docs: Remove write permissions from all examples, use safe-outputs pattern #3576

Merged: pelikhan merged 2 commits into docs/unbloat-permissions-07a13c3cab7546f7 from copilot/sub-pr-3575 on Nov 11, 2025

Copilot AI commented Nov 10, 2025

Removed all direct write permissions from documentation examples per feedback that write permissions are not recommended in agentic workflows. All examples now follow the recommended pattern: read-only permissions with write operations handled through safe-outputs.

Changes

Top-level example - Replaced issues: write / pull-requests: write with actions: read + safe-outputs:

permissions:
  contents: read
  actions: read
safe-outputs:
  create-issue:
  add-comment:

Security-First Design - Changed principle from "Explicit permissions" to "No direct write permissions"

Configuration examples - All configuration examples now demonstrate safe-outputs pattern instead of direct write permissions

Shorthand options - Moved write-all from bullet list to caution callout explicitly warning against write permissions

Common Patterns - Removed write permissions from all four workflow patterns:

  • IssueOps: contents: read + actions: read with add-comment safe output
  • PR Review: contents: read + actions: read with create-pr-review-comment safe output
  • Scheduled: contents: read + actions: read with create-issue safe output
  • Manual: read-all with approval gate (unchanged)

Validation errors - Updated to reference "direct write permissions in the main job" instead of generic "write permissions without safe outputs"

Screenshots

Updated permissions page showing recommended pattern:
Permissions page

Common patterns with read-only + safe-outputs approach:
Common patterns
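
The read-only plus safe-outputs pattern described above can be checked mechanically. This Python lint is an added example, not part of the PR and not gh-aw's own validator; the function names, finding messages and the constructed `BEFORE` sample are assumptions, and the parser handles only the two-level mappings shown in the description.

```python
# Added example: flag direct write permissions in workflow frontmatter.
# Rules are inferred from this PR's description, not taken from gh-aw's validator.

def parse_frontmatter(text):
    """Parse top-level keys holding either a scalar or one nested block of keys."""
    doc, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if line[0] not in " \t":               # top-level key starts a section
            section = key
            doc[key] = value if value else {}
        elif isinstance(doc.get(section), dict):
            doc[section][key] = value          # nested key, e.g. "contents: read"
    return doc

def find_write_permissions(text):
    """Return findings; an empty list means the main job is read-only."""
    doc = parse_frontmatter(text)
    perms = doc.get("permissions", {})
    findings = []
    if perms == "write-all":
        findings.append("permissions: write-all grants write access to every scope")
    elif isinstance(perms, dict):
        for scope, level in perms.items():
            if level == "write":
                findings.append(f"{scope}: write is a direct write permission in the main job")
    if findings and not doc.get("safe-outputs"):
        findings.append("no safe-outputs declared; route write operations through them")
    return findings

# Constructed "before" sample using the scopes the PR says it replaced.
BEFORE = """\
permissions:
  contents: read
  issues: write
  pull-requests: write
"""
# The top-level example from the PR description.
AFTER = """\
permissions:
  contents: read
  actions: read
safe-outputs:
  create-issue:
  add-comment:
"""
```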


Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Nov 10, 2025

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • telemetry.astro.build
    • Triggering command: node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro dev (dns block)
    • Triggering command: node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] Remove bloat from permissions.md documentation" to "docs: Remove write permissions from all examples, use safe-outputs pattern" on Nov 10, 2025
Copilot AI requested a review from pelikhan on November 10, 2025 23:41
pelikhan marked this pull request as ready for review on November 11, 2025 00:30
pelikhan merged commit c4e342e into docs/unbloat-permissions-07a13c3cab7546f7 on Nov 11, 2025
pelikhan deleted the copilot/sub-pr-3575 branch on November 11, 2025 00:30