From ed838f4f5599879aa77c2afe5dc5bff23a4cd4ba Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 21 Mar 2026 15:31:08 +0000 Subject: [PATCH 1/3] Initial plan From d6fda79a0a512dbac82beca720ae18b60af21793 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 21 Mar 2026 15:59:22 +0000 Subject: [PATCH 2/3] Add dependabot-alerts GitHub App permission for dependabot toolset MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds support for the `dependabot-alerts` GitHub App permission, which is required to access Dependabot alerts via GitHub MCP when using a GitHub App token. Previously, the dependabot toolset only declared `security-events` (a GITHUB_TOKEN scope) but not the App-specific `dependabot-alerts` permission, causing 403 errors on /repos/{owner}/{repo}/dependabot/alerts. Changes: - Add PermissionDependabotAlerts as a GitHub App-only scope - Add dependabot-alerts to dependabot toolset read_permissions in JSON - Map dependabot-alerts → permission-dependabot-alerts in App token narrowing - Add dependabot-alerts to frontmatter types and schema - Add tests validating the new permission is emitted in App token minting Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/012903fa-2e5f-489e-8f5a-991cf42815f2 --- pkg/parser/schema_errors.go | 2 +- pkg/parser/schemas/main_workflow_schema.json | 5 ++ .../data/github_toolsets_permissions.json | 2 +- pkg/workflow/frontmatter_types.go | 6 +++ .../github_app_permissions_validation_test.go | 13 +++++ pkg/workflow/github_mcp_app_token_test.go | 47 +++++++++++++++++++ pkg/workflow/permissions.go | 4 ++ pkg/workflow/permissions_validator_test.go | 9 ++++ pkg/workflow/safe_outputs_app_config.go | 3 ++ 9 files changed, 89 insertions(+), 2 deletions(-) diff --git a/pkg/parser/schema_errors.go b/pkg/parser/schema_errors.go index 00852ef75a8..9d64d559129 100644 --- a/pkg/parser/schema_errors.go +++ b/pkg/parser/schema_errors.go @@ -214,7 +214,7 @@ func findFrontmatterBounds(lines []string) (startIdx int, endIdx int, frontmatte var knownFieldValidValues = map[string]string{ // This list mirrors permissions.oneOf[1].properties in main_workflow_schema.json. // Update both when the schema changes. - "/permissions": "Valid permission scopes: actions, all, attestations, checks, contents, deployments, discussions, id-token, issues, metadata, models, organization-projects, packages, pages, pull-requests, repository-projects, security-events, statuses", + "/permissions": "Valid permission scopes: actions, all, attestations, checks, contents, dependabot-alerts, deployments, discussions, id-token, issues, metadata, models, organization-projects, packages, pages, pull-requests, repository-projects, security-events, statuses", } // appendKnownFieldValidValuesHint appends a "Valid values: …" hint to message when the diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index 30e749183fa..4ea9177c2ab 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json @@ -1861,6 +1861,11 @@ "enum": ["read", "write", "none"], "description": "Permission level for commit statuses (read/write/none). Controls access to create and update commit status checks." }, + "dependabot-alerts": { + "type": "string", + "enum": ["read", "none"], + "description": "Permission level for Dependabot alerts (read/none). GitHub App-only permission: controls access to view Dependabot vulnerability alerts. Requires a GitHub App token — the GITHUB_TOKEN does not have this permission." + }, "all": { "type": "string", "enum": ["read"], diff --git a/pkg/workflow/data/github_toolsets_permissions.json b/pkg/workflow/data/github_toolsets_permissions.json index 9ddfe925f18..5814dcaf048 100644 --- a/pkg/workflow/data/github_toolsets_permissions.json +++ b/pkg/workflow/data/github_toolsets_permissions.json @@ -22,7 +22,7 @@ }, "dependabot": { "description": "Dependabot alerts", - "read_permissions": ["security-events"], + "read_permissions": ["security-events", "dependabot-alerts"], "write_permissions": [], "tools": ["get_dependabot_alert", "list_dependabot_alerts"] }, diff --git a/pkg/workflow/frontmatter_types.go b/pkg/workflow/frontmatter_types.go index d0b75821acb..2c61b358b22 100644 --- a/pkg/workflow/frontmatter_types.go +++ b/pkg/workflow/frontmatter_types.go @@ -80,6 +80,7 @@ type GitHubAppPermissionsConfig struct { OrganizationCodespaces string `json:"organization-codespaces,omitempty"` // Repository-level permissions Administration string `json:"administration,omitempty"` + DependabotAlerts string `json:"dependabot-alerts,omitempty"` Environments string `json:"environments,omitempty"` GitSigning string `json:"git-signing,omitempty"` VulnerabilityAlerts string `json:"vulnerability-alerts,omitempty"` @@ -439,6 +440,8 @@ func parsePermissionsConfig(permissions map[string]any) (*PermissionsConfig, err // GitHub App-only permission scopes case "administration": config.Administration = levelStr + case "dependabot-alerts": + config.DependabotAlerts = levelStr case "environments": config.Environments = levelStr case "git-signing": @@ -926,6 +929,9 @@ func permissionsConfigToMap(config *PermissionsConfig) map[string]any { if config.Administration != "" { result["administration"] = config.Administration } + if config.DependabotAlerts != "" { + result["dependabot-alerts"] = config.DependabotAlerts + } if config.Environments != "" { result["environments"] = config.Environments } diff --git a/pkg/workflow/github_app_permissions_validation_test.go b/pkg/workflow/github_app_permissions_validation_test.go index 017b0a994cc..49ab085d085 100644 --- a/pkg/workflow/github_app_permissions_validation_test.go +++ b/pkg/workflow/github_app_permissions_validation_test.go @@ -232,6 +232,7 @@ func TestIsGitHubAppOnlyScope(t *testing.T) { {PermissionOrganizationProj, true}, // GitHub App-only scopes - should return true {PermissionAdministration, true}, + {PermissionDependabotAlerts, true}, {PermissionMembers, true}, {PermissionOrganizationAdministration, true}, {PermissionEnvironments, true}, @@ -268,6 +269,7 @@ func TestGetAllGitHubAppOnlyScopes(t *testing.T) { // Verify some key scopes are included keyScopes := []PermissionScope{ PermissionAdministration, + PermissionDependabotAlerts, PermissionMembers, PermissionOrganizationAdministration, PermissionEnvironments, @@ -437,6 +439,17 @@ func TestConvertPermissionsToAppTokenFields_GitHubAppOnly(t *testing.T) { "permission-vulnerability-alerts": "read", }, }, + { + name: "dependabot-alerts maps to permission-dependabot-alerts", + permissions: func() *Permissions { + p := NewPermissions() + p.Set(PermissionDependabotAlerts, PermissionRead) + return p + }(), + expectedFields: map[string]string{ + "permission-dependabot-alerts": "read", + }, + }, { name: "models permission is NOT mapped (no GitHub App equivalent)", permissions: func() *Permissions { diff --git a/pkg/workflow/github_mcp_app_token_test.go b/pkg/workflow/github_mcp_app_token_test.go index 146d3909d7b..80d72a78494 100644 --- a/pkg/workflow/github_mcp_app_token_test.go +++ b/pkg/workflow/github_mcp_app_token_test.go @@ -309,3 +309,50 @@ Test that determine-automatic-lockdown is generated even when app is configured. assert.Contains(t, lockContent, "id: github-mcp-app-token", "GitHub App token step should still be generated") assert.Contains(t, lockContent, "GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }}", "App token should be used for MCP server") } + +// TestGitHubMCPAppTokenWithDependabotToolset tests that permission-dependabot-alerts is included +// when the dependabot toolset is configured with a GitHub App. +func TestGitHubMCPAppTokenWithDependabotToolset(t *testing.T) { + compiler := NewCompilerWithVersion("1.0.0") + + markdown := `--- +on: issues +permissions: + contents: read + security-events: read + dependabot-alerts: read +strict: false +tools: + github: + mode: local + toolsets: [dependabot] + github-app: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} +--- + +# Test Workflow + +Test that permission-dependabot-alerts is