Bug
The gh aw upgrade codemod "Convert write permissions to read" blindly converts all write permission values to read, including id-token.
However, id-token only accepts write or none — read is not a valid value. This causes compilation to fail:
.github/workflows/sdk-generation-agent.md:26:13: error: 'id-token': value must be one of 'write', 'none'
Steps to Reproduce
- Have a workflow with id-token: write in the permissions block
- Run gh aw upgrade
- The codemod changes id-token: write to id-token: read
- Compilation fails
Expected Behavior
The codemod should skip id-token since it only accepts write or none.
Versions
- gh-aw: v0.68.0 (also reproduced on v0.67.4)
- OS: Linux x86_64
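A sketch of the expected behavior, added here as an illustration and not taken from the gh-aw code base: a write-to-read downgrade over a block-style permissions mapping that leaves scopes restricted to write/none untouched. The names DowngradeWritePermissions and writeOrNoneOnly and the sample input are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical helper, not gh-aw's implementation.
// Scopes whose only valid values are "write" and "none" (per the error above).
var writeOrNoneOnly = map[string]bool{"id-token": true}

// Matches an indented "scope: write" entry with an optional trailing comment.
var permLine = regexp.MustCompile(`^(\s+)([a-z-]+):\s*write\s*(#.*)?$`)

// DowngradeWritePermissions rewrites "scope: write" to "scope: read" inside a
// top-level permissions block. It returns the new text and the skipped scopes.
func DowngradeWritePermissions(src string) (string, []string) {
	var skipped []string
	inPerms := false
	lines := strings.Split(src, "\n")
	for i, line := range lines {
		if strings.TrimSpace(line) != "" && !strings.HasPrefix(line, " ") {
			// A non-indented key opens or closes the permissions block.
			inPerms = strings.HasPrefix(line, "permissions:")
			continue
		}
		m := permLine.FindStringSubmatch(line)
		if !inPerms || m == nil {
			continue
		}
		if writeOrNoneOnly[m[2]] {
			skipped = append(skipped, m[2]) // leave id-token: write untouched
			continue
		}
		lines[i] = strings.TrimRight(m[1]+m[2]+": read "+m[3], " ")
	}
	return strings.Join(lines, "\n"), skipped
}

func main() {
	// Constructed sample permissions block, not taken from the reporter's workflow.
	src := "permissions:\n  contents: write\n  id-token: write\n  issues: read\non: push\n"
	out, skipped := DowngradeWritePermissions(src)
	fmt.Print(out)
	fmt.Println("skipped:", skipped)
}
```

Returning the skipped scopes lets the codemod report that id-token: write was kept, so a reviewer can confirm the workflow really needs OIDC token issuance.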