Fix agentic triage workflow invalid id-token permission#11100

Merged
timotheeguerin merged 2 commits into main from fix/agentic-workflow-id-token on Jun 29, 2026
Conversation

@timotheeguerin

Member

Problem

The agentic triage workflow fails to run with:

GitHub Actions / .github/workflows/issue-triage.lock.yml Invalid workflow file
(Line: 388, Col: 17): Unexpected value 'read'

This started after #10984 ("Enable org-billed Copilot auth") replaced permissions: read-all with the gh-aw shorthand:

permissions:
  all: read
  copilot-requests: write

The all: read shorthand expands to every permission set to read — including id-token: read, which GitHub Actions rejects (id-token only accepts write or none). Bumping the compiler version alone does not fix this; the all: read source is the culprit.

Fix

Following the pattern used in Azure/azure-sdk-for-js#39089:

  • issue-triage.md & bump-tcgc-csharp.md: replace all: read with explicit contents: read + issues: read (keeping copilot-requests: write).
  • check-agentic-workflows.yml: bump the pinned gh-aw from v0.79.8 to v0.80.9 so the drift check matches.
  • Recompiled with gh aw compile (v0.80.9), regenerating the .lock.yml files, agentics-maintenance.yml, and actions-lock.json.
  • .github/actionlint.yml: ignore the generated agentics-maintenance.yml — the v0.80.9 generator emits an empty workflow_dispatch choice option (- '') that actionlint flags as a syntax error. (Same generator output as the reference PR.)

Verification

  • id-token no longer appears in any generated workflow.
  • Both lock files parse as valid YAML.
  • actionlint passes locally with exit 0.
  • Agent job permissions are now contents: read, issues: read, copilot-requests: write.

Ref: Agentic workflows no longer need a PAT

The 'all: read' permission shorthand expands to 'id-token: read', which
GitHub Actions rejects (id-token only allows write/none). Replace with
explicit 'contents: read' + 'issues: read' and bump gh-aw to v0.80.9.
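The failure described above (the `all: read` shorthand silently expanding to an `id-token: read` entry that GitHub Actions refuses) can be caught before `gh aw compile` runs. The script below is an added example, not code from gh-aw, GitHub, or this repository. It assumes two things not stated on this page: that `KNOWN_SCOPES` matches the permission keys listed in GitHub's `permissions` documentation (extra keys such as `copilot-requests` are passed through untouched), and that `all: <level>` expands to every known scope at that level with explicitly listed keys taking precedence, which is the expansion behaviour the PR description reports.

```python
"""Expand the gh-aw `all:` permissions shorthand and validate the result
against GitHub Actions' per-scope rules.

Added example, not gh-aw's or GitHub's code.  Assumptions (not from the PR):
  * KNOWN_SCOPES is the key list from GitHub's `permissions` documentation;
    keys outside it (e.g. copilot-requests) are left alone.
  * `all: <level>` becomes every key in KNOWN_SCOPES at <level>, with explicit
    keys in the same block overriding the shorthand.
"""

KNOWN_SCOPES = (
    "actions", "attestations", "checks", "contents", "deployments",
    "discussions", "id-token", "issues", "models", "packages", "pages",
    "pull-requests", "repository-projects", "security-events", "statuses",
)

# id-token is the one scope GitHub Actions will not accept at `read`.
ALLOWED_LEVELS = {scope: {"read", "write", "none"} for scope in KNOWN_SCOPES}
ALLOWED_LEVELS["id-token"] = {"write", "none"}


def expand_permissions(perms):
    """Return the explicit mapping a compiler would emit for `perms`.

    `perms` is the permissions block as a dict, e.g. {"all": "read", ...}.
    """
    expanded = {}
    if "all" in perms:
        for scope in KNOWN_SCOPES:
            expanded[scope] = perms["all"]
    for key, level in perms.items():
        if key != "all":          # explicit keys win over the shorthand
            expanded[key] = level
    return expanded


def validate_permissions(perms):
    """Return problems GitHub Actions would reject, or [] if the block is clean."""
    problems = []
    for scope, level in expand_permissions(perms).items():
        allowed = ALLOWED_LEVELS.get(scope)
        if allowed is None:
            continue  # not a GitHub scope (e.g. copilot-requests); skip it
        if level not in allowed:
            problems.append(
                f"{scope}: {level!r} not allowed (accepts {sorted(allowed)})"
            )
    return problems


# Constructed inputs mirroring the PR: the block introduced by #10984 and the fix.
BROKEN = {"all": "read", "copilot-requests": "write"}
FIXED = {"contents": "read", "issues": "read", "copilot-requests": "write"}

if __name__ == "__main__":
    print("broken:", validate_permissions(BROKEN))
    print("fixed: ", validate_permissions(FIXED))
```

Running the block reports exactly one problem for the broken block, `id-token: 'read' not allowed`, and nothing for the fixed one; dropping the shorthand in favour of explicit scopes also means no `id-token` key is emitted at all, which is the state the PR's verification section checks for.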
@github-actions

Contributor

No changes needing a change description found.

@azure-sdk-automation

azure-sdk-automation Bot commented Jun 26, 2026


You can try these changes here

🛝 Playground 🌐 Website 🛝 VSCode Extension

@timotheeguerin timotheeguerin added this pull request to the merge queue Jun 29, 2026
Merged via the queue into main with commit 93deb42 Jun 29, 2026
38 checks passed
@timotheeguerin timotheeguerin deleted the fix/agentic-workflow-id-token branch June 29, 2026 19:07