Copilot · 2026-03-31T05:09:07Z

The detection job builder was double-indenting permission values by calling indentYAMLLines(" ") on output from RenderToYAML(), which already hard-codes 6-space indentation for permission values. The result was 10-space indentation instead of the correct 6, producing invalid YAML like:

  detection:
    permissions:
          copilot-requests: write  # ← 10 spaces (bug)

Changes

pkg/workflow/threat_detection.go: Remove the indentYAMLLines call on permissions — consistent with every other job builder (compiler_unlock_job.go, notify_comment.go, safe_outputs_jobs.go, etc.), which all assign RenderToYAML() output directly. The main job is the sole exception, and it correctly normalizes indentation via filterJobLevelPermissions() first before passing through indentYAMLLines.
pkg/workflow/threat_detection_test.go: Add regression test TestDetectionJobPermissionsIndentation verifying the rendered YAML has 6-space permission values and explicitly rejects 10-space indentation.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

https://api.github.com/graphql
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw --auto /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel gh /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw git /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/node/24.14.0/x64/bin/node /usr/bin/git vars.MY_VAR git /usr/bin/git git (http block)
https://api.github.com/orgs/test-owner/actions/secrets
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name g/workflow/compile_config_test.g-errorsas g/workflow/resolve.go x_amd64/vet g/workflow/featush g/workflow/safe_-c g/workflow/schemnpx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path ../../../.prettierignore x_amd64/vet g/wo�� g/workflow/reaction_none_test.go-errorsas g/workflow/engine_concurrency_in-ifaceassert x_amd64/vet gpg.program (http block)
- Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)
https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel 64/pkg/tool/linu-extld=gcc /usr/bin/git k/gh-aw/gh-aw/pkgit .cfg 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linutest@example.com /usr/bin/gh ../pkg/workflow/git /home/REDACTED/worrev-parse x_amd64/vet gh (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel node /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha ache/go/1.25.0/x--show-toplevel git /opt/hostedtoolcache/node/24.14.0/x64/bin/node /usr/bin/git ache/go/1.25.0/xrev-parse /usr/bin/git node js/f�� /usr/bin/git git /opt/hostedtoolcache/node/24.14.0/x64/bin/node /tmp/shared-actigit config -d node (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v3
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha SAvX/504qIP2Ap9KFrPf9SAvX l ache/node/24.14.0/x64/bin/node ignore-path ../.git g/workflow/triggrev-parse x_amd64/vet 6794400/b434/importcfg t-35�� sistency_WithImports2836400196/001/main.md k/gh-aw/gh-aw/pkg/parser/import_cycle_test.go /usr/bin/git g/workflow/compigit g/workflow/resolrev-parse x_amd64/vet git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha .cfg git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel git 0/x64/bin/node --show-toplevel git /usr/bin/git git cjs --show-toplevel git ache/node/24.14.0/x64/bin/node licyBlockedUsersgit git ache/node/24.14.--show-toplevel git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v5
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha se 1149130/b321/vet.cfg 64/bin/bash (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha xterm-color ache/go/1.25.0/xconfig /usr/bin/git se 1149130/b089/vetrev-parse x_amd64/compile git rev-�� --show-toplevel x_amd64/compile /usr/bin/git */*.ts' '**/*.jsgit 1149130/b184/vetrev-parse tions/setup/node--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.0/xremote.origin.url /usr/bin/git te '../../../**/git -buildtags ache/go/1.25.0/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet n-dir/node --noprofile -tests /home/REDACTED/wor--show-toplevel git (http block)
https://api.github.com/repos/actions/checkout/git/ref/tags/v6
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.0/x-tests /usr/bin/git 1903-13973/test-git /tmp/go-build189rev-parse .cfg git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linutest@example.com /usr/bin/git te '../../../**/git -buildtags ache/go/1.25.0/x--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq .object.sha 2579472752/.github/workflows git /usr/bin/git --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git rev-�� --show-toplevel git (http block)
https://api.github.com/repos/actions/github-script/git/ref/tags/v8
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha g/workflow/compile_config_test.go g/workflow/resolve.go de g/workflow/featush g/workflow/safe_-c g/workflow/schemnpx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path x_amd64/vet /pre�� g/workflow/reaction_none_test.go-errorsas g/workflow/engine_concurrency_in-ifaceassert x_amd64/vet committer.email (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha it} --local x_amd64/vet committer.email (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha g/workflow/reaction_none_test.go-errorsas g/workflow/engine_concurrency_in-ifaceassert x_amd64/vet gpg.program (http block)
