Add discussions permission to GitHub App token for safe-outputs

[Copilot]

GitHub App tokens were missing permission-discussions: write, causing "Create discussion requires permissions discussions write" errors when workflows used safe-outputs.create-discussion with GitHub App authentication.

Changes

pkg/workflow/safe_outputs_app.go

• Added discussions permission mapping in convertPermissionsToAppTokenFields():

  if level, ok := permissions.Get(PermissionDiscussions); ok {
      fields["permission-discussions"] = string(level)
  }

• Removed incorrect comment claiming discussions permissions aren't supported by GitHub Apps

pkg/workflow/safe_outputs_app_test.go

• Added TestSafeOutputsAppTokenDiscussionsPermission to verify discussions permission appears in generated GitHub App token step

Compiled workflows

• Recompiled workflows now include permission-discussions: write in GitHub App token minting steps when needed

Example

Before this fix, workflows with:

safe-outputs:
  create-discussion:
  app:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}

Would generate GitHub App token steps missing the discussions permission, causing runtime failures. Now the permission is correctly included:

- name: Generate GitHub App token
  uses: actions/create-github-app-token@...
  with:
    permission-contents: read
    permission-discussions: write  # ← Now included

Note on actions/create-github-app-token Support

While issue #307 indicates that permission-discussions is not in the action's documented input list, this fix applies the permission parameter anyway. The GitHub App itself must have Discussions permission granted in its settings for this to work properly.

Original prompt

Reference: https://github.com/githubnext/gh-aw/actions/runs/20474207468/job/58835675532#step:7:1

Create discussion requires permissions discussions write

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[pelikhan]

@copilot review the source code of actions/create-github-app-token and check that discussions are supported.

[Copilot]

@copilot review the source code of actions/create-github-app-token and check that discussions are supported.

After reviewing the source code of actions/create-github-app-token, I found that permission-discussions is not supported by the action. The action only supports permission-team-discussions (for team discussions), not repository discussions.

This is confirmed by issue #307 where someone tried to use it and got a warning about unexpected input.

Root cause: The error "Create discussion requires permissions discussions write" occurs because the GitHub App itself doesn't have Discussions permission granted in its settings, not because the workflow is missing a permission parameter.

Solution: The GitHub App needs to be configured directly in GitHub settings:

1. Go to the GitHub App settings
2. Grant "Discussions: Read & Write" permission under Repository permissions
3. Users will need to approve the new permission

I've reverted my changes in commit b2d6d6c since the previous fix would have caused warnings/failures.

[pelikhan]

@copilot merge main

[Copilot]

@copilot merge main

Merged main branch successfully in commit 79aefeb. The merge completed with no conflicts and all tests pass.

[pelikhan]

@copilot re-apply original fix

[Copilot]

@copilot re-apply original fix

Re-applied the original fix in commit 4399a40. The changes add permission-discussions mapping in convertPermissionsToAppTokenFields() and all workflows have been recompiled to include the permission. All tests pass.