emitted in the App token minting step. +` + + tmpDir := t.TempDir() + testFile := filepath.Join(tmpDir, "test.md") + err := os.WriteFile(testFile, []byte(markdown), 0644) + require.NoError(t, err, "Failed to write test file") + + err = compiler.CompileWorkflow(testFile) + require.NoError(t, err, "Failed to compile workflow") + + lockFile := strings.TrimSuffix(testFile, ".md") + ".lock.yml" + content, err := os.ReadFile(lockFile) + require.NoError(t, err, "Failed to read lock file") + lockContent := string(content) + + // Verify the dependabot-alerts permission is passed to the App token minting step + assert.Contains(t, lockContent, "permission-dependabot-alerts: read", "Should include dependabot-alerts read permission in App token") + // Verify that security-events is also still passed through + assert.Contains(t, lockContent, "permission-security-events: read", "Should also include security-events read permission in App token") + // Verify the token minting step is present + assert.Contains(t, lockContent, "id: github-mcp-app-token", "GitHub App token step should be generated") +} diff --git a/pkg/workflow/permissions.go b/pkg/workflow/permissions.go index baa36c363d5..b9b879cce8f 100644 --- a/pkg/workflow/permissions.go +++ b/pkg/workflow/permissions.go @@ -53,6 +53,8 @@ func convertStringToPermissionScope(key string) PermissionScope { return PermissionOrganizationProj case "administration": return PermissionAdministration + case "dependabot-alerts": + return PermissionDependabotAlerts case "members": return PermissionMembers case "organization-administration": @@ -162,6 +164,7 @@ const ( // Repository-level GitHub App permissions PermissionAdministration PermissionScope = "administration" + PermissionDependabotAlerts PermissionScope = "dependabot-alerts" PermissionEnvironments PermissionScope = "environments" PermissionGitSigning PermissionScope = "git-signing" PermissionVulnerabilityAlerts PermissionScope = "vulnerability-alerts" @@ -228,6 +231,7 @@ func GetAllGitHubAppOnlyScopes() []PermissionScope { return []PermissionScope{ // Repository-level GitHub App permissions PermissionAdministration, + PermissionDependabotAlerts, PermissionEnvironments, PermissionGitSigning, PermissionVulnerabilityAlerts, diff --git a/pkg/workflow/permissions_validator_test.go b/pkg/workflow/permissions_validator_test.go index 609c7a0a8ab..d90f484afb5 100644 --- a/pkg/workflow/permissions_validator_test.go +++ b/pkg/workflow/permissions_validator_test.go @@ -88,6 +88,15 @@ func TestCollectRequiredPermissions(t *testing.T) { PermissionDiscussions: PermissionRead, }, }, + { + name: "Dependabot toolset requires dependabot-alerts and security-events", + toolsets: []string{"dependabot"}, + readOnly: false, + expected: map[PermissionScope]PermissionLevel{ + PermissionSecurityEvents: PermissionRead, + PermissionDependabotAlerts: PermissionRead, + }, + }, { name: "Projects toolset (requires PAT - no permissions)", toolsets: []string{"projects"}, diff --git a/pkg/workflow/safe_outputs_app_config.go b/pkg/workflow/safe_outputs_app_config.go index 92b7bbddf7f..3d762dafe79 100644 --- a/pkg/workflow/safe_outputs_app_config.go +++ b/pkg/workflow/safe_outputs_app_config.go @@ -255,6 +255,9 @@ func convertPermissionsToAppTokenFields(permissions *Permissions) map[string]str if level, ok := permissions.GetExplicit(PermissionAdministration); ok { fields["permission-administration"] = string(level) } + if level, ok := permissions.GetExplicit(PermissionDependabotAlerts); ok { + fields["permission-dependabot-alerts"] = string(level) + } if level, ok := permissions.GetExplicit(PermissionEnvironments); ok { fields["permission-environments"] = string(level) } From f775a0cca08c422f0a532f385d2836612384e658 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 21 Mar 2026 16:16:16 +0000 Subject: [PATCH 3/3] Fix: use correct GitHub App permission vulnerability-alerts for Dependabot Per the GitHub REST API docs (POST /app/installations/{id}/access_tokens), the