Compare commits

...

2 Commits

Author SHA1 Message Date
Salman Muin Kayser Chishti 18f53d3c9e Include workflows in write-all when feature flag is enabled
The write-all permission level should include workflows:write when the
AllowWorkflowsPermission feature flag is enabled, matching the behavior
of other gated permissions like copilot-requests. Previously workflows
was unconditionally excluded from write-all. This aligns with the ADR
decision that write-all means permissive access.
2026-04-11 08:49:41 +01:00
Salman Muin Kayser Chishti 273538003e Add workflows permission scope to WorkflowParser
Add 'workflows' as a recognized permission scope for GITHUB_TOKEN,
gated behind AllowWorkflowsPermission feature flag.

Changes:
- Permissions.cs: Add Workflows property, copy constructor, comparison
  key mapping. Excluded from write-all/read-all bulk constructors.
- WorkflowTemplateConverter.cs: Parse 'workflows' permission with
  feature flag guard. Read downgrades to NoAccess (write-only scope).
- WorkflowFeatures.cs: Add AllowWorkflowsPermission flag, default false.
2026-04-10 23:33:55 +01:00
4 changed files with 52 additions and 11 deletions
@@ -32,7 +32,7 @@ namespace GitHub.Actions.WorkflowParser.Conversion
return;
}
var effectiveMax = explicitMax ?? CreatePermissionsFromPolicy(context, permissionsPolicy, includeIdToken: isTrusted, includeModels: context.GetFeatures().AllowModelsPermission);
var effectiveMax = explicitMax ?? CreatePermissionsFromPolicy(context, permissionsPolicy, includeIdToken: isTrusted, includeModels: context.GetFeatures().AllowModelsPermission, includeWorkflows: context.GetFeatures().AllowWorkflowsPermission);
if (requested.ViolatesMaxPermissions(effectiveMax, out var permissionLevelViolations))
{
@@ -59,7 +59,8 @@ namespace GitHub.Actions.WorkflowParser.Conversion
TemplateContext context,
string permissionsPolicy,
bool includeIdToken,
bool includeModels)
bool includeModels,
bool includeWorkflows)
{
switch (permissionsPolicy)
{
@@ -70,7 +71,7 @@ namespace GitHub.Actions.WorkflowParser.Conversion
Packages = PermissionLevel.Read,
};
case WorkflowConstants.PermissionsPolicy.Write:
return new Permissions(PermissionLevel.Write, includeIdToken: includeIdToken, includeAttestations: true, includeModels: includeModels);
return new Permissions(PermissionLevel.Write, includeIdToken: includeIdToken, includeAttestations: true, includeModels: includeModels, includeWorkflows: includeWorkflows);
default:
throw new ArgumentException($"Unexpected permission policy: '{permissionsPolicy}'");
}
@@ -1877,7 +1877,7 @@ namespace GitHub.Actions.WorkflowParser.Conversion
permissionsStr.AssertUnexpectedValue(permissionsStr.Value);
break;
}
return new Permissions(permissionLevel, includeIdToken: true, includeAttestations: true, includeModels: context.GetFeatures().AllowModelsPermission);
return new Permissions(permissionLevel, includeIdToken: true, includeAttestations: true, includeModels: context.GetFeatures().AllowModelsPermission, includeWorkflows: context.GetFeatures().AllowWorkflowsPermission);
}
var mapping = token.AssertMapping("permissions");
@@ -1957,6 +1957,24 @@ namespace GitHub.Actions.WorkflowParser.Conversion
context.Error(key, $"The permission 'models' is not allowed");
}
break;
case "workflows":
if (context.GetFeatures().AllowWorkflowsPermission)
{
// Workflows only supports write; downgrade read to none
if (permissionLevel == PermissionLevel.Read)
{
permissions.Workflows = PermissionLevel.NoAccess;
}
else
{
permissions.Workflows = permissionLevel;
}
}
else
{
context.Error(key, $"The permission 'workflows' is not allowed");
}
break;
default:
break;
}
+20 -6
