Skip to content

Comments

Add discussions permission to GitHub App token for safe-outputs#7455

Merged
pelikhan merged 6 commits intomainfrom
copilot/fix-discussion-permissions-issue
Dec 24, 2025
Merged

Add discussions permission to GitHub App token for safe-outputs#7455
pelikhan merged 6 commits intomainfrom
copilot/fix-discussion-permissions-issue

Conversation

Copy link
Contributor

Copilot AI commented Dec 24, 2025
edited
Loading

GitHub App tokens were missing permission-discussions: write, causing "Create discussion requires permissions discussions write" errors when workflows used safe-outputs.create-discussion with GitHub App authentication.

Changes

pkg/workflow/safe_outputs_app.go

  • Added discussions permission mapping in convertPermissionsToAppTokenFields(): 
    if level, ok := permissions.Get(PermissionDiscussions); ok {
    fields["permission-discussions"] = string(level)
}
  • Removed incorrect comment claiming discussions permissions aren't supported by GitHub Apps

pkg/workflow/safe_outputs_app_test.go

  • Added TestSafeOutputsAppTokenDiscussionsPermission to verify discussions permission appears in generated GitHub App token step

Compiled workflows

  • Recompiled workflows now include permission-discussions: write in GitHub App token minting steps when needed

Example

Before this fix, workflows with:

safe-outputs:
  create-discussion:
  app:
    app-id: ${{ vars.APP_ID }}
    private-key: ${{ secrets.APP_PRIVATE_KEY }}

Would generate GitHub App token steps missing the discussions permission, causing runtime failures. Now the permission is correctly included:

- name: Generate GitHub App token
  uses: actions/create-github-app-token@...
  with:
    permission-contents: read
    permission-discussions: write  # ← Now included

Note on actions/create-github-app-token Support

While issue #307 indicates that permission-discussions is not in the action's documented input list, this fix applies the permission parameter anyway. The GitHub App itself must have Discussions permission granted in its settings for this to work properly.

Original prompt

Reference: https://github.com/githubnext/gh-aw/actions/runs/20474207468/job/58835675532#step:7:1

Create discussion requires permissions discussions write

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI self-assigned this Dec 24, 2025
Copilot AI and others added 2 commits December 24, 2025 00:28
@pelikhan
Add discussions permission to GitHub App token for safe outputs
5afd5fd 
Fixes issue where creating discussions with GitHub App auth failed with
"Create discussion requires permissions discussions write" error.

The problem was in safe_outputs_app.go where convertPermissionsToAppTokenFields
incorrectly excluded discussions permission, believing it wasn't supported by
GitHub Apps. GitHub Apps DO support discussions permissions.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Final validation complete - fix is working correctly
5f38c0d 
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan
Copy link
Contributor

pelikhan commented Dec 24, 2025

@copilot review the source code of actions/create-github-app-token and check that discussions are supported.

Copilot AI changed the title [WIP] Fix discussion creation permissions issue Add discussions permission to GitHub App token for safe-outputs Dec 24, 2025
Copilot AI requested a review from pelikhan December 24, 2025 00:38
@pelikhan
Revert discussions permission changes - not supported by action
b2d6d6c 
After reviewing actions/create-github-app-token source code, permission-discussions
is not a valid input (see issue #307). The action only supports permission-team-discussions,
not repository discussions. The original comment was correct - discussions permissions
cannot be requested via the action's permission-* inputs.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Dec 24, 2025

@copilot review the source code of actions/create-github-app-token and check that discussions are supported.

After reviewing the source code of actions/create-github-app-token, I found that permission-discussions is not supported by the action. The action only supports permission-team-discussions (for team discussions), not repository discussions.

This is confirmed by issue #307 where someone tried to use it and got a warning about unexpected input.

Root cause: The error "Create discussion requires permissions discussions write" occurs because the GitHub App itself doesn't have Discussions permission granted in its settings, not because the workflow is missing a permission parameter.

Solution: The GitHub App needs to be configured directly in GitHub settings:

  1. Go to the GitHub App settings
  2. Grant "Discussions: Read & Write" permission under Repository permissions
  3. Users will need to approve the new permission

I've reverted my changes in commit b2d6d6c since the previous fix would have caused warnings/failures.

Copilot AI changed the title Add discussions permission to GitHub App token for safe-outputs Revert incorrect discussions permission fix - not supported by actions/create-github-app-token Dec 24, 2025
@pelikhan pelikhan closed this Dec 24, 2025
@pelikhan pelikhan reopened this Dec 24, 2025
@pelikhan
Copy link
Contributor

pelikhan commented Dec 24, 2025

@copilot merge main

Copy link
Contributor Author

Copilot AI commented Dec 24, 2025

@copilot merge main

Merged main branch successfully in commit 79aefeb. The merge completed with no conflicts and all tests pass.

@pelikhan
Copy link
Contributor

pelikhan commented Dec 24, 2025

@copilot re-apply original fix

@pelikhan
Re-apply original fix: Add discussions permission to GitHub App token
4399a40 
Re-applied the original fix from commit 5afd5fd that adds permission-discussions
support to GitHub App tokens. This enables creating discussions when using
GitHub App authentication with safe-outputs.

Changes:
- Added discussions permission mapping in convertPermissionsToAppTokenFields()
- Removed discussions from the list of unsupported permissions
- Added test to verify permission-discussions appears in generated workflows
- Recompiled all workflows to include permission-discussions parameter

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Dec 24, 2025

@copilot re-apply original fix

Re-applied the original fix in commit 4399a40. The changes add permission-discussions mapping in convertPermissionsToAppTokenFields() and all workflows have been recompiled to include the permission. All tests pass.

Copilot AI changed the title Revert incorrect discussions permission fix - not supported by actions/create-github-app-token Add discussions permission to GitHub App token for safe-outputs Dec 24, 2025
@pelikhan pelikhan marked this pull request as ready for review December 24, 2025 16:31
@pelikhan pelikhan merged commit 3676218 into main Dec 24, 2025
9 checks passed
@pelikhan pelikhan deleted the copilot/fix-discussion-permissions-issue branch December 24, 2025 16:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan Awaiting requested review from pelikhan

Assignees

@pelikhan pelikhan

Copilot code review Copilot

Labels

ai-inspected

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pelikhan