fix: permission validation only requires read permissions from toolsets

Copilot · pelikhan · Copilot · commit 20c1d2819f8a · 2026-03-01T15:40:43.000Z
Co-authored-by: pelikhan &lt;4175913+pelikhan@users.noreply.github.com&gt;
diff --git a/pkg/workflow/permissions_validation.go b/pkg/workflow/permissions_validation.go
@@ -193,20 +193,13 @@ func collectRequiredPermissions(toolsets []string, readOnly bool) map[Permission
 			continue
 		}
 
-		// Add read permissions
+		// Add read permissions only (write tools are not considered for permission requirements)
 		for _, scope := range perms.ReadPermissions {
 			// Always require at least read access
 			if existing, found := required[scope]; !found || existing == PermissionNone {
 				required[scope] = PermissionRead
 			}
 		}
-
-		// Add write permissions only if not in read-only mode
-		if !readOnly {
-			for _, scope := range perms.WritePermissions {
-				required[scope] = PermissionWrite
-			}
-		}
 	}
 
 	return required
diff --git a/pkg/workflow/permissions_validator_test.go b/pkg/workflow/permissions_validator_test.go
@@ -25,7 +25,7 @@ func TestCollectRequiredPermissions(t *testing.T) {
 			toolsets: []string{"repos"},
 			readOnly: false,
 			expected: map[PermissionScope]PermissionLevel{
-				PermissionContents: PermissionWrite,
+				PermissionContents: PermissionRead,
 			},
 		},
 		{
@@ -41,51 +41,51 @@ func TestCollectRequiredPermissions(t *testing.T) {
 			toolsets: []string{"issues"},
 			readOnly: false,
 			expected: map[PermissionScope]PermissionLevel{
-				PermissionIssues: PermissionWrite,
+				PermissionIssues: PermissionRead,
 			},
 		},
 		{
 			name:     "Multiple toolsets",
 			toolsets: []string{"repos", "issues", "pull_requests"},
 			readOnly: false,
 			expected: map[PermissionScope]PermissionLevel{
-				PermissionContents:     PermissionWrite,
-				PermissionIssues:       PermissionWrite,
-				PermissionPullRequests: PermissionWrite,
+				PermissionContents:     PermissionRead,
+				PermissionIssues:       PermissionRead,
+				PermissionPullRequests: PermissionRead,
 			},
 		},
 		{
 			name:     "Default toolsets in read-write mode",
 			toolsets: DefaultGitHubToolsets,
 			readOnly: false,
 			expected: map[PermissionScope]PermissionLevel{
-				PermissionContents:     PermissionWrite,
-				PermissionIssues:       PermissionWrite,
-				PermissionPullRequests: PermissionWrite,
+				PermissionContents:     PermissionRead,
+				PermissionIssues:       PermissionRead,
+				PermissionPullRequests: PermissionRead,
 			},
 		},
 		{
-			name:     "Actions toolset (read-write)",
+			name:     "Actions toolset",
 			toolsets: []string{"actions"},
 			readOnly: false,
 			expected: map[PermissionScope]PermissionLevel{
-				PermissionActions: PermissionWrite,
+				PermissionActions: PermissionRead,
 			},
 		},
 		{
 			name:     "Code security toolset",
 			toolsets: []string{"code_security"},
 			readOnly: false,
 			expected: map[PermissionScope]PermissionLevel{
-				PermissionSecurityEvents: PermissionWrite,
+				PermissionSecurityEvents: PermissionRead,
 			},
 		},
 		{
 			name:     "Discussions toolset",
 			toolsets: []string{"discussions"},
 			readOnly: false,
 			expected: map[PermissionScope]PermissionLevel{
-				PermissionDiscussions: PermissionWrite,
+				PermissionDiscussions: PermissionRead,
 			},
 		},
 		{
@@ -150,9 +150,9 @@ func TestValidatePermissions_MissingPermissions(t *testing.T) {
 		{
 			name: "Default toolsets with all required permissions",
 			permissions: NewPermissionsFromMap(map[PermissionScope]PermissionLevel{
-				PermissionContents:     PermissionWrite,
-				PermissionIssues:       PermissionWrite,
-				PermissionPullRequests: PermissionWrite,
+				PermissionContents:     PermissionRead,
