Add workflows permission scope to WorkflowParser#4338
Draft
Add workflows permission scope to WorkflowParser#4338
workflows permission scope to WorkflowParser#4338Conversation
Add 'workflows' as a recognized permission scope for GITHUB_TOKEN, gated behind AllowWorkflowsPermission feature flag. Changes: - Permissions.cs: Add Workflows property, copy constructor, comparison key mapping. Excluded from write-all/read-all bulk constructors. - WorkflowTemplateConverter.cs: Parse 'workflows' permission with feature flag guard. Read downgrades to NoAccess (write-only scope). - WorkflowFeatures.cs: Add AllowWorkflowsPermission flag, default false.
Contributor
There was a problem hiding this comment.
Pull request overview
Adds support for a new permissions: workflows: write scope in the WorkflowParser, gated behind a new AllowWorkflowsPermission feature flag, and ensures the scope is excluded from read-all/write-all bulk permission construction.
Changes:
- Added
AllowWorkflowsPermissiontoWorkflowFeaturesdefaults (off by default). - Added
Workflowsto thePermissionsmodel, including cloning and max-permission comparison mapping. - Updated
WorkflowTemplateConverter.ConvertToPermissions()to parseworkflowsunder a feature flag and treatreadasnone.
Show a summary per file
| File | Description |
|---|---|
| src/Sdk/WorkflowParser/WorkflowFeatures.cs | Introduces AllowWorkflowsPermission feature flag (default disabled). |
| src/Sdk/WorkflowParser/Permissions.cs | Adds the Workflows permission field and includes it in cloning/comparison logic; keeps it excluded from bulk constructors. |
| src/Sdk/WorkflowParser/Conversion/WorkflowTemplateConverter.cs | Adds parsing logic for permissions.workflows gated by AllowWorkflowsPermission. |
Copilot's findings
- Files reviewed: 3/3 changed files
- Comments generated: 1
Comment on lines
+1963
to
+1970
| // Workflows only supports write; downgrade read to none | ||
| if (permissionLevel == PermissionLevel.Read) | ||
| { | ||
| permissions.Workflows = PermissionLevel.NoAccess; | ||
| } | ||
| else | ||
| { | ||
| permissions.Workflows = permissionLevel; |
There was a problem hiding this comment.
workflows is not currently declared in the workflow schema (src/Sdk/WorkflowParser/workflow-v1.0.json under permissions-mapping.properties). With the current schema, TemplateReader will treat workflows as an unexpected key and skip it, so this case "workflows" block is effectively unreachable even when AllowWorkflowsPermission is enabled. Update the schema to include workflows (and align the allowed value type with the intended behavior, e.g., whether read should be accepted and downgraded or rejected by schema).
Suggested change
| // Workflows only supports write; downgrade read to none | |
| if (permissionLevel == PermissionLevel.Read) | |
| { | |
| permissions.Workflows = PermissionLevel.NoAccess; | |
| } | |
| else | |
| { | |
| permissions.Workflows = permissionLevel; | |
| // Workflows only supports write. | |
| if (permissionLevel == PermissionLevel.Write) | |
| { | |
| permissions.Workflows = permissionLevel; | |
| } | |
| else | |
| { | |
| context.Error(key, $"The permission 'workflows' only supports 'write'"); |
The write-all permission level should include workflows:write when the AllowWorkflowsPermission feature flag is enabled, matching the behavior of other gated permissions like copilot-requests. Previously workflows was unconditionally excluded from write-all. This aligns with the ADR decision that write-all means permissive access.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
workflowsas a recognized permission scope forGITHUB_TOKEN, gated behind theAllowWorkflowsPermissionfeature flag.This enables workflow authors to declare
permissions: workflows: writeso the token can update workflow files, once the feature flag is enabled.Changes
Permissions.csWorkflowsproperty with[DataMember(Name = "workflows")]ComparisonKeyMappingNoAccess) — this is a security-sensitive scope that must be explicitly requestedWorkflowTemplateConverter.cscase "workflows":inConvertToPermissions()AllowWorkflowsPermissionfeature flag (same pattern asmodels)readdowngrades toNoAccesssinceworkflowsis a write-only scopeWorkflowFeatures.csAllowWorkflowsPermissionproperty (bool, defaultfalse)GetDefaults()Design Decisions
AllowWorkflowsPermissiondefaults tofalsefor controlled rolloutworkflowsis NOT included inwrite-all/read-all(too security-sensitive — must be explicitly declared)permissions: workflows: readdowngrades toNoAccesssince the GitHub API only supportswritefor this scopeTesting
Related