From ff482901d926a2c9a96ecbaa0e223b8bb6f48bfe Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 4 Jul 2026 04:20:02 +0000 Subject: [PATCH 1/2] Initial plan From 2c0adce8591002c1c6a4990b18f1a7b895793af6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 4 Jul 2026 04:30:37 +0000 Subject: [PATCH 2/2] Fix all:read expansion to skip id-token in Set path Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --- pkg/workflow/permissions_operations.go | 4 ++++ pkg/workflow/permissions_operations_test.go | 9 +++++++++ 2 files changed, 13 insertions(+) diff --git a/pkg/workflow/permissions_operations.go b/pkg/workflow/permissions_operations.go index 9ab13e79c65..893e7727a5a 100644 --- a/pkg/workflow/permissions_operations.go +++ b/pkg/workflow/permissions_operations.go @@ -177,6 +177,10 @@ func (p *Permissions) Set(scope PermissionScope, level PermissionLevel) { // Expand all permissions to explicit permissions first for _, s := range GetAllPermissionScopes() { if _, exists := p.permissions[s]; !exists { + // id-token does not support the read level + if s == PermissionIdToken && p.allLevel == PermissionRead { + continue + } p.permissions[s] = p.allLevel } } diff --git a/pkg/workflow/permissions_operations_test.go b/pkg/workflow/permissions_operations_test.go index 8fdbc3d9601..f29f2d84cbd 100644 --- a/pkg/workflow/permissions_operations_test.go +++ b/pkg/workflow/permissions_operations_test.go @@ -88,6 +88,15 @@ func TestPermissionsSet(t *testing.T) { if !exists || level != PermissionWrite { t.Errorf("expected issues: write, got %v (exists: %v)", level, exists) } + + p3 := NewPermissionsAllRead() + p3.Set(PermissionCopilotRequests, PermissionWrite) + if _, exists := p3.Get(PermissionIdToken); exists { + t.Error("expected id-token to be excluded when converting all: read to explicit map") + } + if yaml := p3.RenderToYAML(); strings.Contains(yaml, "id-token: read") { + t.Errorf("RenderToYAML() should not contain id-token: read, got:\n%s", yaml) + } } // TestPermissionsSetPreservesShorthandPermissions verifies that calling Set() on a Permissions