[SPIKE] Expand FGP per-tool permission annotations + consolidate docs#2679
SamMorrowDrums wants to merge 5 commits into
Expand RequiredPermissions annotations across the remaining clearly-mappable tools (discussions, git, issues, labels, pull requests, repositories/stargazers, and the granular issue/PR write tools) so the generated fine-grained-permission table in docs/permissions-filtering.md is comprehensive. Stop rendering the per-tool "Required Permissions (fine-grained)" line in the large generated tool listings (README, feature-flags.md, insiders-features.md): it cluttered those listings. The consolidated requirement table now lives solely in docs/permissions-filtering.md, and the README Tools section links to it. Permission catalog and tool behaviour are unchanged; only annotations and generated docs are affected. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Annotate the remaining clearly-mappable tools with RequiredPermissions and regenerate the permissions docs table from the tool definitions:
- repos: create_repository, fork_repository (administration:write); list_repository_collaborators (administration:read)
- context: get_teams, get_team_members (members:read)
- projects: projects_get/list (organization_projects:read), projects_write (organization_projects:write)
- issues: list_issue_fields (issues:read)

list_issue_types stays ungated (org-level issue-type config has no clean repo/org catalog permission). Docs table grows 50->58 rows and is idempotent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

- list_repository_collaborators: administration:read -> metadata:read (the list endpoint requires Fine-grained Metadata read; administration only covers adding/removing collaborators)
- create_repository, fork_repository: revert to ungated (administration mapping is genuinely ambiguous between user- and org-owned repos)
- projects_get/list/write: revert to ungated (ProjectsV2 GraphQL does not map cleanly to the classic repository_projects/organization_projects catalog consts)

get_teams/get_team_members keep members:read; list_issue_fields keeps issues:read. Docs table regenerated (idempotent).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The collaborators list endpoint requires write/maintain/admin repo privileges (and read:org for classic tokens), so it is not a low-privilege metadata read. administration:read is the better-grounded best-guess. Docs table regenerated (idempotent). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Verify per-tool fine-grained permissions against the GitHub REST docs' embedded permission sets (progAccess.permissions):
- merge_pull_request: contents:write only (was contents:write AND pull_requests:write)
- update_pull_request_branch: pull_requests:write only (was contents:write AND pull_requests:write)
- list_repository_collaborators: metadata:read (was administration:read)
- create_repository: re-add administration:write
- fork_repository: re-add administration:write AND contents:read

Regenerate docs/permissions-filtering.md (55 rows; idempotent).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
> **Note**
> Stacked on #2676. Base branch is `sammorrowdrums/fgp-requirements`, not `main`. Review #2676 first. This PR only adds per-tool `RequiredPermissions` annotations and the docs they generate — it changes no runtime behaviour.

### What this does

Expands the per-tool fine-grained-permission (FGP) `RequiredPermissions` annotations introduced by #2676 across the clearly-mappable tools, then regenerates the docs that are built from those annotations. The pipeline is the same as the existing scope-filtering docs:

- `.WithPermissions(permissions.Require(...))` annotation on its `ServerTool`.
- `docs/permissions-filtering.md` is generated, never hand-edited. Re-running the generator is idempotent (zero diff on a second run).
- `list-permissions` CLI reads the same inventory, so it stays consistent with the table.
- `docs/permissions-filtering.md`.

### How the permissions were verified

Per-tool requirements were verified against the GitHub REST docs' embedded fine-grained permissions — the rendered "The fine-grained token must have the following permission set: …" line on each endpoint's docs page (from the page's `progAccess.permissions`). Only the public OpenAPI (`api.github.com.json`) omits this data; the docs pages carry it, so they are the source used here. Only GraphQL-only tools (ProjectsV2, issue-fields) lack a docs-REST source and remain best-guess or ungated.

Semantics (from #2676): a requirement is an OR of AND-sets. `permissions.Require(a, b)` is a single AND-set (the token needs `a` and `b`). Reads map to `*:read`, mutations to `*:write`.

Guardrails held: only consts that exist in `pkg/permissions/catalog_generated.go` are used (none invented); the catalog itself is not regenerated (that hits the network — #2676 owns it); genuinely non-FGP tools stay ungated.

### Authoritative (verified against the REST docs' embedded permissions)

| Tool(s) | Required permission |
|---|---|
| `actions_get`, `actions_list`, `get_job_logs` | `actions:read` |
| `actions_run_trigger` | `actions:write` |
| `get_code_scanning_alert`, `list_code_scanning_alerts` | `security_events:read` |
| `get_teams`, `get_team_members` | `members:read` |
| `get_dependabot_alert`, `list_dependabot_alerts` | `vulnerability_alerts:read` |
| `get_discussion`, `get_discussion_comments`, `list_discussions`, `list_discussion_categories` | `discussions:read` |
| `discussion_comment_write` | `discussions:write` |
| `get_repository_tree` | `contents:read` |
| `issue_read`, `list_issues`, `get_label` | `issues:read` |
| `issue_write`, `add_issue_comment`, `sub_issue_write` | `issues:write` |
| `list_label`, `get_label` | `issues:read` |
| `label_write` | `issues:write` |
| `pull_request_read`, `list_pull_requests` | `pull_requests:read` |
| `create_pull_request`, `update_pull_request`, `pull_request_review_write`, `add_comment_to_pending_review`, `add_reply_to_pull_request_comment`, `update_pull_request_branch` | `pull_requests:write` |
| `merge_pull_request` | `contents:write` |
| `get_file_contents`, `get_commit`, `list_commits`, `list_branches`, `list_tags`, `get_tag`, `list_releases`, `get_latest_release`, `get_release_by_tag` | `contents:read` |
| `create_or_update_file`, `push_files`, `delete_file`, `create_branch` | `contents:write` |
| `list_repository_collaborators` | `metadata:read` |
| `create_repository` | `administration:write` |
| `fork_repository` | `administration:write` AND `contents:read` |
| `get_secret_scanning_alert`, `list_secret_scanning_alerts` | `secret_scanning_alerts:read` |
| `list_starred_repositories` | `starring:read` |
| `star_repository`, `unstar_repository` | `starring:write` |

Notes on the two asymmetric PR endpoints and the repo-management ones (all docs-verified):

- `merge_pull_request` → Contents:write only (docs "Merge a pull request"; `pull_requests:write` is not required, so requiring it would over-hide the tool for a contents-only token).
- `update_pull_request_branch` → Pull requests:write only (docs "Update a pull request branch"; `contents:write` not required).
- `list_repository_collaborators` → Metadata:read (docs "List repository collaborators").
- `create_repository` → Administration:write (`POST /user/repos` and `POST /orgs/{org}/repos`).
- `fork_repository` → Administration:write AND Contents:read (docs "Create a fork").
- `star_repository` / `unstar_repository` → `starring:write`. (Docs also list Metadata:read, omitted here as the universal baseline — consistent with the rest of the set, which doesn't spell out implicit `metadata:read`.)

### Best-guess (one entry, flagged for review)

| Tool | Required permission | Rationale |
|---|---|---|
| `list_issue_fields` | `issues:read` | `issues:read` is the closest catalog const. Feature-flag-gated, so it appears in `list-permissions --toolsets=all` but not in the docs table. |

### Intentionally ungated (no clear public FGP mapping)

- `projects_get`, `projects_list`, `projects_write` — `organization_projects` const is a poor fit (deprecated, wrong scope shape).
- `search_*` (`search_code`, `search_issues`, `search_pull_requests`, `search_repositories`, `search_users`, `search_orgs`, `search_commits`)
- `get_me`
- `assign_copilot_to_issue`, `request_copilot_review`
- `create_gist`, `get_gist`, `list_gists`, `update_gist`
- `list_notifications`
- `list_global_security_advisories`, `get_global_security_advisory`, `list_repository_security_advisories`, `list_org_repository_security_advisories`
- `list_issue_types`

### Validation

- `go build ./...` ✅
- `script/generate-docs` ✅ — table is 55 rows; second run produces zero diff (idempotent).
- `bin/golangci-lint run ./pkg/github/... ./cmd/...` ✅ — 0 issues.
- `go test -race ./...` ✅ — all packages pass.
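The OR-of-AND-sets semantics and the `merge_pull_request` over-hiding point described in the PR, as an added illustration that is not the project's `pkg/permissions` code (all type and function names here are hypothetical): a token holding only `contents:write` satisfies `Require("contents:write")`, but would have been hidden by the earlier `contents:write` AND `pull_requests:write` requirement.

```go
package main

import "strings"

// Hypothetical types: this models the semantics the PR describes and is not
// the project's pkg/permissions package.
type Permission string // e.g. "contents:write"

// Requirement is an OR of AND-sets: a token satisfies it when it holds every
// permission of at least one AND-set. An empty Requirement means ungated.
type Requirement [][]Permission

// Require builds one AND-set, mirroring the described Require(a, b) semantics.
func Require(perms ...Permission) Requirement { return Requirement{perms} }

// TokenPermissions is the set of permissions a fine-grained token was granted.
type TokenPermissions map[Permission]bool

// Has reports whether the token covers p. Modelling assumption: a
// "<resource>:write" grant also covers "<resource>:read" (levels are cumulative).
func (t TokenPermissions) Has(p Permission) bool {
	if t[p] {
		return true
	}
	res, level, ok := strings.Cut(string(p), ":")
	return ok && level == "read" && t[Permission(res+":write")]
}

// Satisfies evaluates the OR-of-AND-sets requirement against the token.
func (t TokenPermissions) Satisfies(r Requirement) bool {
	if len(r) == 0 {
		return true // ungated tool: always visible
	}
	for _, andSet := range r {
		if t.hasAll(andSet) {
			return true
		}
	}
	return false
}

// hasAll is true when every permission of one AND-set is covered.
func (t TokenPermissions) hasAll(set []Permission) bool {
	for _, p := range set {
		if !t.Has(p) {
			return false
		}
	}
	return true
}
```

A requirement literal with several inner slices, such as `Requirement{{"issues:read"}, {"pull_requests:read"}}`, expresses the OR between AND-sets.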