Consolidate copilot-requests: write permission checks on Permissions#44650
Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
copilot-requests: write permission checks on Permissions
|
✅ PR Code Quality Reviewer completed the code quality review. |
|
✅ Design Decision Gate 🏗️ completed the design decision gate check. |
|
🧠 Matt Pocock Skills Reviewer has completed the skills-based review. ✅ |
|
✅ Test Quality Sentinel completed test quality analysis. |
There was a problem hiding this comment.
Clean, well-scoped refactor. The nil guard on HasCopilotRequestsWrite() is correct, the shouldEmitCopilotRequestsEnableTip semantics are preserved (existing explicit-none early return still fires before the helper), and test coverage addresses all meaningful cases. No blocking issues.
🧵 Reviewed using Impeccable skills by Impeccable Skills Reviewer · 9.63 AIC · ⌖ 5.37 AIC · ⊞ 4.8K
There was a problem hiding this comment.
Clean consolidation. Logic equivalence verified for all three call sites — the explicit PermissionNone early-return guard in shouldEmitCopilotRequestsEnableTip is preserved, nil safety is properly handled by the new method. Test coverage is thorough.
🔎 Code quality review by PR Code Quality Reviewer · 10 AIC · ⌖ 4.28 AIC · ⊞ 5.4K
Comment /review to run again
There was a problem hiding this comment.
Pull request overview
This pull request consolidates the copilot-requests: write permission gate into a single (*Permissions).HasCopilotRequestsWrite() helper so workflow execution, compiler tip emission, and CLI secret detection all share the same permission-resolution logic (including nil-safe handling).
Changes:
- Added
(*Permissions).HasCopilotRequestsWrite()and routed workflow-level checks through it. - Updated compiler tip gating to use the shared helper while keeping the explicit
copilot-requests: noneoverride behavior. - Updated CLI workflow secret detection to use the shared helper, and added focused unit tests covering shorthand/explicit/nil/override cases.
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/permissions_operations.go | Adds HasCopilotRequestsWrite() and reuses it from the workflow permission gate. |
| pkg/workflow/permissions_operations_test.go | Adds unit tests for HasCopilotRequestsWrite() across shorthand, explicit, nil, and override scenarios. |
| pkg/workflow/permissions_compiler_validator.go | Switches Copilot enablement tip logic to use HasCopilotRequestsWrite() (retaining explicit none suppression). |
| pkg/workflow/compiler_validators_test.go | Adds validator-level tests to ensure the Copilot enablement tip emits/suppresses under the expected permission conditions. |
| pkg/cli/workflow_secrets.go | Routes CLI secret requirement filtering through HasCopilotRequestsWrite() after frontmatter parsing. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 5/5 changed files
- Comments generated: 0
- Review effort level: Low
There was a problem hiding this comment.
Skills-Based Review 🧠
Applied /codebase-design — approving with one minor observation.
📋 Key Themes & Highlights
Key Themes
- Deep module:
HasCopilotRequestsWrite()centralises the check correctly and handles nil safely — a good deepening move. - Consistent pattern: follows the same shape as the existing
HasContentsReadAccess(). - Semantic equivalence preserved: the
shouldEmitCopilotRequestsEnableTiprefactor keeps the explicit-noneguard before delegating to the new helper, so the logic is unchanged.
Positive Highlights
- ✅ Nil-receiver guard in
HasCopilotRequestsWrite()makes callers simpler. - ✅ New tests cover nil, shorthand write-all, read-all, explicit write, explicit none, and the override case — solid specification coverage.
- ✅ The unexported
hasCopilotRequestsWritePermissionwrapper stays separate and correctly handles theCachedPermissionsfallback concern.
Minor Observation
The new TestPermissions_HasCopilotRequestsWrite test uses bare t.Errorf while the sibling TestShouldEmitCopilotRequestsEnableTip (added in the same PR) uses assert.Equal. Not blocking, but aligning both to assert.Equal would match the project's dominant style.
🧠 Reviewed using Matt Pocock's skills by Matt Pocock Skills Reviewer · 17.8 AIC · ⌖ 4.39 AIC · ⊞ 6.6K
Comment /matt to run again
🧪 Test Quality Sentinel Report✅ Test Quality Score: 95/100 — Excellent
📊 Metrics (2 tests)
Both tests are table-driven and cover nil inputs, positive paths, and explicit-override edge cases (e.g., Verdict
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Design Decision Gate - ADR RequiredThis PR makes significant changes to core business logic (134 new lines in Draft ADR committed: This PR cannot merge until an ADR is linked in the PR body. What to do next
Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision. Why ADRs MatterADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you. Michael Nygard ADR Format ReferenceAn ADR must contain these four sections to be considered complete:
All ADRs are stored in
|
|
🎉 This pull request is included in a new release. Release: |
The
copilot-requests: writegate was implemented three times across workflow and CLI paths, with each call site re-deriving the samePermissionslookup. This change moves the check onto*Permissionsso all callers share one source of truth for Copilot token-auth enablement.Shared permission helper
(*Permissions).HasCopilotRequestsWrite()to centralize thecopilot-requests: writecheck, including safe nil handling.Call site consolidation
noneoverride behavior.Coverage