https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel 64/pkg/tool/linu-test.v=true /usr/bin/git --local .cfg 64/pkg/tool/linu--show-toplevel git -C /tmp/gh-aw-test-runs/20260331-051903-13973/test-2925028024 status /usr/bin/git .github/workflowgit --auto 64/pkg/tool/linu--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha 9525/001/stability-test.md git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --show-toplevel rop.prop.prop.prop.prop.prop.protest@example.com /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /opt/hostedtoolcache/node/24.14.0/x64/bin/node /usr/bin/git git /usr/bin/git node (http block)
https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha /tmp/file-tracker-test1684680640/test1.md /tmp/file-tracker-test1684680640/test2.lock.yml /usr/bin/git with-tools.md committer.email sh git rev-�� --git-dir 64/pkg/tool/linu-tests /usr/bin/git on' --ignore-patgit .cfg 64/pkg/tool/linu--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha 2579472752/.github/workflows git /usr/bin/git --show-toplevel /tmp/go-build285rev-parse repository(owne--show-toplevel git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha --show-toplevel 0/x64/bin/node /usr/bin/git /tmp/gh-aw-test-git config /usr/bin/infocmp--show-toplevel git rev-�� --show-toplevel infocmp /opt/hostedtoolcache/node/24.14.0/x64/bin/node xterm-color git /usr/bin/git node (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha /tmp/TestHashConsistency_GoAndJavaScript2089324890/001/test-inlined-imports-enabled-with-body-cogit 64/pkg/tool/linu-trimpath /usr/bin/git --local .cfg _modules/.bin/sh--show-toplevel git comm�� nt/action/git/ref/tags/v999.999.999 Add workflow /opt/hostedtoolcache/node/24.14.0/x64/bin/node on' --ignore-patgit .cfg 64/pkg/tool/linu--show-toplevel node (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel node /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 6794400/b450/tesrev-parse /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --show-topleve 8000 l git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha "prettier" --write 'scripts/**/*.js' --ignore-path .prettierignore --log-level=error (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git user.name Test User /usr/bin/git git comm�� tags/v5 Initial commit /usr/bin/git --get remote.origin.urrev-parse /usr/bin/infocmp--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git 0/x64/bin/node 2107-20218/test-git -type d -name brev-parse /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.0/x64/pkg/tool/linux_amd64/link 0/x64/bin/node /tmp/go-build219git -importcfg /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha 1903-13973/test-2925028024 (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel -extld=gcc /usr/bin/git git conf�� user.name Test User /usr/bin/git --get remote.origin.urrev-parse /usr/bin/infocmp--show-toplevel git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git 0/x64/bin/node 2107-20218/test-git node /usr/bin/git git rev-�� --show-toplevel git 0/x64/bin/node --show-toplevel resolved$ /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 1149130/b059/vet.cfg n-dir/node /home/REDACTED/worgit /home/REDACTED/worrev-parse /home/REDACTED/wor--show-toplevel ache/go/1.25.0/x64/pkg/tool/linu-trimpath tion�� 1418908136/.github/workflows 1149130/b222/vet.cfg ache/go/1.25.0/x64/pkg/tool/linu-lang=go1.25 (http block)
- Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� archie.md git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 1149130/b050/vet-w tions/node_modul-buildmode=exe /home/REDACTED/worgit /home/REDACTED/worrev-parse /home/REDACTED/wor--show-toplevel ache/go/1.25.0/x-extld=gcc tion�� se 1149130/b205/vet.cfg 0/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/sh (http block)
- Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 6794400/b441/imprev-parse /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 1149130/b044/vetmain tions/setup/node-lang=go1.25 /home/REDACTED/worgit /home/REDACTED/worrev-parse /home/REDACTED/wor--show-toplevel ache/go/1.25.0/x-dwarf=false tion�� se 1149130/b213/vet-c=4 ache/go/1.25.0/x-nolocalimports (http block)
- Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 git /usr/bin/git --show-toplevel 0/x64/bin/node /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 6794400/b444/imprev-parse /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 1149130/b068/vet.cfg ache/go/1.25.0/x64/pkg/tool/linu-test.short=true /home/REDACTED/worgit /home/REDACTED/worinit /home/REDACTED/work/gh-aw/gh-aw/pk--get ache/go/1.25.0/x64/pkg/tool/linuremote.origin.url tion�� 1418908136/.github/workflows 1149130/b230/vet.cfg n-dir/sh (http block)
- Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 git /usr/bin/git --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 1149130/b051/vet.cfg 86_64/node /home/REDACTED/worgit /home/REDACTED/worrev-parse /home/REDACTED/wor--show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet tion�� 1418908136/.github/workflows 1149130/b224/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 git At,event,headBranch,headSha,displayTitle --show-toplevel 0/x64/bin/node /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 1149130/b056/vet.cfg ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet /home/REDACTED/worgit /home/REDACTED/worrev-parse /home/REDACTED/wor--show-toplevel ache/go/1.25.0/x64/pkg/tool/linux_amd64/vet tion�� 1418908136/.github/workflows 1149130/b226/vet.cfg 0/x64/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/sh (http block)
- Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 git /usr/bin/git --show-toplevel /opt/hostedtoolcconfig /usr/bin/git git rev-�� --show-toplevel git 0/x64/bin/node tmp/TestGetNpmBigit git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 1149130/b128/vet.cfg 64/bin/node /home/REDACTED/wornode /home/REDACTED/wor/tmp/js-hash-test-2816410188/test-hash.js /home/REDACTED/wor/home/REDACTED/work/gh-aw/gh-aw/.github/workflows/ace-editor.md ache/go/1.25.0/x64/pkg/tool/linurev-parse tion�� 1418908136/.github/workflows 1149130/b225/vet.cfg 86_64/sh (http block)
- Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 git /usr/bin/git --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git rev-�� archie.md git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path get --local x_amd64/vet credential.helpenode (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
- Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel x_amd64/compile /usr/bin/git ty-test.md 1149130/b097/vetrev-parse 0/x64/bin/node git rev-�� --show-toplevel ache/go/1.25.0/x64/pkg/tool/linurev-parse /usr/bin/git mpiledOutput3285git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha ithub/workflows git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel node /usr/bin/git git (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha */*.ts' '**/*.js@{u} 1149130/b116/vet.cfg tions/node_modules/.bin/sh (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel x_amd64/vet /usr/bin/git --write **/*.cjs /home/REDACTED/wor--show-toplevel git rev-�� --show-toplevel sh /usr/bin/git "prettier" --wrigit (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha w/js/**/*.json' --ignore-path credential.usern../../../.prettierignore 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linu/tmp/js-hash-test-4242952929/test-hash.js /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel /opt/hostedtoolcrev-parse /usr/bin/git git (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha w/js/**/*.json' --ignore-path credential.usern../../../.prettierignore 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha --local credential.username 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha --local credential.helper x_amd64/vet (http block)
https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha w/js/**/*.json' --ignore-path credential.usern../../../.prettierignore 64/pkg/tool/linux_amd64/vet (http block)
- Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linurev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel 64/pkg/tool/linu-C /usr/bin/git git (http block)
https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha */*.ts' '**/*.json' --ignore-pat-c=4 1149130/b160/vet.cfg ules/.bin/sh (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel node /usr/bin/git --write **/*.cjs 0/x64/bin/node git rev-�� --show-toplevel sh /usr/bin/git ithub/workflows/git (http block)
- Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha --show-toplevel git r,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --show-toplevel flow-test-12345 /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/nonexistent/repo/actions/runs/12345
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
- Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion --show-toplevel nly /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel git /usr/bin/git git (http block)
https://api.github.com/repos/owner/repo/actions/workflows
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/vet credential.helpenode (http block)
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo x_amd64/vet credential.helpesh (http block)
- Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)
https://api.github.com/repos/owner/repo/contents/file.md
- Triggering command: /tmp/go-build1976794400/b404/cli.test /tmp/go-build1976794400/b404/cli.test -test.testlogfile=/tmp/go-build1976794400/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true http.https://gitnode (http block)
- Triggering command: /tmp/go-build2190593194/b378/cli.test /tmp/go-build2190593194/b378/cli.test -test.testlogfile=/tmp/go-build2190593194/b378/testlog.txt -test.paniconexit0 -test.timeout=10m0s rev-�� HEAD git /usr/bin/git --git-dir x_amd64/link /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)
https://api.github.com/repos/test-owner/test-repo/actions/secrets
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name g/workflow/compile_config_test.g-errorsas g/workflow/resolve.go x_amd64/vet g/workflow/featush g/workflow/safe_-c g/workflow/schemnpx prettier --write '../../../**/*.json' '!../../../pkg/workflow/js/**/*.json' --ignore-path x_amd64/vet /pre�� g/workflow/reaction_none_test.go-errorsas g/workflow/engine_concurrency_in-ifaceassert x_amd64/vet gpg.program (http block)
- Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name --show-toplevel git /usr/bin/git --show-toplevel ache/go/1.25.0/xrev-parse /usr/bin/git git rev-�� --show-toplevel git /usr/bin/git 4 -type d -namegit ache/go/1.25.0/xrev-parse /usr/bin/git git (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

