Bug
When a workflow defines safe-outputs: add-comment, gh aw compile generates the safe_outputs job with issues: write but not pull-requests: write. This causes the safe-output to fail with:
Resource not accessible by integration
when the agent tries to post a comment on a pull request.
Repro
Workflow frontmatter:
permissions:
  contents: read
  actions: read
  issues: read
  pull-requests: read
safe-outputs:
  add-comment:
    max: 3
Compiled lock file safe_outputs job permissions:
safe_outputs:
  permissions:
    contents: read
    discussions: write
    issues: write
    # pull-requests: write <-- MISSING
Expected
The compiler should add pull-requests: write to the safe_outputs job since add-comment can target both issues and pull requests.
Workaround
Manually edit the lock file to add pull-requests: write to the safe_outputs job permissions after compiling.
Example failure
https://github.com/ViktorHofer/msbuild-s1/actions/runs/22392168067 (safe_outputs job, "Process Safe Outputs" step)
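A check that could run in CI after compiling, so a lock file missing the scope is caught before the job fails at runtime. This is an added example, not part of the original report and not gh-aw code. The function names, the required-scope set (taken from this report) and the sample lock text are assumptions, and the scan expects the job under `jobs.safe_outputs` with block-style `permissions` as shown above.

```python
import re

# Scopes this report says add-comment needs on the safe_outputs job
# (assumption drawn from the report, not from the gh-aw source).
REQUIRED = {"issues": "write", "pull-requests": "write"}

# Constructed sample mirroring the compiled job permissions in the report.
SAMPLE_LOCK = """\
jobs:
  agent:
    permissions:
      contents: read
      pull-requests: read
  safe_outputs:
    permissions:
      contents: read
      discussions: write
      issues: write
      # pull-requests: write
"""

def job_permissions(lock_text, job):
    """Return the permissions mapping of jobs.<job> via an indentation scan."""
    perms, path = {}, []  # path: (indent, key) of the enclosing mappings
    for raw in lock_text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing/indented comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^(\s*)([\w-]+):\s*(.*)$", line)
        if not m:
            continue  # list items and free text are not part of a permissions map
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while path and path[-1][0] >= indent:
            path.pop()  # leave mappings that ended at this indentation
        if [k for _, k in path] == ["jobs", job, "permissions"] and value:
            perms[key] = value.strip("'\"")
        path.append((indent, key))
    return perms

def missing_scopes(lock_text, job="safe_outputs", required=REQUIRED):
    """List required scopes the job lacks or holds at a different level."""
    granted = job_permissions(lock_text, job)
    return sorted(s for s, lvl in required.items() if granted.get(s) != lvl)

if __name__ == "__main__":
    print(missing_scopes(SAMPLE_LOCK))
```

Only the named job is inspected, so a `pull-requests` grant on another job (such as the read-only one in the sample) does not mask the gap.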