[plan] Add missing permissions to test workflows #5871

@github-actions

Objective

Add missing GitHub API permissions to 4 test workflows to prevent runtime permission errors.

Context

Severity: Warning
Tool: actionlint
Issue: Missing required permissions for github toolsets
Affected Workflows:

  • firewall-escape
  • smoke-srt-custom-config
  • smoke-srt
  • test-discussion-expires

These workflows may fail at runtime when they attempt GitHub API operations without the necessary permissions.

Approach

  1. Examine each workflow to understand what GitHub operations it performs
  2. Identify which toolsets are being used (likely github MCP server)
  3. Add the appropriate permissions to each workflow's frontmatter
  4. Recompile all affected workflows
  5. Verify with actionlint

Files to Modify

  • Edit: .github/workflows/firewall-escape.md
  • Edit: .github/workflows/smoke-srt-custom-config.md
  • Edit: .github/workflows/smoke-srt.md
  • Edit: .github/workflows/test-discussion-expires.md
  • Generated: Corresponding .lock.yml files (via recompile)

Common Permission Patterns

---
# In workflow frontmatter
permissions:
  contents: read      # Basic repository access
  issues: write       # If creating/modifying issues
  discussions: write  # If working with discussions (test-discussion-expires likely needs this)
  pull-requests: read # If reading PRs
---

Investigation Steps

  1. For each workflow, identify what GitHub API calls it makes:
    • Does it create/read issues?
    • Does it work with discussions?
    • Does it access repository contents?
    • Does it create/modify PRs?
  2. Map operations to required permissions
  3. Add minimal necessary permissions to frontmatter

Acceptance Criteria

  • Each workflow analyzed for required GitHub API operations
  • Appropriate permissions added to all 4 workflow source files
  • All workflows recompiled with make recompile
  • Actionlint shows no missing-permissions warnings
  • Workflows execute successfully without permission errors
  • No excessive permissions granted (follow least privilege)

Why This Matters

AI generated by Plan Command for discussion #5845
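
The least-privilege check described in the investigation steps and acceptance criteria, as an added example that is not part of the original issue or the project's tooling. The operation labels, the `audit` helper and the sample frontmatter are assumptions made for illustration; the scope names and levels come from the "Common Permission Patterns" block above.

```python
import re

# Operation labels are hypothetical; scopes and levels follow the issue's pattern block.
REQUIRED = {
    "read_contents": ("contents", "read"),
    "write_issues": ("issues", "write"),
    "write_discussions": ("discussions", "write"),
    "read_pull_requests": ("pull-requests", "read"),
}
RANK = {"none": 0, "read": 1, "write": 2}

def parse_permissions(markdown):
    """Return {scope: level} from the permissions: map in the frontmatter."""
    lines = markdown.splitlines()
    if not lines or lines[0].strip() != "---":
        return {}
    perms, inside = {}, False
    for line in lines[1:]:
        if line.strip() == "---":
            break
        line = line.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line:
            continue
        if not line[0].isspace():  # a top-level key starts or ends the block
            inside = line == "permissions:"
            continue
        m = re.match(r"\s+([\w-]+):\s*(\w+)$", line)
        if inside and m:
            perms[m.group(1)] = m.group(2)
    return perms

def audit(markdown, operations):
    """Return (missing, excessive) scope maps for the given operations."""
    granted = parse_permissions(markdown)
    needed = {}
    for op in operations:
        scope, level = REQUIRED[op]
        if RANK[level] > RANK[needed.get(scope, "none")]:
            needed[scope] = level
    # A scope left out of a permissions block is treated as "none".
    missing = {s: l for s, l in needed.items() if RANK.get(granted.get(s), 0) < RANK[l]}
    excessive = {s: l for s, l in granted.items() if RANK.get(l, 0) > RANK[needed.get(s, "none")]}
    return missing, excessive

# Constructed sample: a workflow that reads contents and writes discussions.
SAMPLE = "---\npermissions:\n  contents: read\n  issues: write  # unused\n---\n# body\n"

if __name__ == "__main__":
    print(audit(SAMPLE, ["read_contents", "write_discussions"]))
```

An empty `missing` map corresponds to the "no permission errors" criterion and an empty `excessive` map to the "no excessive permissions" criterion.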