The detection job builder was incorrectly calling indentYAMLLines on the output of RenderToYAML(), which already uses 6-space indentation for permission values. This caused each permission value to be indented by 10 spaces (6 from RenderToYAML + 4 from indentYAMLLines) instead of the correct 6 spaces. The fix removes the unnecessary indentYAMLLines call for permissions in threat_detection.go, consistent with how other job builders (unlock, notify_comment, safe_outputs_jobs) handle permissions. Only the main job uses indentYAMLLines on permissions, and that path correctly calls filterJobLevelPermissions first to normalize from 6 to 2 spaces before adding 4 back via indentYAMLLines. Adds a regression test in threat_detection_test.go that verifies the correct 6-space indentation of permission values and rejects the previously-buggy 10-space indentation. Agent-Logs-Url: https://github.com/github/gh-aw/sessions/a49f053f-68d3-415f-b830-a3566dece6ba Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot

Pull request overview

Fixes invalid GitHub Actions YAML emitted by the threat detection job when job-level permissions are present, by removing an extra indentation pass that caused permission scope lines to be over-indented.

Changes:

Stop re-indenting Permissions.RenderToYAML() output in buildDetectionJob, restoring correct job-level YAML formatting.
Add a regression test to ensure copilot-requests: write is rendered with the expected 6-space indentation and that the prior 10-space indentation does not appear.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
pkg/workflow/threat_detection.go	Removes the extra `indentYAMLLines` call so permission value lines remain correctly indented by `Permissions.RenderToYAML()`.
pkg/workflow/threat_detection_test.go	Adds a regression test that asserts correct permissions indentation (and rejects the previous over-indented form).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

github-actions · 2026-03-31T05:34:39Z

Hey @Copilot 👋 — great work on tracking down and squashing this double-indentation bug in the detection job builder! The fix is clean, well-explained, and the regression test covers both the happy path and the explicit rejection of the broken 10-space form. This PR looks ready for maintainer review. 🎉

Contribution Check Summary

Check	Result
On-topic	✅ Yes
Follows process	✅ Yes — Copilot agent PR, core team assigned
Focused	✅ Yes — single bug fix + regression test
New dependencies	✅ No
Has tests	✅ Yes — `TestDetectionJobPermissionsIndentation` added
Has description	✅ Yes — clear root-cause analysis in PR body
Diff size	82 lines (81 additions, 1 deletion)

Verdict: 🟢 Aligned — No issues found. The PR follows the project's agentic development process, is tightly scoped to one bug, includes a solid regression test, and the description clearly explains the root cause and the fix pattern observed in sibling job builders (compiler_unlock_job.go, notify_comment.go, safe_outputs_jobs.go).

Generated by Contribution Check · ◷

Initial plan

6d98736

Copilot AI assigned Copilot and pelikhan Mar 31, 2026

Copilot started work on behalf of pelikhan March 31, 2026 05:09 View session

Copilot AI linked an issue Mar 31, 2026 that may be closed by this pull request

defect: YAML indentation bug in compiler causes job permissions block to be mis-indented #23643

Closed

3 tasks

Copilot AI changed the title ~~[WIP] Fix YAML indentation issue in compiler for job permissions~~ fix: correct YAML indentation for detection job permissions block Mar 31, 2026

Copilot AI requested a review from pelikhan March 31, 2026 05:25

Copilot finished work on behalf of pelikhan March 31, 2026 05:25

pelikhan marked this pull request as ready for review March 31, 2026 05:26

Copilot AI review requested due to automatic review settings March 31, 2026 05:26

Copilot started reviewing on behalf of pelikhan March 31, 2026 05:27 View session

Copilot AI reviewed Mar 31, 2026

View reviewed changes

pelikhan approved these changes Mar 31, 2026

View reviewed changes

pelikhan merged commit 98b01af into main Mar 31, 2026
179 checks passed

github-actions bot added the lgtm label Mar 31, 2026

pelikhan deleted the copilot/fix-yaml-indentation-bug branch March 31, 2026 05:34

This was referenced Mar 31, 2026

[Contribution Check Report] Contribution Check — 2026-03-31 #23623

Closed

[code-simplifier] refactor: simplify detection job permissions and WASM result building #23651

Merged

[instructions] Sync github-agentic-workflows.md with release v0.65.0 #23669

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: correct YAML indentation for detection job permissions block#23647

fix: correct YAML indentation for detection job permissions block#23647
pelikhan merged 2 commits intomainfrom
copilot/fix-yaml-indentation-bug

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Uh oh!

Changes

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants