Conformance Check Failure
Check ID: IMP-002
Severity: HIGH
Category: Implementation
Problem Description
The safe outputs permission computation implementation file pkg/workflow/safe_outputs_permissions.go is missing from the repository. This file is required to define the ComputePermissionsForSafeOutputs function, which dynamically computes the minimum required GitHub token permissions based on which safe output types are configured in a workflow.
Without this file, the permission computation logic is absent, which could cause workflows to use overly broad permissions or fail to correctly validate required permissions at generation time.
Affected Components
- Missing file: pkg/workflow/safe_outputs_permissions.go
- Existing test file: pkg/workflow/safe_outputs_permissions_test.go (tests exist but no implementation)
- Conformance checker: scripts/check-safe-outputs-conformance.sh (IMP-002 check)
Current Behavior
The file pkg/workflow/safe_outputs_permissions.go does not exist. The conformance checker checks for this file and the presence of ComputePermissionsForSafeOutputs within it.
Expected Behavior
Per the Safe Outputs specification, permission computation must:
- Accept a *SafeOutputsConfig and return the minimum required map[PermissionScope]PermissionLevel
- Return an empty map when config is nil
- Grant contents: read and issues: write for any issue-related output types
- Grant discussions: write for discussion-related output types
- Grant pull-requests: write for pull request output types
The existing test file (pkg/workflow/safe_outputs_permissions_test.go) defines the full expected behavior via TestComputePermissionsForSafeOutputs test cases.
Remediation Steps
This task can be assigned to a Copilot coding agent with the following steps:
- Create pkg/workflow/safe_outputs_permissions.go in the workflow package
- Implement ComputePermissionsForSafeOutputs(safeOutputs *SafeOutputsConfig) map[PermissionScope]PermissionLevel that:
  - Returns an empty map if safeOutputs == nil
  - Adds PermissionContents: PermissionRead as a baseline when any output is configured
  - Adds PermissionIssues: PermissionWrite for CreateIssues, UpdateIssues, CloseIssues, CreateComments, etc.
  - Adds PermissionDiscussions: PermissionWrite for CreateDiscussions, CloseDiscussions
  - Adds PermissionPullRequests: PermissionWrite for pull-request related outputs
- Run existing tests to verify: go test ./pkg/workflow/... -run TestComputePermissionsForSafeOutputs
- Run the conformance checker to confirm IMP-002 passes
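A sketch of the computation these steps describe, added here as an example and not the repository's code. The types are reduced stand-ins, the pointer field types are assumed, and CreatePullRequests is a hypothetical name for a pull-request output.

```go
package main

import "fmt"

type PermissionScope string
type PermissionLevel string

const (
	PermissionContents     PermissionScope = "contents"
	PermissionIssues       PermissionScope = "issues"
	PermissionDiscussions  PermissionScope = "discussions"
	PermissionPullRequests PermissionScope = "pull-requests"
	PermissionRead         PermissionLevel = "read"
	PermissionWrite        PermissionLevel = "write"
)

// Reduced stand-in for the real config (added illustration). Field names are from
// the issue except CreatePullRequests (hypothetical); pointer types are assumed.
type SafeOutputsConfig struct {
	CreateIssues, UpdateIssues, CloseIssues, CreateComments *struct{}
	CreateDiscussions, CloseDiscussions                     *struct{}
	CreatePullRequests                                      *struct{}
}

// Grants only the scopes the configured outputs need; nil or empty config yields an empty map.
func ComputePermissionsForSafeOutputs(so *SafeOutputsConfig) map[PermissionScope]PermissionLevel {
	perms := map[PermissionScope]PermissionLevel{}
	if so == nil {
		return perms
	}
	if so.CreateIssues != nil || so.UpdateIssues != nil || so.CloseIssues != nil || so.CreateComments != nil {
		perms[PermissionIssues] = PermissionWrite
	}
	if so.CreateDiscussions != nil || so.CloseDiscussions != nil {
		perms[PermissionDiscussions] = PermissionWrite
	}
	if so.CreatePullRequests != nil {
		perms[PermissionPullRequests] = PermissionWrite
	}
	if len(perms) > 0 { // contents: read baseline only when some output is configured
		perms[PermissionContents] = PermissionRead
	}
	return perms
}

func main() {
	cfg := &SafeOutputsConfig{CreateDiscussions: &struct{}{}} // constructed sample
	fmt.Println(ComputePermissionsForSafeOutputs(cfg))
}
```

A workflow that configures only discussion outputs ends up with contents: read and discussions: write, and never receives issues or pull-requests scopes.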
Verification
After remediation, verify the fix by running:
bash scripts/check-safe-outputs-conformance.sh
The check IMP-002 should pass with: [PASS] IMP-002: Permission computation function exists
Also run the existing unit tests:
go test ./pkg/workflow/... -run TestComputePermissionsForSafeOutputs -v
References
- Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
- Conformance Checker: scripts/check-safe-outputs-conformance.sh
- Existing test file: pkg/workflow/safe_outputs_permissions_test.go
- Run ID: §22865094490
- Date: 2026-03-09
Generated by Daily Safe Outputs Conformance Checker