View File
@@ -1,4 +1,4 @@
using System;
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
using GitHub.Actions.WorkflowParser.Conversion;
@@ -17,7 +17,7 @@ namespace GitHub.Actions.WorkflowParser
public Permissions(Permissions copy)
{
Actions = copy.Actions;
ArtifactMetadata = copy.ArtifactMetadata;
ArtifactMetadata = copy.ArtifactMetadata;
Attestations = copy.Attestations;
Checks = copy.Checks;
Contents = copy.Contents;
@@ -32,16 +32,18 @@ namespace GitHub.Actions.WorkflowParser
SecurityEvents = copy.SecurityEvents;
IdToken = copy.IdToken;
Models = copy.Models;
Workflows = copy.Workflows;
}
public Permissions(
PermissionLevel permissionLevel,
bool includeIdToken,
bool includeAttestations,
bool includeModels)
bool includeModels,
bool includeWorkflows = false)
{
Actions = permissionLevel;
ArtifactMetadata = permissionLevel;
ArtifactMetadata = permissionLevel;
Attestations = includeAttestations ? permissionLevel : PermissionLevel.NoAccess;
Checks = permissionLevel;
Contents = permissionLevel;
@@ -56,8 +58,12 @@ namespace GitHub.Actions.WorkflowParser
SecurityEvents = permissionLevel;
IdToken = includeIdToken ? permissionLevel : PermissionLevel.NoAccess;
// Models must not have higher permissions than Read
Models = includeModels
? (permissionLevel == PermissionLevel.Write ? PermissionLevel.Read : permissionLevel)
Models = includeModels
? (permissionLevel == PermissionLevel.Write ? PermissionLevel.Read : permissionLevel)
: PermissionLevel.NoAccess;
// Workflows is write-only, so only grant it when permissionLevel is Write
Workflows = includeWorkflows && permissionLevel == PermissionLevel.Write
? PermissionLevel.Write
: PermissionLevel.NoAccess;
}
@@ -81,6 +87,7 @@ namespace GitHub.Actions.WorkflowParser
new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("security-events", (left.SecurityEvents, right.SecurityEvents)),
new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("id-token", (left.IdToken, right.IdToken)),
new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("models", (left.Models, right.Models)),
new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("workflows", (left.Workflows, right.Workflows)),
};
}
@@ -196,6 +203,13 @@ namespace GitHub.Actions.WorkflowParser
set;
}
[DataMember(Name = "workflows", EmitDefaultValue = false)]
public PermissionLevel Workflows
{
get;
set;
}
public Permissions Clone()
{
return new Permissions(this);
+9 -1
View File
@@ -1,4 +1,4 @@
using System;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
@@ -41,6 +41,13 @@ namespace GitHub.Actions.WorkflowParser
[DataMember(EmitDefaultValue = false)]
public bool AllowModelsPermission { get; set; }
/// <summary>
/// Gets or sets a value indicating whether users may use the "workflows" permission.
/// Used during parsing only.
/// </summary>
[DataMember(EmitDefaultValue = false)]
public bool AllowWorkflowsPermission { get; set; }
/// <summary>
/// Gets or sets a value indicating whether the expression function fromJson performs strict JSON parsing.
/// Used during evaluation only.
@@ -67,6 +74,7 @@ namespace GitHub.Actions.WorkflowParser
Snapshot = false, // Default to false since this feature is still in an experimental phase
StrictJsonParsing = false, // Default to false since this is temporary for telemetry purposes only
AllowModelsPermission = false, // Default to false since we want this to be disabled for all non-production environments
AllowWorkflowsPermission = false, // Default to false; gated by feature flag for controlled rollout
AllowServiceContainerCommand = false, // Default to false since this feature is gated by actions_service_container_command
};
}