Add copilot instructions and setup steps #4884
Conversation
| # Set the permissions to the lowest permissions possible needed for your steps. | ||
| # Copilot will be given its own token for its operations. | ||
| permissions: | ||
| # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete. | ||
| contents: write # TEST: `uv` wasn't installed after the workflow succeded, maybe this is needed? | ||
| pull-requests: write # So copilot can add labels to the PR |
There was a problem hiding this comment.
there is another security finding here - I don't understand why it doesn't show in the PR as comment … https://github.com/python-telegram-bot/python-telegram-bot/security/code-scanning/120
Looking at https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-contents it does indeed look like contents-write should be avoided. I don't quite understand your comment either, tbh 😅
There was a problem hiding this comment.
I don't quite understand your comment either
So what happened was the uv was installed in the environment at the end of that workflow but when copilot tried to access it via uv, there was no uv binary to be found anywhere in the filesystem. So I thought changing this to "write" might fix that. Probably not, but it might be worth a try?
There was a problem hiding this comment.
Well, if you can confirm that this helps, I'm open to adding it. My understanding however is that contents: write means that the workflow is allowed to make changes in the git repo itself, not in the workflow-environment.
There was a problem hiding this comment.
I don't think I can tell @copilot to edit a file in this branch.. which means I don't have a way of testing it here. So I'll just revert for now and see what happens
Spinoff from #4875