fix: add models:read permission for GitHub Models API #463

Merged
stranske merged 3 commits into main from fix/models-permission
Jan 2, 2026

@stranske stranske commented Jan 2, 2026

Source: Issue #459

Automated Status Summary

Scope

  • After merging PR chore(codex): bootstrap PR for issue #101 #103 (multi-agent routing infrastructure), we need to:
  • 1. Validate the CLI agent pipeline works end-to-end with the new task-focused prompts
  • 2. Add GITHUB_STEP_SUMMARY output so iteration results are visible in the Actions UI
  • 3. Streamline the Automated Status Summary to reduce clutter when using CLI agents
  • 4. Clean up comment patterns to avoid a mix of old UI-agent and new CLI-agent comments

Tasks

  • ### Pipeline Validation
  • After PR chore(codex): bootstrap PR for issue #101 #103 merges, create a test PR with agent:codex label
  • Verify task appendix appears in Codex prompt (check workflow logs)
  • Verify Codex works on actual tasks (not random infrastructure work)
  • Verify keepalive comment updates with iteration progress
  • ### GITHUB_STEP_SUMMARY
  • Add step summary output to agents-keepalive-loop.yml after agent run
  • Include: iteration number, tasks completed, files changed, outcome
  • Ensure summary is visible in workflow run UI
  • ### Conditional Status Summary
  • Modify buildStatusBlock() in agents_pr_meta_update_body.js to accept agentType parameter
  • When agentType is set (CLI agent): hide workflow table, hide head SHA/required checks
  • Keep Scope/Tasks/Acceptance checkboxes for all cases
  • Pass agent type from workflow to the update_body job
  • ### Comment Pattern Cleanup
  • For CLI agents (agent:* label):
  • Suppress <!-- gate-summary: --> comment posting (use step summary instead)
  • Suppress <!-- keepalive-round: N --> instruction comments (task appendix replaces this)
  • Update <!-- keepalive-loop-summary --> to be the single source of truth
  • Ensure state marker is embedded in the summary comment (not separate)
  • For UI Codex (no agent:* label):
  • Keep existing comment patterns (instruction comments, connector bot reports)
  • Keep <!-- gate-summary: --> comment
  • Add agent_type output to detect job so downstream workflows know the mode
  • Update agents-pr-meta.yml to conditionally skip gate summary for CLI agent PRs

Acceptance criteria

  • CLI agent receives explicit tasks in prompt and works on them
  • Iteration results visible in Actions workflow run summary
  • PR body shows checkboxes but not workflow clutter when using CLI agents
  • UI Codex path (no agent label) continues to show full status summary
  • CLI agent PRs have ≤3 bot comments total (summary, one per iteration update) instead of 10+
  • State tracking is consolidated in the summary comment, not scattered
  • ## Dependencies
  • - Requires PR chore(codex): bootstrap PR for issue #101 #103 to be merged first
  • Head SHA: dbe2ff0
  • Latest Runs: ❔ in progress — Agents PR meta manager
  • Required: gate: ⏸️ not started
  • | Workflow / Job | Result | Logs |
  • |----------------|--------|------|
  • | Agents PR meta manager | ❔ in progress | View run |
  • Head SHA: e16dbd9
  • Latest Runs: ✅ success — Gate
  • Required: gate: ✅ success
  • | Workflow / Job | Result | Logs |
  • |----------------|--------|------|
  • | Agents PR meta manager | ❔ in progress | View run |
  • | CI Autofix Loop | ✅ success | View run |
  • | Copilot code review | ❔ in progress | View run |
  • | Gate | ✅ success | View run |
  • | Health 40 Sweep | ✅ success | View run |
  • | Health 44 Gate Branch Protection | ✅ success | View run |
  • | Health 45 Agents Guard | ✅ success | View run |
  • | Health 50 Security Scan | ✅ success | View run |
  • | Maint 52 Validate Workflows | ✅ success | View run |
  • | PR 11 - Minimal invariant CI | ✅ success | View run |
  • | Selftest CI | ✅ success | View run |
  • Head SHA: ac4aa0e
  • Latest Runs: ✅ success — Gate
  • Required: gate: ✅ success
  • | Workflow / Job | Result | Logs |
  • |----------------|--------|------|
  • | Agents PR meta manager | ❔ in progress | View run |
  • | CI Autofix Loop | ✅ success | View run |
  • | Gate | ✅ success | View run |
  • | Health 40 Sweep | ✅ success | View run |
  • | Health 44 Gate Branch Protection | ✅ success | View run |
  • | Health 45 Agents Guard | ✅ success | View run |
  • | Health 50 Security Scan | ✅ success | View run |
  • | Maint 52 Validate Workflows | ❌ failure | View run |
  • | PR 11 - Minimal invariant CI | ✅ success | View run |
  • | Selftest CI | ✅ success | View run |
  • | Validate Sync Manifest | ✅ success | View run |

Head SHA: 0012c71
Latest Runs: ✅ success — Gate
Required: gate: ✅ success

| Workflow / Job | Result | Logs |
|----------------|--------|------|
| Agents PR meta manager | ❔ in progress | View run |
| CI Autofix Loop | ✅ success | View run |
| Gate | ✅ success | View run |
| Health 40 Sweep | ✅ success | View run |
| Health 44 Gate Branch Protection | ✅ success | View run |
| Health 45 Agents Guard | ✅ success | View run |
| Health 50 Security Scan | ✅ success | View run |
| Maint 52 Validate Workflows | ✅ success | View run |
| PR 11 - Minimal invariant CI | ✅ success | View run |
| Selftest CI | ✅ success | View run |
| Validate Sync Manifest | ✅ success | View run |

The LLM provider chain uses GitHub Models as primary provider.
The GITHUB_TOKEN needs models:read permission to access the API.

Without this permission, the API returns 401:
'The models permission is required to access this endpoint'

Fixes GitHub Models authentication in analyze_codex_session step.
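
Added example, not code from this repository: a fallback chain like the GitHub Models → OpenAI → Regex one named in this PR can mask the 401 quoted above, because a later provider still returns an answer. The Python below classifies each provider failure and flags the missing `models: read` grant; the `(status, body)` error shape, the function names and the three provider stand-ins are assumptions.

```python
# Error text quoted in the commit message above. The (status, body) error shape
# and the three provider callables are assumptions made for this example.
MISSING_SCOPE = "The models permission is required to access this endpoint"

class ProviderError(Exception):
    def __init__(self, status, body):
        super().__init__(f"HTTP {status}: {body}")
        self.status, self.body = status, body

def classify(err):
    """Tell a workflow misconfiguration apart from other provider failures."""
    if err.status == 401 and MISSING_SCOPE.lower() in err.body.lower():
        return "missing-models-permission"  # fix belongs in the workflow YAML
    if err.status in (401, 403):
        return "auth"                       # bad or expired credential
    if err.status == 429 or err.status >= 500:
        return "transient"                  # worth retrying later
    return "other"

def run_chain(providers, prompt):
    """Try providers in order; return (provider, answer, skipped reasons)."""
    skipped = []
    for name, call in providers:
        try:
            return name, call(prompt), skipped
        except ProviderError as err:
            skipped.append((name, classify(err)))
    raise RuntimeError(f"all providers failed: {skipped}")

def needs_workflow_fix(skipped):
    """True when a fallback answer is hiding a missing `models: read` grant."""
    return any(reason == "missing-models-permission" for _, reason in skipped)

# Constructed stand-ins for the GitHub Models -> OpenAI -> Regex chain.
def github_models(prompt):
    raise ProviderError(401, MISSING_SCOPE)

def openai(prompt):
    raise ProviderError(401, "Incorrect API key provided")

def regex(prompt):
    return "2 of 5 tasks complete"

CHAIN = [("github-models", github_models), ("openai", openai), ("regex", regex)]

if __name__ == "__main__":
    provider, answer, skipped = run_chain(CHAIN, "summarise the session")
    print(provider, answer, skipped, needs_workflow_fix(skipped))
```
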
Copilot AI review requested due to automatic review settings January 2, 2026 23:31
@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

Comprehensive documentation covering:
- Provider chain architecture (GitHub Models → OpenAI → Regex)
- Workflow integration and outputs
- Configuration and permissions
- CLI usage and output format
- Troubleshooting guide
- Development history
github-actions bot commented Jan 2, 2026

Automated Status Summary

Head SHA: 3cff333
Latest Runs: ⏳ pending — Gate
Required contexts: Gate / gate, Health 45 Agents Guard / Enforce agents workflow protections
Required: core tests (3.11): ⏳ pending, core tests (3.12): ⏳ pending, docker smoke: ⏳ pending, gate: ⏳ pending

| Workflow / Job | Result | Logs |
|----------------|--------|------|
| (no jobs reported) | ⏳ pending | |

Coverage Overview

  • Coverage history entries: 1

Coverage Trend

| Metric | Value |
|--------|-------|
| Current | 92.21% |
| Baseline | 85.00% |
| Delta | +7.21% |
| Minimum | 70.00% |
| Status | ✅ Pass |

Top Coverage Hotspots (lowest coverage)

| File | Coverage | Missing |
|------|----------|---------|
| scripts/workflow_health_check.py | 62.6% | 28 |
| scripts/classify_test_failures.py | 62.9% | 37 |
| scripts/ledger_validate.py | 65.3% | 63 |
| scripts/mypy_return_autofix.py | 82.6% | 11 |
| scripts/ledger_migrate_base.py | 85.5% | 13 |
| scripts/fix_cosmetic_aggregate.py | 92.3% | 1 |
| scripts/coverage_history_append.py | 92.8% | 2 |
| scripts/workflow_validator.py | 93.3% | 4 |
| scripts/update_autofix_expectations.py | 93.9% | 1 |
| scripts/pr_metrics_tracker.py | 95.7% | 3 |
| scripts/generate_residual_trend.py | 96.6% | 1 |
| scripts/build_autofix_pr_comment.py | 97.0% | 2 |
| scripts/aggregate_agent_metrics.py | 97.2% | 0 |
| scripts/fix_numpy_asserts.py | 98.1% | 0 |
| scripts/sync_test_dependencies.py | 98.3% | 1 |

Updated automatically; will refresh on subsequent CI/Docker completions.


Keepalive checklist

Scope

  • After merging PR chore(codex): bootstrap PR for issue #101 #103 (multi-agent routing infrastructure), we need to:
  • 1. Validate the CLI agent pipeline works end-to-end with the new task-focused prompts
  • 2. Add GITHUB_STEP_SUMMARY output so iteration results are visible in the Actions UI
  • 3. Streamline the Automated Status Summary to reduce clutter when using CLI agents
  • 4. Clean up comment patterns to avoid a mix of old UI-agent and new CLI-agent comments

Tasks

  • ### Pipeline Validation
  • After PR chore(codex): bootstrap PR for issue #101 #103 merges, create a test PR with agent:codex label
  • Verify task appendix appears in Codex prompt (check workflow logs)
  • Verify Codex works on actual tasks (not random infrastructure work)
  • Verify keepalive comment updates with iteration progress
  • ### GITHUB_STEP_SUMMARY
  • Add step summary output to agents-keepalive-loop.yml after agent run
  • Include: iteration number, tasks completed, files changed, outcome
  • Ensure summary is visible in workflow run UI
  • ### Conditional Status Summary
  • Modify buildStatusBlock() in agents_pr_meta_update_body.js to accept agentType parameter
  • When agentType is set (CLI agent): hide workflow table, hide head SHA/required checks
  • Keep Scope/Tasks/Acceptance checkboxes for all cases
  • Pass agent type from workflow to the update_body job
  • ### Comment Pattern Cleanup
  • For CLI agents (agent:* label):
  • Suppress <!-- gate-summary: --> comment posting (use step summary instead)
  • Suppress <!-- keepalive-round: N --> instruction comments (task appendix replaces this)
  • Update <!-- keepalive-loop-summary --> to be the single source of truth
  • Ensure state marker is embedded in the summary comment (not separate)
  • For UI Codex (no agent:* label):
  • Keep existing comment patterns (instruction comments, connector bot reports)
  • Keep <!-- gate-summary: --> comment
  • Add agent_type output to detect job so downstream workflows know the mode
  • Update agents-pr-meta.yml to conditionally skip gate summary for CLI agent PRs

Acceptance criteria

  • CLI agent receives explicit tasks in prompt and works on them
  • Iteration results visible in Actions workflow run summary
  • PR body shows checkboxes but not workflow clutter when using CLI agents
  • UI Codex path (no agent label) continues to show full status summary
  • CLI agent PRs have ≤3 bot comments total (summary, one per iteration update) instead of 10+
  • State tracking is consolidated in the summary comment, not scattered
  • ## Dependencies
  • - Requires PR chore(codex): bootstrap PR for issue #101 #103 to be merged first
  • [ ]

@stranske stranske temporarily deployed to agent-high-privilege January 2, 2026 23:33 — with GitHub Actions Inactive
github-actions bot commented Jan 2, 2026

🤖 Keepalive Loop Status

PR #463 | Agent: Codex | Iteration 0/5

Current State

| Metric | Value |
|--------|-------|
| Iteration progress | [----------] 0/5 |
| Action | wait (missing-agent-label) |
| Disposition | skipped (transient) |
| Gate | success |
| Tasks | 0/71 complete |
| Keepalive | ❌ disabled |
| Autofix | ❌ disabled |

🔍 Failure Classification

| Error type | infrastructure |
| Error category | resource |
| Suggested recovery | Confirm the referenced resource exists (repo, PR, branch, workflow, or file). |

Copilot AI left a comment

Pull request overview

This PR adds the models: read permission to the reusable Codex workflow to enable access to GitHub Models API. The LLM provider chain (introduced in PR #459) uses GitHub Models as the primary AI provider for task completion analysis, which requires this permission to avoid 401 errors when calling the API endpoint.

Key changes:

  • Added models: read permission to the workflow's permissions block

contents: write
pull-requests: write
actions: write
models: read
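
Review bot: `models: read` lands in the same permissions block as `contents: write`, `pull-requests: write` and `actions: write`, so the code that calls GitHub Models runs with a token that can also push commits, edit pull requests and manage workflow runs. If only the session analysis needs inference, move it into its own job whose job-level `permissions:` holds just `models: read` (plus `contents: read` if it checks out the repository), and keep the write scopes on the job that commits. Since this is a reusable workflow, also confirm each caller grants `models: read`, because a called workflow cannot raise the token's permissions above what the caller provides.
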
Copilot AI Jan 2, 2026

The permission is added without an inline comment explaining its purpose. According to the PR description, the solution includes a comment "# For GitHub Models AI inference". Adding this comment would improve maintainability by clarifying why this permission is needed, especially since the other permissions don't have comments.

Suggested change
models: read
models: read # For GitHub Models AI inference

actionlint 1.7.3 doesn't recognize the 'models' permission scope
which is a newer GitHub feature for GitHub Models API access.

Add ignore pattern to suppress this false positive.
@stranske stranske temporarily deployed to agent-high-privilege January 2, 2026 23:34 — with GitHub Actions Inactive
@stranske stranske merged commit 79381d2 into main Jan 2, 2026
107 checks passed
@stranske stranske deleted the fix/models-permission branch January 2, 2026 23:36