permissions (data.CachedPermissions / data.Permissions).
  • extractCallWorkflowPermissions becomes a validation-only step. New helper findUncoveredWorkerPermissions compares the caller's declared permissions against the worker's requirements and emits a compiler warning when the caller is insufficient — without ever modifying the compiled permissions.

Changes

  • pkg/workflow/compiler_safe_output_jobs.go — use the caller's permissions for the call job; validate worker coverage and warn on gaps.
  • pkg/workflow/call_workflow_permissions.go — add permissionLevelRank and findUncoveredWorkerPermissions; document the validation-only role of the extraction helpers.
  • pkg/cli/workflows/test-copilot-call-workflow.md — widen the caller's declared permissions (issues: read, pull-requests: read) so it covers its worker test-copilot-noop under the new model.
  • Regenerated affected lock files (smoke-call-workflow.lock.yml, dependabot-campaign.lock.yml): the call jobs now carry the caller's permissions instead of the worker's.

Verification

  • New unit test TestFindUncoveredWorkerPermissions covers coverage, gaps, lower-level grants, nil caller/worker, and none-level scopes.
  • Updated the existing call-workflow permission tests to assert the new design (caller's permissions used; worker's not propagated).
  • Compiling the previously-failing workflow now yields 0 errors, 0 warnings, and 0 vulnerability-alerts occurrences, with the call job carrying the caller's declared permissions.

Generated by 👨‍🍳 PR Sous Chef · 58.3 AIC · ⌖ 0.958 AIC · ⊞ 17.2K ·

…0169)

buildCallWorkflowJobs previously reverse-engineered the call-<worker>
job's permissions block from the union of the worker's job-level
permissions. When a worker job declared read-all, Merge() expanded it
across GetAllPermissionScopes(), materialising vulnerability-alerts:
read into the caller's lockfile. GitHub Actions rejects that scope on
GITHUB_TOKEN, causing startup_failure on every run.

The call-<worker> job now derives its permissions block from the
caller's own declared permissions. extractCallWorkflowPermissions
becomes a validation-only step: findUncoveredWorkerPermissions compares
the caller's declared permissions against the worker's requirements and
emits a compiler warning when the caller is insufficient, without ever
modifying the compiled permissions.

- pkg/workflow/compiler_safe_output_jobs.go: use caller's permissions,
  validate worker coverage, warn on gaps
- pkg/workflow/call_workflow_permissions.go: add permissionLevelRank and
  findUncoveredWorkerPermissions helpers; document validation-only role
- pkg/cli/workflows/test-copilot-call-workflow.md: widen caller perms to
  cover its worker under the new model
- regenerated affected lock files
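The PR description and commit message above describe the new model: the call-<worker> job keeps the caller's own declared permissions, and findUncoveredWorkerPermissions only compares them against the worker's requirements and warns on gaps. The following Go program is an added illustration of that validate-don't-rewrite check; it is not the project's code. It assumes a simplified scope -> level map as the permissions type, a rank ordering of none < read < write (the project's permissionLevelRank helper may differ), and constructed caller/worker permission sets. It iterates over the worker's actual keys rather than a fixed scope list, so a scope such as copilot-requests cannot be skipped, which is the omission the review thread later flags.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Permission levels in increasing order of privilege (assumed ordering).
// "none" explicitly denies a scope; "read" is weaker than "write".
var permissionLevelRank = map[string]int{
	"none":  0,
	"read":  1,
	"write": 2,
}

// rank returns the comparable rank of a level. Unknown levels rank below
// "none" so that a typo in the caller never silently counts as coverage.
func rank(level string) int {
	if r, ok := permissionLevelRank[strings.ToLower(level)]; ok {
		return r
	}
	return -1
}

// Permissions maps a scope to a level, e.g. {"issues": "read"}. This is a
// stand-in for the project's own permissions type (assumption).
type Permissions map[string]string

// UncoveredScope describes one worker requirement the caller does not meet.
type UncoveredScope struct {
	Scope       string
	WorkerLevel string
	CallerLevel string // "" when the caller declares nothing for the scope
}

// FindUncoveredWorkerPermissions compares the caller's declared permissions
// against the worker's requirements and reports every scope where the caller
// grants less than the worker needs. It never modifies either map: the
// compiled permissions stay exactly what the caller declared. nil maps are
// valid inputs (range and lookup on a nil map are no-ops in Go).
func FindUncoveredWorkerPermissions(caller, worker Permissions) []UncoveredScope {
	var uncovered []UncoveredScope
	// Iterate over the worker's actual keys rather than a hard-coded scope
	// list, so a newly introduced scope cannot be skipped by the validator.
	for scope, workerLevel := range worker {
		if rank(workerLevel) <= rank("none") {
			continue // worker does not actually need this scope
		}
		callerLevel, declared := caller[scope]
		if !declared || rank(callerLevel) < rank(workerLevel) {
			uncovered = append(uncovered, UncoveredScope{scope, workerLevel, callerLevel})
		}
	}
	// Deterministic order so warnings are stable across compiler runs.
	sort.Slice(uncovered, func(i, j int) bool { return uncovered[i].Scope < uncovered[j].Scope })
	return uncovered
}

// WarningMessages renders uncovered scopes as compiler-style warnings.
func WarningMessages(uncovered []UncoveredScope) []string {
	msgs := make([]string, 0, len(uncovered))
	for _, u := range uncovered {
		have := u.CallerLevel
		if have == "" {
			have = "(not declared)"
		}
		msgs = append(msgs, fmt.Sprintf("warning: caller grants %s=%s but worker requires %s=%s",
			u.Scope, have, u.Scope, u.WorkerLevel))
	}
	return msgs
}

func main() {
	// Constructed sample: the caller declares only contents: read and
	// issues: write; the worker needs two scopes the caller never granted.
	caller := Permissions{"contents": "read", "issues": "write"}
	worker := Permissions{
		"contents":             "read",
		"issues":               "read",
		"pull-requests":        "read",
		"copilot-requests":     "write",
		"vulnerability-alerts": "none",
	}
	for _, m := range WarningMessages(FindUncoveredWorkerPermissions(caller, worker)) {
		fmt.Println(m)
	}
	// The caller's map is untouched: the warnings never rewrite the compiled permissions.
	fmt.Println("compiled permissions:", caller)
}
```

Run as `go run .` to see two warnings (copilot-requests and pull-requests) followed by the caller's original two-entry map, showing that the check reports gaps without ever inflating the call job's permissions.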
Copilot AI review requested due to automatic review settings June 19, 2026 00:39
github-actions Bot (Contributor) commented Jun 19, 2026

Comment Memory

CI lights the path
Green checks bloom at dawn
Quiet bots still sing

Note

This comment is managed by comment memory.

It stores persistent context for this thread in the code block at the top of this comment.
Edit only the text inside the backtick fences; workflow metadata and the footer are regenerated automatically.


Generated by 🧪 Smoke CI for issue #40175 ·

Copilot AI (Contributor) left a comment

⚠️ Not ready to approve

The new worker-coverage validator misses the valid copilot-requests permission scope, which can prevent warnings for real permission gaps and lead to runtime failures.

Pull request overview

This PR fixes a safe-outputs call-workflow compilation design flaw by ensuring the generated call-<worker> job permissions are derived from the caller workflow’s declared permissions, rather than being inflated from the worker’s job permissions. It also adds validation that compares caller vs worker requirements and emits warnings when the caller’s permissions may be insufficient—without mutating the compiled permissions.

Changes:

  • Derive call-<worker> job permissions: from the caller’s declared permissions, and validate worker coverage via warnings rather than propagating worker permissions.
  • Add permission-level comparison helpers and a new unit test for uncovered worker permissions.
  • Update the test workflow’s declared permissions and regenerate affected lock files to reflect the caller-derived model.

File summaries

  • pkg/workflow/compiler_safe_output_jobs.go: Switches call-workflow job permissions to be derived from caller permissions and adds warning-only validation against worker permissions.
  • pkg/workflow/call_workflow_permissions.go: Adds permission ranking and uncovered-scope detection helper for validation-only comparison.
  • pkg/workflow/call_workflow_permissions_test.go: Updates existing tests to assert caller-derived permissions and adds coverage for uncovered-scope detection.
  • pkg/cli/workflows/test-copilot-call-workflow.md: Expands declared permissions so the caller covers its worker under the new model.
  • .github/workflows/smoke-call-workflow.lock.yml: Regenerated to reflect caller-derived call-job permissions.
  • .github/workflows/dependabot-campaign.lock.yml: Regenerated to reflect caller-derived call-job permissions.

Copilot's findings

  • Files reviewed: 6/6 changed files
  • Comments generated: 1


Comment thread pkg/workflow/call_workflow_permissions.go
The stored frontmatter_hash/body_hash in the lock file no longer matched
the values computed by the current hash logic, causing
TestHashConsistencyAcrossLockFiles to fail. Recompiling regenerates the
hash metadata; the generated workflow body is byte-identical (only the
gh-aw-metadata comment changes).
github-actions Bot (Contributor) commented:

Generated by 👨‍🍳 PR Sous Chef · 42 AIC · ⌖ 1.36 AIC · ⊞ 17.2K ·

github-actions Bot (Contributor) commented:

@copilot review all comments and address unresolved review feedback.
Please fix the failing CGO test and then reply with the remaining blocker summary.

Generated by 👨‍🍳 PR Sous Chef · 42 AIC · ⌖ 1.36 AIC · ⊞ 17.2K ·

github-actions Bot (Contributor) commented:

@copilot review all comments and address unresolved review feedback.
Fix the uncovered copilot-requests permission warning, then rerun checks.

Generated by 👨‍🍳 PR Sous Chef · 58.3 AIC · ⌖ 0.958 AIC · ⊞ 17.2K ·

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
github-actions Bot (Contributor) commented:

@copilot review all comments and address unresolved review feedback.

Please land the remaining fix and summarize any blockers.

Generated by 👨‍🍳 PR Sous Chef · 57 AIC · ⌖ 1.09 AIC · ⊞ 17.2K ·

github-actions Bot (Contributor) commented:

Please fix the copilot-requests warning and rerun checks.

Generated by 👨‍🍳 PR Sous Chef · 57 AIC · ⌖ 1.09 AIC · ⊞ 17.2K ·

github-actions Bot (Contributor) commented:

Please fix the copilot-requests warning and rerun checks.

Generated by 👨‍🍳 PR Sous Chef · 18.8 AIC · ⌖ 1.01 AIC · ⊞ 17.2K ·

github-actions Bot (Contributor) commented:

Please refresh the branch, rerun checks, and post the remaining blocker summary.

Generated by 👨‍🍳 PR Sous Chef · 53 AIC · ⌖ 1.09 AIC · ⊞ 17.3K ·

github-actions Bot (Contributor) commented:

@copilot review all comments and address unresolved review feedback.
Please resolve the blocking review items and summarize the fix plan.

Generated by 👨‍🍳 PR Sous Chef · 53 AIC · ⌖ 1.09 AIC · ⊞ 17.3K ·

dsyme (Collaborator, Author) commented Jun 19, 2026

@copilot fix the CI errors

github-actions Bot (Contributor) commented:

@copilot review all comments and address unresolved review feedback.

Generated by 👨‍🍳 PR Sous Chef · 93.3 AIC · ⌖ 1.86 AIC · ⊞ 17.2K ·

github-actions Bot (Contributor) commented:

@copilot summarize the remaining CI failures and propose the smallest fix.

Generated by 👨‍🍳 PR Sous Chef · 93.3 AIC · ⌖ 1.86 AIC · ⊞ 17.2K ·

…ions

Co-authored-by: dsyme <7204669+dsyme@users.noreply.github.com>

Copilot AI (Contributor) commented Jun 19, 2026

@copilot fix the CI errors

Fixed in 3a7cebc. The CI failure was a build error in findUncoveredWorkerPermissions — the workerLevel, workerWants := worker.Get(scope) assignment was accidentally dropped when adding the PermissionCopilotRequests scope to the iteration. The loop now correctly calls worker.Get(scope) for every scope including copilot-requests.

Copilot finished work on behalf of dsyme June 19, 2026 20:35
github-actions Bot (Contributor) commented:

@copilot review all comments and address unresolved review feedback.

Generated by 👨‍🍳 PR Sous Chef · 41.5 AIC · ⌖ 1.12 AIC · ⊞ 17.2K ·

github-actions Bot (Contributor) commented:

Please re-review now that the CI fix is pushed and summarize any remaining blockers.

Generated by 👨‍🍳 PR Sous Chef · 41.5 AIC · ⌖ 1.12 AIC · ⊞ 17.2K ·

github-actions Bot (Contributor) commented:

@copilot review all comments and address unresolved review feedback.
Please summarize any remaining blockers and next steps.

Generated by 👨‍🍳 PR Sous Chef · 49.1 AIC · ⌖ 1.09 AIC · ⊞ 17.2K ·

github-actions Bot (Contributor) commented:

@copilot please request a fresh review so maintainers can re-evaluate the branch.

Generated by 👨‍🍳 PR Sous Chef · 38.5 AIC · ⌖ 1.02 AIC · ⊞ 17.2K ·


Development

Successfully merging this pull request may close these issues.

bug: call-workflow compiler propagates worker permissions to caller instead of checking them

3 participants