
[Safe Outputs Conformance] IMP-002: Permission computation file missing (safe_outputs_permissions.go) #20238

@github-actions


Conformance Check Failure

Check ID: IMP-002
Severity: HIGH
Category: Implementation

Problem Description

The safe outputs permission computation implementation file pkg/workflow/safe_outputs_permissions.go is missing from the repository. This file is required to define the ComputePermissionsForSafeOutputs function, which dynamically computes the minimum required GitHub token permissions based on which safe output types are configured in a workflow.

Without this file, the permission computation logic is absent, which could cause workflows to use overly broad permissions or fail to correctly validate required permissions at generation time.

Affected Components

  • Missing file: pkg/workflow/safe_outputs_permissions.go
  • Existing test file: pkg/workflow/safe_outputs_permissions_test.go (tests exist but no implementation)
  • Conformance checker: scripts/check-safe-outputs-conformance.sh (IMP-002 check)

Current Behavior

The file pkg/workflow/safe_outputs_permissions.go does not exist. The conformance checker checks for this file and the presence of ComputePermissionsForSafeOutputs within it.

Expected Behavior

Per the Safe Outputs specification, permission computation must:

  1. Accept a *SafeOutputsConfig and return the minimum required map[PermissionScope]PermissionLevel
  2. Return an empty map when config is nil
  3. Grant contents: read and issues: write for any issue-related output types
  4. Grant discussions: write for discussion-related output types
  5. Grant pull-requests: write for pull request output types

The existing test file (pkg/workflow/safe_outputs_permissions_test.go) defines the full expected behavior via TestComputePermissionsForSafeOutputs test cases.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. Create pkg/workflow/safe_outputs_permissions.go in the workflow package
  2. Implement ComputePermissionsForSafeOutputs(safeOutputs *SafeOutputsConfig) map[PermissionScope]PermissionLevel that:
    • Returns an empty map if safeOutputs == nil
    • Adds PermissionContents: PermissionRead as a baseline when any output is configured
    • Adds PermissionIssues: PermissionWrite for CreateIssues, UpdateIssues, CloseIssues, CreateComments, etc.
    • Adds PermissionDiscussions: PermissionWrite for CreateDiscussions, CloseDiscussions
    • Adds PermissionPullRequests: PermissionWrite for pull-request related outputs
  3. Run existing tests to verify: go test ./pkg/workflow/... -run TestComputePermissionsForSafeOutputs
  4. Run the conformance checker to confirm IMP-002 passes

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

The check IMP-002 should pass with: [PASS] IMP-002: Permission computation function exists

Also run the existing unit tests:

go test ./pkg/workflow/... -run TestComputePermissionsForSafeOutputs -v

References

  • Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Existing test file: pkg/workflow/safe_outputs_permissions_test.go
  • Run ID: §22865094490
  • Date: 2026-03-09

Generated by Daily Safe Outputs Conformance Checker

  • expires on Mar 10, 2026, 5:07 PM UTC
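
One way to implement the permission computation described in the remediation steps, added here as an example; it is not the project's code or part of the original issue. The type definitions, the boolean fields on SafeOutputsConfig and the CreatePullRequests field name are assumptions, and contents: read is applied as the baseline from remediation step 2.

```go
package main

import "fmt"

// Stand-in types (assumptions): the real definitions live in the project's
// pkg/workflow package and are not shown in the issue.
type PermissionScope string
type PermissionLevel string

const (
	PermissionContents     PermissionScope = "contents"
	PermissionIssues       PermissionScope = "issues"
	PermissionDiscussions  PermissionScope = "discussions"
	PermissionPullRequests PermissionScope = "pull-requests"

	PermissionRead  PermissionLevel = "read"
	PermissionWrite PermissionLevel = "write"
)

// SafeOutputsConfig is modelled with boolean fields for brevity (assumption).
// CreatePullRequests is a hypothetical name for "pull-request related outputs".
type SafeOutputsConfig struct {
	CreateIssues, UpdateIssues, CloseIssues, CreateComments bool
	CreateDiscussions, CloseDiscussions                     bool
	CreatePullRequests                                      bool
}

// ComputePermissionsForSafeOutputs returns only the scopes that the configured
// output types need; a scope with no configured output is never granted.
func ComputePermissionsForSafeOutputs(so *SafeOutputsConfig) map[PermissionScope]PermissionLevel {
	perms := map[PermissionScope]PermissionLevel{}
	if so == nil {
		return perms // nil config: empty map, no token permissions
	}
	if so.CreateIssues || so.UpdateIssues || so.CloseIssues || so.CreateComments {
		perms[PermissionIssues] = PermissionWrite
	}
	if so.CreateDiscussions || so.CloseDiscussions {
		perms[PermissionDiscussions] = PermissionWrite
	}
	if so.CreatePullRequests {
		perms[PermissionPullRequests] = PermissionWrite
	}
	if len(perms) > 0 { // baseline only when at least one output is configured
		perms[PermissionContents] = PermissionRead
	}
	return perms
}

func main() {
	fmt.Println(ComputePermissionsForSafeOutputs(&SafeOutputsConfig{CreateDiscussions: true}))
}
```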
