Revert "Updating permissions for agentic workflows" #39073

Merged: jeremymeng merged 1 commit into main from revert-39071-copilot/update-agentic-workflows-permission on Jun 24, 2026
xirzec commented Jun 24, 2026

Reverts #39071

same error as last time 400 400 checking server-to-server token: bad request: GitHub App Server-To-Server Tokens are not supported for this endpoint

Copilot AI review requested due to automatic review settings June 24, 2026 23:03

Copilot AI left a comment

Pull request overview

This PR reverts #39071 ("Updating permissions for agentic workflows"). The original PR switched the gh-aw agentic workflows to authenticate against the Copilot API using github.token (server-to-server tokens, S2STOKENS: true) gated by a new copilot-requests: write permission, dropping the COPILOT_GITHUB_TOKEN secret and its validation step. That approach fails at runtime with 400 checking server-to-server token: bad request: GitHub App Server-To-Server Tokens are not supported for this endpoint, so this PR restores the previously-working COPILOT_GITHUB_TOKEN secret-based authentication.

The change is a git revert: each workflow .md source drops copilot-requests: write from its permissions: block, and each .lock.yml is recompiled to restore the secret reference, the Validate COPILOT_GITHUB_TOKEN secret step, the GH_AW_SECRET_VERIFICATION_RESULT plumbing, and remove S2STOKENS: true.

Changes:

  • Removes copilot-requests: write permission from 13 agentic-workflow .md sources.
  • Regenerates the 13 corresponding .lock.yml files (updated frontmatter hashes), restoring COPILOT_GITHUB_TOKEN secret usage, its validation step, and secret-redaction wiring, and removing S2STOKENS.
  • Scope matches the original PR exactly (26 files = 13 workflows × 2); verified no remaining copilot-requests, S2STOKENS, or COPILOT_GITHUB_TOKEN: ${{ github.token }} references repo-wide.
Summary per file:

| File | Description |
| --- | --- |
| .github/workflows/agent-observability.md / .lock.yml | Removes copilot-requests: write; lock restores COPILOT_GITHUB_TOKEN secret + validation, drops S2STOKENS. |
| .github/workflows/archie.md / .lock.yml | Same revert applied to the Archie (API design) workflow. |
| .github/workflows/dash.md / .lock.yml | Same revert applied to the Dash (performance) workflow. |
| .github/workflows/dexter.md / .lock.yml | Same revert applied to the Dexter (dependency audit) workflow. |
| .github/workflows/docs-consistency-check.md / .lock.yml | Same revert applied to the docs-consistency workflow. |
| .github/workflows/fix-test-failures.md / .lock.yml | Same revert applied to the test-failure triage workflow. |
| .github/workflows/issue-triage.md / .lock.yml | Same revert applied to the issue-triage workflow. |
| .github/workflows/mgmt-guidance.md / .lock.yml | Same revert applied to the mgmt-guidance workflow. |
| .github/workflows/mgmt-review.md / .lock.yml | Same revert; lock also shows incidental regeneration artifacts (continue-on-error: true on the checkout-PR step, trailing-newline change) that are byproducts of recompilation, not hand edits. |
| .github/workflows/scribe.md / .lock.yml | Same revert applied to the Scribe (docs) workflow. |
| .github/workflows/sentinel.md / .lock.yml | Same revert applied to the Sentinel (security) workflow. |
| .github/workflows/tester.md / .lock.yml | Same revert applied to the Tester (test coverage) workflow. |
| .github/workflows/upgrade-agentic-workflows.md / .lock.yml | Same revert applied to the upgrade-agentic-workflows workflow. |

Copilot's findings

  • Files reviewed: 26/26 changed files
  • Comments generated: 0
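
The overview above reports two checks on the revert: no remaining copilot-requests, S2STOKENS, or COPILOT_GITHUB_TOKEN: ${{ github.token }} references, and a scope of 13 workflows × 2 files. One way to make those checks repeatable is sketched below as an added example; it is not part of the pull request or of the gh-aw tooling, and the function names, the constructed sample contents and the secrets.COPILOT_GITHUB_TOKEN expression in the sample are assumptions.

```python
import re
import sys
from pathlib import Path

# Strings the review reports as fully removed by the revert (quoted from the PR text).
LEFTOVERS = {
    "copilot-requests permission": re.compile(r"\bcopilot-requests\s*:"),
    "S2STOKENS flag": re.compile(r"\bS2STOKENS\b"),
    "COPILOT_GITHUB_TOKEN bound to github.token": re.compile(
        r"COPILOT_GITHUB_TOKEN\s*:\s*\$\{\{\s*github\.token\s*\}\}"),
}

def scan_text(path, text):
    """Return (path, line_number, marker_name) for each leftover reference."""
    return [(path, no, name)
            for no, line in enumerate(text.splitlines(), 1)
            for name, rx in LEFTOVERS.items() if rx.search(line)]

def unpaired(paths):
    """Workflow stems that have a .md source or a .lock.yml, but not both."""
    md = {p[:-len(".md")] for p in paths if p.endswith(".md")}
    lock = {p[:-len(".lock.yml")] for p in paths if p.endswith(".lock.yml")}
    return sorted(md ^ lock)

def audit(files):
    """files maps file name -> contents. Returns (leftover hits, unpaired stems)."""
    hits = [h for name in sorted(files) for h in scan_text(name, files[name])]
    return hits, unpaired(files)

def load(root):
    """Read .md / .lock.yml under <root>/.github/workflows (assumed: every .md is a workflow)."""
    wf = Path(root) / ".github" / "workflows"
    return {p.name: p.read_text(encoding="utf-8") for p in wf.iterdir()
            if p.is_file() and p.name.endswith((".md", ".lock.yml"))}

# Constructed sample: one cleanly reverted workflow, one stale pair, one missing lock file.
SAMPLE = {
    "archie.md": "---\npermissions:\n  contents: read\n---\n",
    "archie.lock.yml": "env:\n  COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}\n",
    "dash.md": "---\npermissions:\n  contents: read\n  copilot-requests: write\n---\n",
    "dash.lock.yml": "env:\n  COPILOT_GITHUB_TOKEN: ${{ github.token }}\n  S2STOKENS: true\n",
    "tester.md": "---\npermissions:\n  contents: read\n---\n",
}

if __name__ == "__main__":
    hits, orphans = audit(load(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE)
    print(*(f"{p}:{n}: leftover {m}" for p, n, m in hits), sep="\n")
    print(*(f"{s}: .md/.lock.yml pair incomplete" for s in orphans), sep="\n")
    sys.exit(1 if hits or orphans else 0)
```

Run with a repository root as the only argument to scan real files; with no argument it scans the constructed sample and exits non-zero because of the stale dash pair and the unpaired tester source.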

jeremymeng merged commit d17730f into main on Jun 24, 2026
21 checks passed
jeremymeng deleted the revert-39071-copilot/update-agentic-workflows-permission branch June 24, 2026 23:27