github · pelikhan · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025 · Dec 24, 2025
diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml
diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml
diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml
diff --git a/.github/workflows/issue-classifier.lock.yml b/.github/workflows/issue-classifier.lock.yml
diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml
diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml
diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml
diff --git a/pkg/workflow/safe_outputs_app.go b/pkg/workflow/safe_outputs_app.go
@@ -218,9 +218,11 @@ func convertPermissionsToAppTokenFields(permissions *Permissions) map[string]str
 	if level, ok := permissions.Get(PermissionOrganizationProj); ok {
 		fields["permission-organization-projects"] = string(level)
 	}
+	if level, ok := permissions.Get(PermissionDiscussions); ok {
+		fields["permission-discussions"] = string(level)
+	}
 
 	// Note: The following GitHub Actions permissions do NOT have GitHub App equivalents:
-	// - discussions (no GitHub App permission for this)
 	// - models (no GitHub App permission for this)
 	// - id-token (not applicable to GitHub Apps)
 	// - attestations (no GitHub App permission for this)

diff --git a/pkg/workflow/safe_outputs_app_test.go b/pkg/workflow/safe_outputs_app_test.go
@@ -204,3 +204,46 @@ Test workflow without safe outputs.
 	require.NoError(t, err, "Failed to parse markdown content")
 	assert.Nil(t, workflowData.SafeOutputs, "SafeOutputs should be nil")
 }
+
+// TestSafeOutputsAppTokenDiscussionsPermission tests that discussions permission is included
+func TestSafeOutputsAppTokenDiscussionsPermission(t *testing.T) {
+	compiler := NewCompiler(false, "", "1.0.0")
+
+	markdown := `---
+on: issues
+safe-outputs:
+  create-discussion:
+    category: "General"
+  app:
+    app-id: ${{ vars.APP_ID }}
+    private-key: ${{ secrets.APP_PRIVATE_KEY }}
+---
+
+# Test Workflow
+
+Test workflow with discussions permission.
+`
+
+	// Create a temporary test file
+	tmpDir := t.TempDir()
+	testFile := filepath.Join(tmpDir, "test.md")
+	err := os.WriteFile(testFile, []byte(markdown), 0644)
+	require.NoError(t, err, "Failed to write test file")
+
+	workflowData, err := compiler.ParseWorkflowFile(testFile)
+	require.NoError(t, err, "Failed to parse markdown content")
+	require.NotNil(t, workflowData.SafeOutputs, "SafeOutputs should not be nil")
+	require.NotNil(t, workflowData.SafeOutputs.CreateDiscussions, "CreateDiscussions should not be nil")
+
+	// Build the consolidated safe_outputs job
+	job, _, err := compiler.buildConsolidatedSafeOutputsJob(workflowData, "main", testFile)
+	require.NoError(t, err, "Failed to build safe_outputs job")
+	require.NotNil(t, job, "Job should not be nil")
+
+	// Convert steps to string for easier assertion
+	stepsStr := strings.Join(job.Steps, "")
+
+	// Verify that permission-discussions: write is included in the GitHub App token minting step
+	assert.Contains(t, stepsStr, "permission-discussions: write", "GitHub App token should include discussions write permission")
+	assert.Contains(t, stepsStr, "permission-contents: read", "GitHub App token should include contents read permission")
+}