From b5dcc244fe98dcb7b0c879404c6e71fcd621a7f1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 18 Feb 2026 19:10:03 +0000 Subject: [PATCH 1/2] Initial plan From a730de3e174855e9da06135d4cc038cc7b7e75f8 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 18 Feb 2026 19:17:17 +0000 Subject: [PATCH 2/2] fix(ci): add actions:read to detection job permissions Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com> --- .github/workflows/build-test-bun.lock.yml | 3 ++- .github/workflows/build-test-cpp.lock.yml | 3 ++- .github/workflows/build-test-deno.lock.yml | 3 ++- .github/workflows/build-test-dotnet.lock.yml | 3 ++- .github/workflows/build-test-go.lock.yml | 3 ++- .github/workflows/build-test-java.lock.yml | 3 ++- .github/workflows/build-test-node.lock.yml | 3 ++- .github/workflows/build-test-rust.lock.yml | 3 ++- .../workflows/ci-cd-gaps-assessment.lock.yml | 3 ++- .github/workflows/ci-doctor.lock.yml | 3 ++- .../cli-flag-consistency-checker.lock.yml | 3 ++- .../dependency-security-monitor.lock.yml | 3 ++- .github/workflows/doc-maintainer.lock.yml | 3 ++- .../issue-duplication-detector.lock.yml | 3 ++- .github/workflows/issue-monster.lock.yml | 3 ++- .../pelis-agent-factory-advisor.lock.yml | 3 ++- .github/workflows/plan.lock.yml | 3 ++- .github/workflows/secret-digger-claude.lock.yml | 3 ++- .github/workflows/secret-digger-codex.lock.yml | 3 ++- .../workflows/secret-digger-copilot.lock.yml | 3 ++- .github/workflows/security-guard.lock.yml | 3 ++- .github/workflows/security-review.lock.yml | 3 ++- .github/workflows/smoke-chroot.lock.yml | 3 ++- .github/workflows/smoke-claude.lock.yml | 3 ++- .github/workflows/smoke-codex.lock.yml | 3 ++- .github/workflows/smoke-copilot.lock.yml | 3 ++- .../workflows/test-coverage-improver.lock.yml | 3 ++- .github/workflows/update-release-notes.lock.yml | 3 ++- scripts/ci/postprocess-smoke-workflows.ts | 17 +++++++++++++++++ 29 files changed, 73 insertions(+), 28 deletions(-) diff --git a/.github/workflows/build-test-bun.lock.yml b/.github/workflows/build-test-bun.lock.yml index 6c953d06..a972dfb0 100644 --- a/.github/workflows/build-test-bun.lock.yml 
+++ b/.github/workflows/build-test-bun.lock.yml @@ -897,7 +897,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/build-test-cpp.lock.yml b/.github/workflows/build-test-cpp.lock.yml index 34896b93..f05c8461 100644 --- a/.github/workflows/build-test-cpp.lock.yml +++ b/.github/workflows/build-test-cpp.lock.yml @@ -897,7 +897,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/build-test-deno.lock.yml b/.github/workflows/build-test-deno.lock.yml index 8aa00ece..4d06e365 100644 --- a/.github/workflows/build-test-deno.lock.yml +++ b/.github/workflows/build-test-deno.lock.yml @@ -897,7 +897,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/build-test-dotnet.lock.yml b/.github/workflows/build-test-dotnet.lock.yml index 80b9ea9d..bbafd88a 100644 --- a/.github/workflows/build-test-dotnet.lock.yml +++ b/.github/workflows/build-test-dotnet.lock.yml @@ -901,7 +901,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/build-test-go.lock.yml b/.github/workflows/build-test-go.lock.yml index d698b3a9..935a83bf 100644 
--- a/.github/workflows/build-test-go.lock.yml +++ b/.github/workflows/build-test-go.lock.yml @@ -903,7 +903,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/build-test-java.lock.yml b/.github/workflows/build-test-java.lock.yml index dcf36779..01d824de 100644 --- a/.github/workflows/build-test-java.lock.yml +++ b/.github/workflows/build-test-java.lock.yml @@ -902,7 +902,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/build-test-node.lock.yml b/.github/workflows/build-test-node.lock.yml index 4ced4b1e..aa10203a 100644 --- a/.github/workflows/build-test-node.lock.yml +++ b/.github/workflows/build-test-node.lock.yml @@ -902,7 +902,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/build-test-rust.lock.yml b/.github/workflows/build-test-rust.lock.yml index df5b16d2..219dad58 100644 --- a/.github/workflows/build-test-rust.lock.yml +++ b/.github/workflows/build-test-rust.lock.yml @@ -898,7 +898,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} 
diff --git a/.github/workflows/ci-cd-gaps-assessment.lock.yml b/.github/workflows/ci-cd-gaps-assessment.lock.yml index fbe4c616..a236a528 100644 --- a/.github/workflows/ci-cd-gaps-assessment.lock.yml +++ b/.github/workflows/ci-cd-gaps-assessment.lock.yml @@ -918,7 +918,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index ba82eeac..a1f2ee3d 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -1007,7 +1007,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/cli-flag-consistency-checker.lock.yml b/.github/workflows/cli-flag-consistency-checker.lock.yml index b5a9a24b..ab45743a 100644 --- a/.github/workflows/cli-flag-consistency-checker.lock.yml +++ b/.github/workflows/cli-flag-consistency-checker.lock.yml @@ -873,7 +873,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/dependency-security-monitor.lock.yml b/.github/workflows/dependency-security-monitor.lock.yml index 440a0b21..0b7f4868 100644 --- a/.github/workflows/dependency-security-monitor.lock.yml +++ b/.github/workflows/dependency-security-monitor.lock.yml 
@@ -1015,7 +1015,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/doc-maintainer.lock.yml b/.github/workflows/doc-maintainer.lock.yml index c85507b4..5caed11a 100644 --- a/.github/workflows/doc-maintainer.lock.yml +++ b/.github/workflows/doc-maintainer.lock.yml @@ -901,7 +901,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/issue-duplication-detector.lock.yml b/.github/workflows/issue-duplication-detector.lock.yml index 30a1a959..7ccb4105 100644 --- a/.github/workflows/issue-duplication-detector.lock.yml +++ b/.github/workflows/issue-duplication-detector.lock.yml @@ -886,7 +886,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 7b4b3a11..97b03272 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -928,7 +928,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/pelis-agent-factory-advisor.lock.yml b/.github/workflows/pelis-agent-factory-advisor.lock.yml index aaaf0111..9fe3423a 100644 
--- a/.github/workflows/pelis-agent-factory-advisor.lock.yml +++ b/.github/workflows/pelis-agent-factory-advisor.lock.yml @@ -942,7 +942,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml index 7c4d2259..7422d165 100644 --- a/.github/workflows/plan.lock.yml +++ b/.github/workflows/plan.lock.yml @@ -991,7 +991,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/secret-digger-claude.lock.yml b/.github/workflows/secret-digger-claude.lock.yml index fbae147a..2987b53d 100644 --- a/.github/workflows/secret-digger-claude.lock.yml +++ b/.github/workflows/secret-digger-claude.lock.yml @@ -985,7 +985,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-claude-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/secret-digger-codex.lock.yml b/.github/workflows/secret-digger-codex.lock.yml index 810e73fb..22bb7048 100644 --- a/.github/workflows/secret-digger-codex.lock.yml +++ b/.github/workflows/secret-digger-codex.lock.yml @@ -941,7 +941,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-codex-${{ github.workflow }}" timeout-minutes: 10 
diff --git a/.github/workflows/secret-digger-copilot.lock.yml b/.github/workflows/secret-digger-copilot.lock.yml index f9f12514..f7c65ab3 100644 --- a/.github/workflows/secret-digger-copilot.lock.yml +++ b/.github/workflows/secret-digger-copilot.lock.yml @@ -932,7 +932,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml index 93a81398..d60b6a62 100644 --- a/.github/workflows/security-guard.lock.yml +++ b/.github/workflows/security-guard.lock.yml @@ -907,7 +907,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index b947b714..6c0641dc 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -943,7 +943,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/smoke-chroot.lock.yml b/.github/workflows/smoke-chroot.lock.yml index 81014fa8..69184394 100644 --- a/.github/workflows/smoke-chroot.lock.yml +++ b/.github/workflows/smoke-chroot.lock.yml 
@@ -964,7 +964,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 89250c0e..5e88498b 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1063,7 +1063,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index 526b5cd7..ac8b3b65 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -1653,7 +1653,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 7e52d161..ecb43aa5 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -990,7 +990,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read timeout-minutes: 10 outputs: success: ${{ steps.parse_results.outputs.success }} diff --git a/.github/workflows/test-coverage-improver.lock.yml b/.github/workflows/test-coverage-improver.lock.yml index d2a6ece0..78ddda32 100644 --- a/.github/workflows/test-coverage-improver.lock.yml 
+++ b/.github/workflows/test-coverage-improver.lock.yml @@ -969,7 +969,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/.github/workflows/update-release-notes.lock.yml b/.github/workflows/update-release-notes.lock.yml index 4bf701a2..0f85acb1 100644 --- a/.github/workflows/update-release-notes.lock.yml +++ b/.github/workflows/update-release-notes.lock.yml @@ -901,7 +901,8 @@ jobs: needs: agent if: needs.agent.outputs.output_types != '' || needs.agent.outputs.has_patch == 'true' runs-on: ubuntu-latest - permissions: {} + permissions: + actions: read concurrency: group: "gh-aw-copilot-${{ github.workflow }}" timeout-minutes: 10 diff --git a/scripts/ci/postprocess-smoke-workflows.ts b/scripts/ci/postprocess-smoke-workflows.ts index 8cf3a2df..7c92889e 100644 --- a/scripts/ci/postprocess-smoke-workflows.ts +++ b/scripts/ci/postprocess-smoke-workflows.ts @@ -94,6 +94,12 @@ const shallowDepthRegex = /^(\s+)depth: 1\n/gm; // instead of pre-built GHCR images that may be stale. const imageTagRegex = /--image-tag\s+[0-9.]+\s+--skip-pull/g; +// Fix detection job permissions: the compiler generates `permissions: {}` but +// the detection job needs `actions: read` to download artifacts from the agent job. +// Match only the detection job's permissions (indented under ` detection:`), not +// the workflow-level `permissions: {}`. +const detectionPermissionsRegex = /^( detection:\n(?: .+\n)*?) permissions: \{\}/m; + for (const workflowPath of workflowPaths) { let content = fs.readFileSync(workflowPath, 'utf-8'); let modified = false; 
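Review bot: The `(?: .+\n)*?` run in `detectionPermissionsRegex` accepts any line that begins with a space, and since job keys are themselves indented under `jobs:` (the comment above the regex says `detection:` is), the lazy scan is free to walk past the end of the detection job into the next job and rewrite that job's `permissions: {}` instead whenever the detection job has no `permissions: {}` of its own — for example after the script has already been applied once, or if the compiler starts emitting explicit permissions there. Because the result is a silent widening of a different job's token, the scan should be bounded to lines indented more deeply than the job key, roughly `/^( {2}detection:\n(?: {4}.+\n)*?) {4}permissions: \{\}/m` with the widths adjusted to the lock files' actual indentation, which is collapsed in this view. A short comment stating that invariant would also help, e.g. `// Every line consumed here must be deeper than the job key so we cannot cross into the next job.`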
@@ -139,6 +145,17 @@ for (const workflowPath of workflowPaths) { console.log(` Replaced ${imageTagMatches.length} --image-tag/--skip-pull with --build-local`); } + // Fix detection job permissions: add actions: read for artifact downloads + const detectionMatch = content.match(detectionPermissionsRegex); + if (detectionMatch) { + content = content.replace( + detectionPermissionsRegex, + '$1 permissions:\n actions: read' + ); + modified = true; + console.log(` Fixed detection job permissions (added actions: read)`); + } + if (modified) { fs.writeFileSync(workflowPath, content); console.log(`Updated ${workflowPath}`);
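Review bot: The `if (detectionMatch)` branch treats "no match" as nothing to do, so a lock file that contains a `detection:` job whose permissions were not found in the expected shape (already rewritten, or a layout change in the compiler output) is skipped without any signal, and the two evaluations of the regex (`match` then `replace`) give no feedback about which job was actually edited. Since this step is the one that widens a job's `GITHUB_TOKEN`, I would make the outcome explicit: detect the job header separately (`/^ {2}detection:$/m`, width to taste) and when it is present but the permissions line did not match, either log a clear warning or `throw new Error(`${workflowPath}: detection job found but permissions: {} not matched`)`, so a silent no-op cannot hide a drift between the compiler and this post-processor. It is also worth noting in the added comment that the committed `.lock.yml` files now differ from raw `gh aw compile` output, so reviewers auditing the workflow source will not see `actions: read` there.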