Revert "Updating permissions for agentic workflows" #39073
This reverts commit 33a4c7d.
Pull request overview
This PR reverts #39071 ("Updating permissions for agentic workflows"). The original PR switched the gh-aw agentic workflows to authenticate against the Copilot API using github.token (server-to-server tokens, S2STOKENS: true) gated by a new copilot-requests: write permission, dropping the COPILOT_GITHUB_TOKEN secret and its validation step. That approach fails at runtime with 400 checking server-to-server token: bad request: GitHub App Server-To-Server Tokens are not supported for this endpoint, so this PR restores the previously-working COPILOT_GITHUB_TOKEN secret-based authentication.
The change is a git revert: each workflow .md source drops copilot-requests: write from its permissions: block, and each .lock.yml is recompiled to restore the secret reference, the Validate COPILOT_GITHUB_TOKEN secret step, the GH_AW_SECRET_VERIFICATION_RESULT plumbing, and remove S2STOKENS: true.
Changes:
- Removes the `copilot-requests: write` permission from 13 agentic-workflow `.md` sources.
- Regenerates the 13 corresponding `.lock.yml` files (updated frontmatter hashes), restoring `COPILOT_GITHUB_TOKEN` secret usage, its validation step, and secret-redaction wiring, and removing `S2STOKENS`.
- Scope matches the original PR exactly (26 files = 13 workflows × 2); verified no remaining `copilot-requests`, `S2STOKENS`, or `COPILOT_GITHUB_TOKEN: ${{ github.token }}` references repo-wide.
| File | Description |
|---|---|
| `.github/workflows/agent-observability.md` / `.lock.yml` | Removes `copilot-requests: write`; lock restores `COPILOT_GITHUB_TOKEN` secret + validation, drops `S2STOKENS`. |
| `.github/workflows/archie.md` / `.lock.yml` | Same revert applied to the Archie (API design) workflow. |
| `.github/workflows/dash.md` / `.lock.yml` | Same revert applied to the Dash (performance) workflow. |
| `.github/workflows/dexter.md` / `.lock.yml` | Same revert applied to the Dexter (dependency audit) workflow. |
| `.github/workflows/docs-consistency-check.md` / `.lock.yml` | Same revert applied to the docs-consistency workflow. |
| `.github/workflows/fix-test-failures.md` / `.lock.yml` | Same revert applied to the test-failure triage workflow. |
| `.github/workflows/issue-triage.md` / `.lock.yml` | Same revert applied to the issue-triage workflow. |
| `.github/workflows/mgmt-guidance.md` / `.lock.yml` | Same revert applied to the mgmt-guidance workflow. |
| `.github/workflows/mgmt-review.md` / `.lock.yml` | Same revert; lock also shows incidental regeneration artifacts (`continue-on-error: true` on the checkout-PR step, trailing-newline change) that are byproducts of recompilation, not hand edits. |
| `.github/workflows/scribe.md` / `.lock.yml` | Same revert applied to the Scribe (docs) workflow. |
| `.github/workflows/sentinel.md` / `.lock.yml` | Same revert applied to the Sentinel (security) workflow. |
| `.github/workflows/tester.md` / `.lock.yml` | Same revert applied to the Tester (test coverage) workflow. |
| `.github/workflows/upgrade-agentic-workflows.md` / `.lock.yml` | Same revert applied to the upgrade-agentic-workflows workflow. |
Copilot's findings
- Files reviewed: 26/26 changed files
- Comments generated: 0
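The review above turns on one operational point: the restored workflows fail fast in a "Validate COPILOT_GITHUB_TOKEN secret" step rather than partway through an agent run with a 400 from the Copilot endpoint. The script below is an added illustration of that kind of fail-fast check, written for this page; it is not the gh-aw project's own validation step and its function name and step-output name are hypothetical. Beyond what the page states, it also rejects a token whose `ghs_` prefix marks it as a GitHub App server-to-server (installation) token, the class `github.token` resolves to in Actions, so a misconfiguration of the kind the reverted PR introduced is caught before any API call.

```shell
#!/bin/sh
# Added example (not the gh-aw project's own validation step): a fail-fast
# check a workflow can run before it calls the Copilot API.
# Assumptions: validate_copilot_token and the secret_verification_result
# step output are hypothetical names; the "ghs_" prefix test is a heuristic
# based on GitHub's documented prefix for server-to-server tokens.

# validate_copilot_token TOKEN
# Returns 0 when TOKEN looks usable, 1 otherwise. Prints a GitHub Actions
# "::error::" annotation on failure and, when GITHUB_OUTPUT is set, records
# the verdict as a step output so later steps can branch on it.
validate_copilot_token() {
    token="$1"
    verdict="ok"

    if [ -z "$token" ]; then
        verdict="missing"
        echo "::error::COPILOT_GITHUB_TOKEN secret is not set; the Copilot API call would fail"
    else
        case "$token" in
            ghs_*)
                # Server-to-server token (the class github.token belongs to):
                # the endpoint answers these with HTTP 400, so stop here
                # instead of failing later inside the agent run.
                verdict="server-to-server-token"
                echo "::error::COPILOT_GITHUB_TOKEN is a GitHub App server-to-server token, which the Copilot endpoint does not accept"
                ;;
        esac
    fi

    if [ -n "${GITHUB_OUTPUT:-}" ]; then
        echo "secret_verification_result=$verdict" >> "$GITHUB_OUTPUT"
    fi

    [ "$verdict" = "ok" ]
}

# Usage inside a workflow step (mapping the secret through env avoids
# interpolating it into the script text):
#   - name: Validate COPILOT_GITHUB_TOKEN secret
#     env:
#       COPILOT_GITHUB_TOKEN: ${{ secrets.COPILOT_GITHUB_TOKEN }}
#     run: . ./validate_token.sh && validate_copilot_token "$COPILOT_GITHUB_TOKEN"
```

The empty-token branch is what the restored validation step guards against; the prefix branch is the extra check that would have flagged `COPILOT_GITHUB_TOKEN: ${{ github.token }}` at validation time instead of at the first request.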
Reverts #39071
same error as last time
400 400 checking server-to-server token: bad request: GitHub App Server-To-Server Tokens are not supported for this endpoint