[aw-compat] Downgrade strict missing-permission failures for default GitHub toolsets to warnings #26816

Merged
pelikhan merged 8 commits into main from copilot/aw-compat-fix-syntax-errors
Apr 17, 2026

Copilot AI commented Apr 17, 2026

Daily cross-repo compatibility checks surfaced repeated failures where workflows using implicit/explicit default GitHub toolsets were blocked in strict mode by missing pull-requests: read. This change keeps strict enforcement for explicit non-default toolsets, but treats default-only cases as actionable warnings.

  • Behavior change (strict mode permission validation)

    • Missing GitHub permissions remain errors in strict mode by default.
    • If tools.github resolves to default-only toolsets (implicit default or toolsets: [default]), missing permissions are now warnings instead of hard compile failures.
  • User-facing warning clarity

    • Added an explicit warning suffix for downgraded cases:
      • “Some of the GitHub tools will not be available until the missing permissions are granted.”
    • Keeps compatibility while still making partial tool availability explicit.
  • Scope guardrails

    • Downgrade is intentionally narrow:
      • ✅ implicit default toolsets (no toolsets configured)
      • ✅ explicit toolsets: [default]
      • ❌ any other strict-mode toolset configuration
  • Targeted coverage

    • Added integration cases for strict mode to verify:
      • explicit default-only config warns (no hard failure)
      • implicit default config warns (no hard failure)

tools:
  github:
    toolsets: [default]   # or omit toolsets entirely (implicit default)
permissions:
  contents: read
  issues: read
# missing pull-requests: read now warns in strict mode for default-only cases

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json 6 x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD erignore go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Fix missing permissions in workflow for toolsets [aw-compat] Downgrade strict missing-permission failures for default GitHub toolsets to warnings Apr 17, 2026
Copilot AI requested a review from pelikhan April 17, 2026 06:04
@github-actions github-actions bot mentioned this pull request Apr 17, 2026
@pelikhan pelikhan marked this pull request as ready for review April 17, 2026 13:55
Copilot AI review requested due to automatic review settings April 17, 2026 13:55
Contributor

Copilot AI left a comment

Pull request overview

Adjusts strict-mode permission validation so workflows using GitHub’s default-only toolsets don’t hard-fail compilation when pull-requests: read (or other required permissions) are missing, instead emitting an actionable warning.

Changes:

  • Downgrades strict-mode missing-permission failures to warnings when tools.github is default-only (implicit default or toolsets: [default]).
  • Appends a clearer warning suffix indicating partial GitHub tool availability until permissions are granted.
  • Adds integration test coverage for strict-mode default-only configurations (explicit and implicit).
| File | Description |
| --- | --- |
| pkg/workflow/compiler.go | Implements strict-mode downgrade-to-warning logic for default-only GitHub toolsets and adds a warning suffix. |
| pkg/workflow/permissions_warning_test.go | Adds integration test cases verifying strict-mode default-only toolset configs warn instead of failing. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Comment thread pkg/workflow/compiler.go Outdated
Comment on lines +39 to +40
// MissingPermissionsDefaultToolsetWarning explains why strict mode was downgraded to warning.
MissingPermissionsDefaultToolsetWarning = "Some of the GitHub tools will not be available until the missing permissions are granted."
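Review bot: `MissingPermissionsDefaultToolsetWarning` on line 40 is an exported identifier, so this user-facing message string becomes part of the package's public API; unless another package needs it, make it unexported (`missingPermissionsDefaultToolsetWarning`). The doc comment on line 39 says the constant explains why strict mode was downgraded, while the string itself states the consequence for tool availability, so reword the comment to match what the message says.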
@github-actions
Contributor

🧪 Test Quality Sentinel Report

Test Quality Score: 100/100

Excellent test quality

| Metric | Value |
| --- | --- |
| New/modified tests analyzed | 2 |
| ✅ Design tests (behavioral contracts) | 2 (100%) |
| ⚠️ Implementation tests (low value) | 0 (0%) |
| Tests with error/edge cases | 2 (100%) |
| Duplicate test clusters | 0 |
| Test inflation detected | No (ratio 1.38:1) |
| 🚨 Coding-guideline violations | None |

Test Classification Details

| Test | File | Classification | Issues Detected |
| --- | --- | --- | --- |
| "default toolset only in strict mode produces warning" | pkg/workflow/permissions_warning_test.go | ✅ Design | None |
| "implied default toolset in strict mode produces warning" | pkg/workflow/permissions_warning_test.go | ✅ Design | None |

Analysis Notes

Both new test cases are added as rows in the existing table-driven TestPermissionsWarningInNonStrictMode function. They directly verify the behavioral contract introduced by this PR: when strict mode is enabled but only the default toolset (or an implied default via min-integrity: none) is configured, the compiler should emit a warning rather than a hard error.

Each case asserts:

  • No compilation error is returned (expectError: false)
  • A warning is emitted to stderr containing the expected message
  • The warning includes "warning:", "Option 1: Add missing permissions", and "Option 2: Reduce the required toolsets" suggestions
  • compiler.GetWarningCount() is non-zero

This exercises both the explicit toolset path (toolsets: [default]) and the implicit path (min-integrity: none with no explicit toolset), ensuring full coverage of the changed code paths in compiler.go.

Build tag: //go:build integration — correct for integration tests that invoke the real compiler.
Mocks: None — tests interact with the real Compiler component. ✅
Assertion messages: All t.Errorf / t.Error calls include descriptive context strings. ✅
Test inflation: 40 test lines added vs. 29 production lines = 1.38:1 ratio — well under the 2:1 threshold. ✅


Flagged Tests — Requires Review

None. No tests flagged.


Language Support

Tests analyzed:

  • 🐹 Go (*_test.go): 2 test cases — integration (//go:build integration)
  • 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

Verdict

Check passed. 0% of new tests are implementation tests (threshold: 30%). Both new test cases verify observable behavioral contracts and include edge-case coverage for the warning-vs-error boundary condition.


📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

  • Assert on observable outputs, return values, or state changes
  • Cover error paths and boundary conditions
  • Would catch a behavioral regression if deleted
  • Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

  • Assert on internal function calls (mocking internals)
  • Only test the happy path with typical inputs
  • Break during legitimate refactoring even when behavior is correct
  • Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24568819722

🧪 Test quality analysis by Test Quality Sentinel · ● 482.9K ·
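The warning-versus-error boundary that the PR description and the test report describe, as an added Go sketch that is not the project's code from `pkg/workflow/compiler.go`. `classify`, `isDefaultOnly` and the `Sev*` names are hypothetical, the `actions` toolset is a constructed sample, and the non-strict branch assumes missing permissions already warn outside strict mode.

```go
package main

import (
	"fmt"
	"strings"
)

type Severity int // how a missing-permission finding is reported

const (
	SevNone Severity = iota
	SevWarning
	SevError
)
// Warning suffix quoted in the PR description.
const defaultOnlySuffix = "Some of the GitHub tools will not be available until the missing permissions are granted."

// isDefaultOnly: true for no toolsets (implicit default) or only "default" entries.
func isDefaultOnly(toolsets []string) bool {
	for _, t := range toolsets {
		if strings.TrimSpace(t) != "default" {
			return false
		}
	}
	return true
}

// classify (hypothetical helper) decides how missing permissions are reported.
// Assumption: outside strict mode a missing permission is already only a warning.
func classify(strict bool, toolsets, missing []string) (Severity, string) {
	if len(missing) == 0 {
		return SevNone, ""
	}
	msg := "missing permissions: " + strings.Join(missing, ", ")
	switch {
	case !strict:
		return SevWarning, msg
	case isDefaultOnly(toolsets): // the narrow downgrade this PR introduces
		return SevWarning, msg + ". " + defaultOnlySuffix
	default: // any explicit non-default toolset keeps the hard failure
		return SevError, msg
	}
}

func main() {
	for _, ts := range [][]string{nil, {"default"}, {"default", "actions"}} {
		sev, msg := classify(true, ts, []string{"pull-requests: read"})
		fmt.Printf("strict toolsets=%v -> severity=%d: %s\n", ts, sev, msg)
	}
}
```

Mixing `default` with any other toolset falls through to the error branch, which is the guardrail that keeps the downgrade from weakening strict mode for workflows that opt into broader tool access.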

Contributor

@github-actions github-actions bot left a comment

✅ Test Quality Sentinel: 100/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). Both new table-driven cases verify the behavioral contract of the warning-vs-error downgrade for default GitHub toolsets.

@pelikhan
Collaborator

@copilot review all comments

Contributor Author

Copilot AI commented Apr 17, 2026

@copilot review all comments

Reviewed and addressed the actionable review feedback. I made the warning constant internal (missingPermissionsDefaultToolsetWarning) to avoid expanding package API surface, with no behavior change. Commit: a907508.

@pelikhan
Collaborator

@copilot rebuild wasm, run test

Contributor Author

Copilot AI commented Apr 17, 2026

@copilot rebuild wasm, run test

Done. I rebuilt wasm and ran wasm tests on this branch.

  • make build-wasm
  • make test-wasm-golden
  • make test-wasm

Current failures are golden mismatches (e.g. .crush vs .gemini in basic-copilot / with-imports). No files changed from these runs. Reference commit: a907508.

No UI changes in this request (CLI/test-only), so there is no screenshot to provide.

@pelikhan pelikhan merged commit 722cdd1 into main Apr 17, 2026
58 checks passed
@pelikhan pelikhan deleted the copilot/aw-compat-fix-syntax-errors branch April 17, 2026 14:22

Development

Successfully merging this pull request may close these issues.

[aw-compat] Common syntax errors: missing permissions, workflow_run branches, and doc files in workflows/

4 participants