[plan] Add missing permission scopes to schema and fix unknown all scope handling #17904

@github-actions

Context

From schema consistency discussion #17876 (2026-02-23 run, finding 6).

Objective

Fix the permissions schema so that all scopes implemented in Go code are also present in the JSON schema, and handle the all scope key gracefully.

Issues to Fix

1. repository-projects and organization-projects missing from schema

  • Files: pkg/workflow/permissions.go:39-42, pkg/parser/schemas/main_workflow_schema.json
  • These two scopes are fully implemented (PermissionRepositoryProj, PermissionOrganizationProj) but absent from the schema, which uses additionalProperties: false.
  • Workflows using these scopes fail schema validation even though the runtime handles them correctly.
  • Add both scopes (repository-projects, organization-projects) as valid enum values to the permissions schema.

2. all scope key has no handler in convertStringToPermissionScope

  • File: pkg/workflow/permissions.go:28-47
  • The schema allows an all key (for all: read style permissions) but convertStringToPermissionScope has no case "all": branch.
  • Users who set permissions: all: write get a silent "Unknown permission scope key: all" log with no compilation error.
  • Either add a case "all": handler or remove all from the schema if it is not a valid GitHub Actions permission key.

Files to Modify

  • pkg/parser/schemas/main_workflow_schema.json
  • pkg/workflow/permissions.go

Acceptance Criteria

  • repository-projects and organization-projects are valid properties in the permissions schema
  • Workflows using repository-projects or organization-projects pass schema validation
  • The all scope is either handled in convertStringToPermissionScope or removed from the schema
  • Run make agent-finish with no errors before committing
  • Run make build after schema changes (schemas are embedded via //go:embed)

Generated by Plan Command for issue #discussion #17876

  • expires on Feb 25, 2026, 12:04 PM UTC
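
Both findings are the same class of defect: the schema's set of permission keys and the set of keys the Go code handles have drifted apart, so one layer rejects what the other accepts, or accepts what the other silently ignores. The check below is an added example, not the project's own code; `FindDrift`, `Drift`, `sampleSchema` and `handledScopes` are hypothetical names, and the schema fragment and key list are constructed stand-ins that mirror the two findings above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed stand-in for the schema's permissions object (not the project's file).
const sampleSchema = `{"additionalProperties": false, "properties": {
  "all": {}, "contents": {}, "issues": {}}}`

// Constructed stand-in for the keys the Go scope switch handles.
var handledScopes = []string{"contents", "issues", "repository-projects", "organization-projects"}

// Drift lists scope keys on which schema and code disagree.
type Drift struct {
	MissingFromSchema []string // handled in code, rejected by the schema
	UnhandledInCode   []string // accepted by the schema, no handler in code
}

// FindDrift compares the schema's property names with the handled keys.
func FindDrift(schemaJSON string, handled []string) (Drift, error) {
	var s struct {
		Properties map[string]json.RawMessage `json:"properties"`
	}
	if err := json.Unmarshal([]byte(schemaJSON), &s); err != nil {
		return Drift{}, fmt.Errorf("parse schema: %w", err)
	}
	var d Drift
	inCode := make(map[string]bool, len(handled))
	for _, k := range handled {
		inCode[k] = true
		if _, ok := s.Properties[k]; !ok {
			d.MissingFromSchema = append(d.MissingFromSchema, k)
		}
	}
	for k := range s.Properties {
		if !inCode[k] {
			d.UnhandledInCode = append(d.UnhandledInCode, k)
		}
	}
	sort.Strings(d.MissingFromSchema)
	sort.Strings(d.UnhandledInCode)
	return d, nil
}

func main() {
	fmt.Println(FindDrift(sampleSchema, handledScopes))
}
```

Run as a unit test against the embedded schema and the real key list, a non-empty result in either field fails the build, so a permission key can no longer be ignored with only a log line.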
