
feat: add passive support for code-quality (and related) permissions#6119

Open
displague wants to merge 2 commits into nektos:master from displague:feat/add-code-quality-permissions

Conversation


@displague displague commented Jun 19, 2026


Add code-quality, artifact-metadata, and vulnerability-alerts to the workflow permissions schema.

This allows workflows that declare modern permissions (e.g. the official GitHub Code Quality / coverage setup) to be parsed and run instead of being rejected with "Unknown Property code-quality".

```yaml
permissions:
  contents: read
  code-quality: write
```

Changes

  • Updated pkg/schema/workflow_schema.json (permissions-mapping)
  • Added RawPermissions + Permissions() helpers to Workflow/Job (model)
  • Populate github.permissions in the GithubContext for expressions
  • Added regression tests exercising ReadWorkflow (strict + non-strict) and full planner path

Testing (using this build)

  • Native Go 1.26.4
  • go build ./...
  • go test ./pkg/model -run 'Permissions|ReadWorkflow' (passes for both strict modes)
  • go test ./pkg/schema -run CodeQualityPermission
  • Built dist/local/act.exe
  • Direct: ./dist/local/act.exe -l inside ~/src/{repo} (which contains tests.yml with the exact stanza + actions/upload-code-coverage@v1)
  • gh act -l using this build: temporarily replaced the vendored gh-act.exe extension binary with our build (because gh act vendors its own copy of act). Confirmed jobs from workflow yaml are listed with no schema refusal.

This PR was built with and opened with 🤖 (Grok 4.3 by xAI).

See:

- Add `code-quality`, `artifact-metadata`, and `vulnerability-alerts` to
  the workflow permissions schema so workflows using the new GitHub
  Code Quality / coverage upload features (e.g. `code-quality: write`)
  pass schema validation. See
  https://docs.github.com/en/code-security/how-tos/maintain-quality-code/set-up-code-coverage

- Parse `permissions:` (workflow + per-job) into model.Workflow and
  model.Job (using RawPermissions + Permissions() helper, following
  existing Raw* pattern).

- Populate github.permissions context (when declared as a map) for
  expression evaluation and action compatibility.

- Add schema validation test exercising the code-quality permission.
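The Raw*-plus-helper shape the description refers to, as an added illustration that is not act's own code: `Job`, `RawPermissions` and `Permissions()` are named after the PR text but implemented here from scratch, the `knownScopes` list is an illustrative subset rather than act's schema, and `encoding/json` stands in for the YAML decoder so the file runs with the standard library only (both decoders yield the same string-or-map shape for `permissions:`). The `strict` flag mirrors the strict and non-strict modes the PR's tests exercise.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Scopes the schema accepts once the PR's three new names are added (illustrative subset).
var knownScopes = map[string]bool{
	"artifact-metadata": true, "code-quality": true, "contents": true,
	"pull-requests": true, "vulnerability-alerts": true,
}

// Job keeps `permissions:` as decoded (a bare string or a scope->level map): the Raw*-plus-helper pattern.
type Job struct {
	RawPermissions interface{} `json:"permissions"`
}

// Permissions normalises a declared map into scope->level. As with the PR's github.permissions
// population it only handles the map form; an absent stanza or a bare "read-all"/"write-all"
// string yields nil. strict=true rejects an unknown scope with act's "Unknown Property"
// wording, strict=false drops it silently.
func (j *Job) Permissions(strict bool) (map[string]string, error) {
	m, ok := j.RawPermissions.(map[string]interface{})
	if !ok {
		return nil, nil
	}
	out := map[string]string{}
	for scope, raw := range m {
		level, ok := raw.(string)
		if !ok || (level != "read" && level != "write" && level != "none") {
			return nil, fmt.Errorf("permission %s: invalid access level %v", scope, raw)
		}
		if !knownScopes[scope] {
			if strict {
				return nil, fmt.Errorf("Unknown Property %s", scope)
			}
			continue
		}
		out[scope] = level
	}
	return out, nil
}

func main() {
	var j Job // constructed sample: the stanza quoted in the PR description, as JSON
	_ = json.Unmarshal([]byte(`{"permissions": {"contents": "read", "code-quality": "write"}}`), &j)
	fmt.Println(j.Permissions(true))
}
```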
@displague displague changed the title feat: add support for `code-quality` (and related) permissions feat: add support for code-quality (and related) permissions Jun 19, 2026
@displague displague changed the title feat: add support for code-quality (and related) permissions feat: add passive support for code-quality (and related) permissions Jun 19, 2026