+				PermissionIssues:       PermissionRead,
+				PermissionPullRequests: PermissionRead,
 			}),
 			githubToolConfig: &GitHubToolConfig{
 				Toolset:  GitHubToolsets{"default"},
@@ -162,17 +162,15 @@ func TestValidatePermissions_MissingPermissions(t *testing.T) {
 			expectHasIssues:    false,
 		},
 		{
-			name: "Default toolsets with only read permissions (missing write)",
+			name: "Default toolsets with no permissions (missing read)",
 			permissions: NewPermissionsFromMap(map[PermissionScope]PermissionLevel{
-				PermissionContents:     PermissionRead,
-				PermissionIssues:       PermissionRead,
-				PermissionPullRequests: PermissionRead,
+				PermissionContents: PermissionRead,
 			}),
 			githubToolConfig: &GitHubToolConfig{
 				Toolset:  GitHubToolsets{"default"},
-				ReadOnly: false, // Need write permissions
+				ReadOnly: false, // Only read permissions required
 			},
-			expectMissingCount: 3, // All need write
+			expectMissingCount: 2, // Missing issues: read, pull-requests: read
 			expectHasIssues:    true,
 		},
 		{
@@ -192,19 +190,19 @@ func TestValidatePermissions_MissingPermissions(t *testing.T) {
 		{
 			name: "Specific toolsets with partial permissions",
 			permissions: NewPermissionsFromMap(map[PermissionScope]PermissionLevel{
-				PermissionContents: PermissionWrite,
+				PermissionContents: PermissionRead,
 			}),
 			githubToolConfig: &GitHubToolConfig{
 				Toolset:  GitHubToolsets{"repos", "issues"},
 				ReadOnly: false,
 			},
-			expectMissingCount: 1, // Missing issues: write
+			expectMissingCount: 1, // Missing issues: read
 			expectHasIssues:    true,
 		},
 		{
-			name: "Actions toolset with write permission",
+			name: "Actions toolset with read permission",
 			permissions: NewPermissionsFromMap(map[PermissionScope]PermissionLevel{
-				PermissionActions: PermissionWrite,
+				PermissionActions: PermissionRead,
 			}),
 			githubToolConfig: &GitHubToolConfig{
 				Toolset: GitHubToolsets{"actions"},
@@ -350,12 +348,7 @@ func TestValidatePermissions_ComplexScenarios(t *testing.T) {
 				Toolset:  GitHubToolsets{"default"},
 				ReadOnly: false,
 			},
-			expectMsg: []string{
-				"Missing required permissions for GitHub toolsets:",
-				"contents: write",
-				"issues: write",
-				"pull-requests: write",
-			},
+			expectMsg: []string{}, // read-all satisfies the read-only permission requirements
 		},
 		{
 			name:        "All: read with discussions toolset",
@@ -364,10 +357,7 @@ func TestValidatePermissions_ComplexScenarios(t *testing.T) {
 				Toolset:  GitHubToolsets{"discussions"},
 				ReadOnly: false,
 			},
-			expectMsg: []string{
-				"Missing required permissions for GitHub toolsets:",
-				"discussions: write",
-			},
+			expectMsg: []string{}, // all:read satisfies discussions read requirement
 		},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -193,20 +193,13 @@ func collectRequiredPermissions(toolsets []string, readOnly bool) map[Permission`
`193`	`193`	`continue`
`194`	`194`	`}`
`195`	`195`
`196`		`- // Add read permissions`
	`196`	`+ // Add read permissions only (write tools are not considered for permission requirements)`
`197`	`197`	`for _, scope := range perms.ReadPermissions {`
`198`	`198`	`// Always require at least read access`
`199`	`199`	`if existing, found := required[scope]; !found \|\| existing == PermissionNone {`
`200`	`200`	`required[scope] = PermissionRead`
`201`	`201`	`}`
`202`	`202`	`}`
`203`		`-`
`204`		`- // Add write permissions only if not in read-only mode`
`205`		`- if !readOnly {`
`206`		`- for _, scope := range perms.WritePermissions {`
`207`		`- required[scope] = PermissionWrite`
`208`		`- }`
`209`		`- }`
`210`	`203`	`}`
`211`	`204`
`212`	`205`	`return required`