Skip to content

Fix missing id-token: write on activation/conclusion/safe_outputs jobs for OTLP OIDC audience-only auth#45823

Merged
pelikhan merged 4 commits into
mainfrom
copilot/fix-id-token-permission-issue
Jul 16, 2026
Merged

Fix missing id-token: write on activation/conclusion/safe_outputs jobs for OTLP OIDC audience-only auth#45823
pelikhan merged 4 commits into
mainfrom
copilot/fix-id-token-permission-issue

Conversation

Copilot AI commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

When observability.otlp.github-app is configured with audience only (credential-less OIDC mode — no app-id/private-key), the compiler injects a "Mint OTLP OIDC token" step into every span-emitting job but only granted id-token: write to detection and evals. The activation, conclusion, and safe_outputs jobs received the mint step without the permission, failing at runtime with Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable.

Permissions fix

Added the existing guard from threat_detection_job.go to the three missing builders:

if hasOTLPGitHubOIDCAuth(data.ParsedFrontmatter, data.RawFrontmatter) {
    perms.Set(PermissionIdToken, PermissionWrite)
}
  • compiler_activation_permissions.gobuildActivationBasePermissions
  • notify_comment.go — conclusion job, after ComputePermissionsForSafeOutputs
  • compiler_safe_outputs_job.go — safe_outputs job, after ComputePermissionsForSafeOutputs

Schema fix

audience was already present in OTLPGitHubAppConfig and read from raw frontmatter, but was absent from the JSON schema (additionalProperties: false caused a validation error on any workflow using it). Added audience to the observability.otlp.github-app schema properties and updated the parser test that previously expected it to be rejected.

Regression test

otlp_oidc_permissions_test.go compiles a workflow with audience-only OTLP config and asserts that each of activation, conclusion, and safe_outputs: (a) contains id: mint-otlp-oidc-token in its job section, and (b) declares id-token: write.

Copilot AI and others added 2 commits July 15, 2026 22:03
…obs for OTLP OIDC auth

When observability.otlp.github-app is configured with audience-only (credential-less
OIDC mode, no app-id/private-key), three jobs were missing the id-token: write
permission needed to call core.getIDToken(audience):
- activation job (compiler_activation_permissions.go)
- conclusion job (notify_comment.go)
- safe_outputs job (compiler_safe_outputs_job.go)

Also adds 'audience' as a valid property in the observability.otlp.github-app JSON
schema, fixing a related schema validation error that blocked the audience-only config.

Adds a regression test (otlp_oidc_permissions_test.go) that compiles a workflow with
audience-only OTLP config and asserts all three jobs get id-token: write.

Fixes #45755

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix missing id-token: write permission for jobs Fix missing id-token: write on activation/conclusion/safe_outputs jobs for OTLP OIDC audience-only auth Jul 15, 2026
Copilot AI requested a review from pelikhan July 15, 2026 22:05
@pelikhan pelikhan marked this pull request as ready for review July 15, 2026 22:07
Copilot AI review requested due to automatic review settings July 15, 2026 22:07

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes OTLP audience-only OIDC authentication across compiler-generated jobs.

Changes:

  • Grants id-token: write to activation, conclusion, and safe-output jobs.
  • Adds audience to schema validation.
  • Adds regression coverage and a patch changeset.
Show a summary per file
File Description
pkg/workflow/otlp_oidc_permissions_test.go Tests OIDC steps and permissions.
pkg/workflow/notify_comment.go Grants conclusion-job OIDC permission.
pkg/workflow/compiler_safe_outputs_job.go Grants safe-output-job OIDC permission.
pkg/workflow/compiler_activation_permissions.go Grants activation-job OIDC permission.
pkg/parser/schemas/main_workflow_schema.json Adds the OTLP audience field.
pkg/parser/schema_test.go Verifies audience is accepted.
.changeset/patch-fix-otlp-oidc-id-token-permissions.md Documents the patch release.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 7/7 changed files
  • Comments generated: 1
  • Review effort level: Medium

Comment on lines +11178 to +11180
"audience": {
"type": "string",
"description": "Optional OIDC audience passed to core.getIDToken(audience) when using credential-less OIDC mode (github-app present without app-id/private-key). Leave omitted to use the default audience."
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, address any outstanding review feedback, confirm the OIDC permission fix is complete, and rerun checks if additional changes are needed before maintainer review.

Generated by 👨‍🍳 PR Sous Chef · 8.83 AIC · ⌖ 6 AIC · ⊞ 7.5K ·
Comment /souschef to run again

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

@copilot please run the pr-finisher skill, address any outstanding review feedback, confirm the OIDC permission fix is complete, and rerun checks if additional changes are needed before maintainer r...

Addressed in 6d00671. I refreshed the generated schema consumers so observability.otlp.github-app.audience is now present in /home/runner/work/gh-aw/gh-aw/docs/public/editor/autocomplete-data.json and /home/runner/work/gh-aw/gh-aw/docs/src/content/docs/reference/frontmatter-full.md, and I revalidated the OIDC fix locally with make fmt, make lint, make test-unit, make test, make recompile, plus the targeted parser/workflow regression tests. CI on the new head is still stale until a maintainer re-triggers it.

@github-actions

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category bug
Risk medium
Score 72 / 100
Action fast_track

Score breakdown: Impact 38 + Urgency 22 + Quality 12

Fixes missing id-token: write permission on activation, conclusion, and safe_outputs jobs when using OTLP OIDC audience-only mode. Without this fix, OIDC token minting steps silently fail. Compiler + permissions change with tests (9 files). CI unknown — awaiting checks.

Run §29462479491

Generated by 🔧 PR Triage Agent · 189.6 AIC · ⌖ 5.52 AIC · ⊞ 5.6K ·

@pelikhan pelikhan merged commit f29a9c8 into main Jul 16, 2026
29 checks passed
@pelikhan pelikhan deleted the copilot/fix-id-token-permission-issue branch July 16, 2026 04:19
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.10

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

OTLP OIDC audience auth: id-token: write missing on activation/conclusion/safe_outputs jobs → "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL"

4 participants