## Summary

When using GitHub App auth for `tools.github` with least-privilege workflow permissions, the compiled workflow narrows the app token to `contents`, `pull-requests`, and `security-events` read.

Dependabot alert reads then fail with:

```
403 Resource not accessible by integration
```

on `GET /repos/{owner}/{repo}/dependabot/alerts`.
## Impact

- `github-list_dependabot_alerts` fails in agent runs
- CodeQL (`list_code_scanning_alerts`) can still succeed
- Security remediation workflows fail preflight even though the app installation has Dependabot access
## Reproduction

1. Configure a workflow with:
   - `tools.github.app` (GitHub App auth)
   - toolsets including `dependabot` and `code_security`
   - least-privilege permissions (`contents: read`, `pull-requests: read`, `security-events: read`)
2. Compile and run the workflow.
3. Observe:
   - `github-list_dependabot_alerts` -> 403
   - `github-list_code_scanning_alerts` -> success
## Actual

The compiled lockfile's token mint step includes:

```yaml
permission-contents: read
permission-pull-requests: read
permission-security-events: read
```

There is no `dependabot-alerts` permission.
## Expected

If the `dependabot` toolset is enabled, token narrowing should also request Dependabot alerts read permission.
## Root Cause

The current permission mapping/token narrowing does not include a Dependabot-specific permission when the `dependabot` toolset is used.
## Proposed Fix

Add the Dependabot alerts permission to narrowed GitHub App token generation when the `dependabot` toolset is active, e.g.:

```yaml
permission-dependabot-alerts: read
```

(or the equivalent supported permission key).

Also update the frontmatter/compiler schema so least-privilege workflows can explicitly declare Dependabot alerts read without requiring broader-permission workarounds.
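As an added Go sketch (not the project's compiler code) of the mapping this fix describes: the token-mint inputs are derived from the declared permissions plus whatever each enabled toolset requires, and a preflight check names the missing input before any API call is made instead of surfacing as a mid-run 403. `toolsetPermissions`, `NarrowToken`, `Preflight` and the `permission-dependabot-alerts` key are assumptions, the key taken from this issue's proposal rather than a verified input name.

```go
package main

import "fmt"

// toolsetPermissions maps an enabled toolset to the token-mint input it needs;
// "permission-dependabot-alerts" is the name this issue proposes (assumption).
var toolsetPermissions = map[string]map[string]string{
	"dependabot":    {"permission-dependabot-alerts": "read"},
	"code_security": {"permission-security-events": "read"},
}

// NarrowToken builds the token-mint inputs from the declared permissions; includeToolsets
// false reproduces the current behaviour, true applies the proposed fix (never downgrading a write).
func NarrowToken(declared map[string]string, toolsets []string, includeToolsets bool) map[string]string {
	out := map[string]string{}
	for name, level := range declared {
		out["permission-"+name] = level
	}
	if includeToolsets {
		for _, ts := range toolsets {
			for key, level := range toolsetPermissions[ts] {
				if out[key] != "write" {
					out[key] = level
				}
			}
		}
	}
	return out
}

// Preflight names each toolset (in the order given) whose required input is absent from
// the minted token, so a run can fail early with a clear message instead of a mid-run 403.
func Preflight(toolsets []string, minted map[string]string) []string {
	var missing []string
	for _, ts := range toolsets {
		for key := range toolsetPermissions[ts] {
			if _, ok := minted[key]; !ok {
				missing = append(missing, ts+" needs "+key)
			}
		}
	}
	return missing
}

func main() {
	declared := map[string]string{"contents": "read", "pull-requests": "read", "security-events": "read"}
	toolsets := []string{"dependabot", "code_security"}
	fmt.Println("current:", Preflight(toolsets, NarrowToken(declared, toolsets, false)))
	fmt.Println("fixed:  ", Preflight(toolsets, NarrowToken(declared, toolsets, true)))
}
```

Running it with the issue's three declared permissions prints one missing entry for the current behaviour and none once the toolset mapping is applied.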