permission that grants access to Dependabot alerts is vulnerability_alerts (maps to permission-vulnerability-alerts in actions/create-github-app-token), NOT the non-existent dependabot-alerts permission introduced in the prior commit. Changes: - Revert the fake PermissionDependabotAlerts scope and all its wiring - Update dependabot toolset read_permissions to use vulnerability-alerts alongside security-events (vulnerability-alerts is the GitHub App-only permission that controls access to /repos/{owner}/{repo}/dependabot/alerts) - Add vulnerability-alerts to the frontmatter schema so users can declare it - Update hint text and tests to use the correct permission name Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Agent-Logs-Url: https://github.com/github/gh-aw/sessions/335b886b-1e47-44ae-8018-26bcde5b78c5 --- pkg/parser/schema_errors.go | 2 +- pkg/parser/schemas/main_workflow_schema.json | 6 +++--- pkg/workflow/data/github_toolsets_permissions.json | 2 +- pkg/workflow/frontmatter_types.go | 6 ------ .../github_app_permissions_validation_test.go | 13 ------------- pkg/workflow/github_mcp_app_token_test.go | 14 +++++++++----- pkg/workflow/permissions.go | 4 ---- pkg/workflow/permissions_validator_test.go | 6 +++--- pkg/workflow/safe_outputs_app_config.go | 3 --- 9 files changed, 17 insertions(+), 39 deletions(-) diff --git a/pkg/parser/schema_errors.go b/pkg/parser/schema_errors.go index 9d64d559129..1e2fc3cefaa 100644 --- a/pkg/parser/schema_errors.go +++ b/pkg/parser/schema_errors.go @@ -214,7 +214,7 @@ func findFrontmatterBounds(lines []string) (startIdx int, endIdx int, frontmatte var knownFieldValidValues = map[string]string{ // This list mirrors permissions.oneOf[1].properties in main_workflow_schema.json. // Update both when the schema changes. - "/permissions": "Valid permission scopes: actions, all, attestations, checks, contents, dependabot-alerts, deployments, discussions, id-token, issues, metadata, models, organization-projects, packages, pages, pull-requests, repository-projects, security-events, statuses", + "/permissions": "Valid permission scopes: actions, all, attestations, checks, contents, deployments, discussions, id-token, issues, metadata, models, organization-projects, packages, pages, pull-requests, repository-projects, security-events, statuses, vulnerability-alerts", } // appendKnownFieldValidValuesHint appends a "Valid values: …" hint to message when the diff --git a/pkg/parser/schemas/main_workflow_schema.json b/pkg/parser/schemas/main_workflow_schema.json index 4ea9177c2ab..fa055a3b959 100644 --- a/pkg/parser/schemas/main_workflow_schema.json +++ b/pkg/parser/schemas/main_workflow_schema.json @@ -1861,10 +1861,10 @@ "enum": ["read", "write", "none"], "description": "Permission level for commit statuses (read/write/none). Controls access to create and update commit status checks." }, - "dependabot-alerts": { + "vulnerability-alerts": { "type": "string", - "enum": ["read", "none"], - "description": "Permission level for Dependabot alerts (read/none). GitHub App-only permission: controls access to view Dependabot vulnerability alerts. Requires a GitHub App token — the GITHUB_TOKEN does not have this permission." + "enum": ["read", "write", "none"], + "description": "Permission level for Dependabot vulnerability alerts (read/write/none). GitHub App-only permission: required to access Dependabot alerts via the GitHub MCP server. The GITHUB_TOKEN does not have this permission — a GitHub App must be configured." }, "all": { "type": "string", diff --git a/pkg/workflow/data/github_toolsets_permissions.json b/pkg/workflow/data/github_toolsets_permissions.json index 5814dcaf048..cf745dd7beb 100644 --- a/pkg/workflow/data/github_toolsets_permissions.json +++ b/pkg/workflow/data/github_toolsets_permissions.json @@ -22,7 +22,7 @@ }, "dependabot": { "description": "Dependabot alerts", - "read_permissions": ["security-events", "dependabot-alerts"], + "read_permissions": ["security-events", "vulnerability-alerts"], "write_permissions": [], "tools": ["get_dependabot_alert", "list_dependabot_alerts"] }, diff --git a/pkg/workflow/frontmatter_types.go b/pkg/workflow/frontmatter_types.go index 2c61b358b22..d0b75821acb 100644 --- a/pkg/workflow/frontmatter_types.go +++ b/pkg/workflow/frontmatter_types.go @@ -80,7 +80,6 @@ type GitHubAppPermissionsConfig struct { OrganizationCodespaces string `json:"organization-codespaces,omitempty"` // Repository-level permissions Administration string `json:"administration,omitempty"` - DependabotAlerts string `json:"dependabot-alerts,omitempty"` Environments string `json:"environments,omitempty"` GitSigning string `json:"git-signing,omitempty"` VulnerabilityAlerts string `json:"vulnerability-alerts,omitempty"` @@ -440,8 +439,6 @@ func parsePermissionsConfig(permissions map[string]any) (*PermissionsConfig, err // GitHub App-only permission scopes case "administration": config.Administration = levelStr - case "dependabot-alerts": - config.DependabotAlerts = levelStr case "environments": config.Environments = levelStr case "git-signing": @@ -929,9 +926,6 @@ func permissionsConfigToMap(config *PermissionsConfig) map[string]any { if config.Administration != "" { result["administration"] = config.Administration } - if config.DependabotAlerts != "" { - result["dependabot-alerts"] = config.DependabotAlerts - } if config.Environments != "" { result["environments"] = config.Environments } diff --git a/pkg/workflow/github_app_permissions_validation_test.go b/pkg/workflow/github_app_permissions_validation_test.go index 49ab085d085..017b0a994cc 100644 --- a/pkg/workflow/github_app_permissions_validation_test.go +++ b/pkg/workflow/github_app_permissions_validation_test.go @@ -232,7 +232,6 @@ func TestIsGitHubAppOnlyScope(t *testing.T) { {PermissionOrganizationProj, true}, // GitHub App-only scopes - should return true {PermissionAdministration, true}, - {PermissionDependabotAlerts, true}, {PermissionMembers, true}, {PermissionOrganizationAdministration, true}, {PermissionEnvironments, true}, @@ -269,7 +268,6 @@ func TestGetAllGitHubAppOnlyScopes(t *testing.T) { // Verify some key scopes are included keyScopes := []PermissionScope{ PermissionAdministration, - PermissionDependabotAlerts, PermissionMembers, PermissionOrganizationAdministration, PermissionEnvironments, @@ -439,17 +437,6 @@ func TestConvertPermissionsToAppTokenFields_GitHubAppOnly(t *testing.T) { "permission-vulnerability-alerts": "read", }, }, - { - name: "dependabot-alerts maps to permission-dependabot-alerts", - permissions: func() *Permissions { - p := NewPermissions() - p.Set(PermissionDependabotAlerts, PermissionRead) - return p - }(), - expectedFields: map[string]string{ - "permission-dependabot-alerts": "read", - }, - }, { name: "models permission is NOT mapped (no GitHub App equivalent)", permissions: func() *Permissions { diff --git a/pkg/workflow/github_mcp_app_token_test.go b/pkg/workflow/github_mcp_app_token_test.go index 80d72a78494..a2dc2719921 100644 --- a/pkg/workflow/github_mcp_app_token_test.go +++ b/pkg/workflow/github_mcp_app_token_test.go @@ -310,8 +310,11 @@ Test that determine-automatic-lockdown is generated even when app is configured. assert.Contains(t, lockContent, "GITHUB_MCP_SERVER_TOKEN: ${{ steps.github-mcp-app-token.outputs.token }}", "App token should be used for MCP server") } -// TestGitHubMCPAppTokenWithDependabotToolset tests that permission-dependabot-alerts is included +// TestGitHubMCPAppTokenWithDependabotToolset tests that permission-vulnerability-alerts is included // when the dependabot toolset is configured with a GitHub App. +// The correct GitHub App permission for Dependabot alerts is "vulnerability_alerts" +// (see https://docs.github.com/en/rest/apps/apps#create-an-installation-access-token-for-an-app), +// which maps to "permission-vulnerability-alerts" in actions/create-github-app-token. func TestGitHubMCPAppTokenWithDependabotToolset(t *testing.T) { compiler := NewCompilerWithVersion("1.0.0") @@ -320,7 +323,7 @@ on: issues permissions: contents: read security-events: read - dependabot-alerts: read + vulnerability-alerts: read strict: false tools: github: @@ -333,7 +336,7 @@ tools: # Test Workflow -Test that permission-dependabot-alerts is emitted in the App token minting step. +Test that permission-vulnerability-alerts is emitted in the App token minting step. ` tmpDir := t.TempDir() @@ -349,8 +352,9 @@ Test that permission-dependabot-alerts is emitted in the App token minting step. require.NoError(t, err, "Failed to read lock file") lockContent := string(content) - // Verify the dependabot-alerts permission is passed to the App token minting step - assert.Contains(t, lockContent, "permission-dependabot-alerts: read", "Should include dependabot-alerts read permission in App token") + // Verify the vulnerability-alerts permission is passed to the App token minting step + // This is the correct GitHub App permission name for Dependabot alerts + assert.Contains(t, lockContent, "permission-vulnerability-alerts: read", "Should include vulnerability-alerts read permission in App token") // Verify that security-events is also still passed through assert.Contains(t, lockContent, "permission-security-events: read", "Should also include security-events read permission in App token") // Verify the token minting step is present diff --git a/pkg/workflow/permissions.go b/pkg/workflow/permissions.go index b9b879cce8f..baa36c363d5 100644 --- a/pkg/workflow/permissions.go +++ b/pkg/workflow/permissions.go @@ -53,8 +53,6 @@ func convertStringToPermissionScope(key string) PermissionScope { return PermissionOrganizationProj case "administration": return PermissionAdministration - case "dependabot-alerts": - return PermissionDependabotAlerts case "members": return PermissionMembers case "organization-administration": @@ -164,7 +162,6 @@ const ( // Repository-level GitHub App permissions PermissionAdministration PermissionScope = "administration" - PermissionDependabotAlerts PermissionScope = "dependabot-alerts" PermissionEnvironments PermissionScope = "environments" PermissionGitSigning PermissionScope = "git-signing" PermissionVulnerabilityAlerts PermissionScope = "vulnerability-alerts" @@ -231,7 +228,6 @@ func GetAllGitHubAppOnlyScopes() []PermissionScope { return []PermissionScope{ // Repository-level GitHub App permissions PermissionAdministration, - PermissionDependabotAlerts, PermissionEnvironments, PermissionGitSigning, PermissionVulnerabilityAlerts, diff --git a/pkg/workflow/permissions_validator_test.go b/pkg/workflow/permissions_validator_test.go index d90f484afb5..b871783e322 100644 --- a/pkg/workflow/permissions_validator_test.go +++ b/pkg/workflow/permissions_validator_test.go @@ -89,12 +89,12 @@ func TestCollectRequiredPermissions(t *testing.T) { }, }, { - name: "Dependabot toolset requires dependabot-alerts and security-events", + name: "Dependabot toolset requires vulnerability-alerts and security-events", toolsets: []string{"dependabot"}, readOnly: false, expected: map[PermissionScope]PermissionLevel{ - PermissionSecurityEvents: PermissionRead, - PermissionDependabotAlerts: PermissionRead, + PermissionSecurityEvents: PermissionRead, + PermissionVulnerabilityAlerts: PermissionRead, }, }, { diff --git a/pkg/workflow/safe_outputs_app_config.go b/pkg/workflow/safe_outputs_app_config.go index 3d762dafe79..92b7bbddf7f 100644 --- a/pkg/workflow/safe_outputs_app_config.go +++ b/pkg/workflow/safe_outputs_app_config.go @@ -255,9 +255,6 @@ func convertPermissionsToAppTokenFields(permissions *Permissions) map[string]str if level, ok := permissions.GetExplicit(PermissionAdministration); ok { fields["permission-administration"] = string(level) } - if level, ok := permissions.GetExplicit(PermissionDependabotAlerts); ok { - fields["permission-dependabot-alerts"] = string(level) - } if level, ok := permissions.GetExplicit(PermissionEnvironments); ok { fields["permission-environments"] = string(level) }