github · Copilot · Feb 18, 2026 · Feb 18, 2026
diff --git a/.github/workflows/build-test-bun.lock.yml b/.github/workflows/build-test-bun.lock.yml
diff --git a/.github/workflows/build-test-cpp.lock.yml b/.github/workflows/build-test-cpp.lock.yml
diff --git a/.github/workflows/build-test-deno.lock.yml b/.github/workflows/build-test-deno.lock.yml
diff --git a/.github/workflows/build-test-dotnet.lock.yml b/.github/workflows/build-test-dotnet.lock.yml
diff --git a/.github/workflows/build-test-go.lock.yml b/.github/workflows/build-test-go.lock.yml
diff --git a/.github/workflows/build-test-java.lock.yml b/.github/workflows/build-test-java.lock.yml
diff --git a/.github/workflows/build-test-node.lock.yml b/.github/workflows/build-test-node.lock.yml
diff --git a/.github/workflows/build-test-rust.lock.yml b/.github/workflows/build-test-rust.lock.yml
diff --git a/.github/workflows/ci-cd-gaps-assessment.lock.yml b/.github/workflows/ci-cd-gaps-assessment.lock.yml
diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml
diff --git a/.github/workflows/cli-flag-consistency-checker.lock.yml b/.github/workflows/cli-flag-consistency-checker.lock.yml
diff --git a/.github/workflows/dependency-security-monitor.lock.yml b/.github/workflows/dependency-security-monitor.lock.yml
diff --git a/.github/workflows/doc-maintainer.lock.yml b/.github/workflows/doc-maintainer.lock.yml
diff --git a/.github/workflows/issue-duplication-detector.lock.yml b/.github/workflows/issue-duplication-detector.lock.yml
diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml
diff --git a/.github/workflows/pelis-agent-factory-advisor.lock.yml b/.github/workflows/pelis-agent-factory-advisor.lock.yml
diff --git a/.github/workflows/plan.lock.yml b/.github/workflows/plan.lock.yml
diff --git a/.github/workflows/secret-digger-claude.lock.yml b/.github/workflows/secret-digger-claude.lock.yml
diff --git a/.github/workflows/secret-digger-codex.lock.yml b/.github/workflows/secret-digger-codex.lock.yml
diff --git a/.github/workflows/secret-digger-copilot.lock.yml b/.github/workflows/secret-digger-copilot.lock.yml
diff --git a/.github/workflows/security-guard.lock.yml b/.github/workflows/security-guard.lock.yml
diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml
diff --git a/.github/workflows/smoke-chroot.lock.yml b/.github/workflows/smoke-chroot.lock.yml
diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml
diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
diff --git a/.github/workflows/test-coverage-improver.lock.yml b/.github/workflows/test-coverage-improver.lock.yml
diff --git a/.github/workflows/update-release-notes.lock.yml b/.github/workflows/update-release-notes.lock.yml
diff --git a/scripts/ci/postprocess-smoke-workflows.ts b/scripts/ci/postprocess-smoke-workflows.ts
@@ -94,6 +94,12 @@ const shallowDepthRegex = /^(\s+)depth: 1\n/gm;
 // instead of pre-built GHCR images that may be stale.
 const imageTagRegex = /--image-tag\s+[0-9.]+\s+--skip-pull/g;
 
+// Fix detection job permissions: the compiler generates `permissions: {}` but
+// the detection job needs `actions: read` to download artifacts from the agent job.
+// Match only the detection job's permissions (indented under `  detection:`), not
+// the workflow-level `permissions: {}`.
+const detectionPermissionsRegex = /^(  detection:\n(?:    .+\n)*?)    permissions: \{\}/m;
+
 for (const workflowPath of workflowPaths) {
   let content = fs.readFileSync(workflowPath, 'utf-8');
   let modified = false;
@@ -139,6 +145,17 @@ for (const workflowPath of workflowPaths) {
     console.log(`  Replaced ${imageTagMatches.length} --image-tag/--skip-pull with --build-local`);
   }
 
+  // Fix detection job permissions: add actions: read for artifact downloads
+  const detectionMatch = content.match(detectionPermissionsRegex);
+  if (detectionMatch) {
+    content = content.replace(
+      detectionPermissionsRegex,
+      '$1    permissions:\n      actions: read'
+    );
+    modified = true;
+    console.log(`  Fixed detection job permissions (added actions: read)`);
+  }
+
   if (modified) {
     fs.writeFileSync(workflowPath, content);
     console.log(`Updated ${workflowPath}`);