From 7520561423cbb7d2b62f1fa6c2bd5eb78e42cd19 Mon Sep 17 00:00:00 2001
From: Salman Muin Kayser Chishti
Date: Fri, 10 Apr 2026 23:26:45 +0100
Subject: [PATCH] Add workflows permission to schema

Add 'workflows' as a valid permission scope in the permissions-mapping schema. The workflows permission supports only 'write' (or none), matching the GitHub App permissions model where workflows: write allows updating GitHub Actions workflow files. This enables autocomplete and validation for 'permissions: workflows:' in workflow YAML files.
---
 languageservice/src/complete.test.ts | 39 ++++++++++++++++++++++++++
 workflow-parser/src/workflow-v1.0.json | 4 +++
 2 files changed, 43 insertions(+)
diff --git a/languageservice/src/complete.test.ts b/languageservice/src/complete.test.ts
index fcdf659d..0287f3a2 100644
--- a/languageservice/src/complete.test.ts
+++ b/languageservice/src/complete.test.ts
@@ -1016,6 +1016,45 @@ jobs:
 });
 });
+describe("permissions workflows completion", () => {
+ it("includes workflows in top-level permissions", async () => {
+ const input = `on: push
+permissions:
+ |`;
+ const result = await complete(...getPositionFromCursor(input));
+
+ expect(result).not.toBeUndefined();
+ const labels = result.map(x => x.label);
+ expect(labels).toContain("workflows");
+ });
+
+ it("offers only write and none for workflows", async () => {
+ const input = `on: push
+permissions:
+ workflows: |`;
+ const result = await complete(...getPositionFromCursor(input));
+
+ expect(result).not.toBeUndefined();
+ const labels = result.map(x => x.label);
+ expect(labels).toContain("write");
+ expect(labels).not.toContain("read");
+ });
+
+ it("includes workflows in job-level permissions", async () => {
+ const input = `on: push
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ permissions:
+ |`;
+ const result = await complete(...getPositionFromCursor(input));
+
+ expect(result).not.toBeUndefined();
+ const labels = result.map(x => x.label);
+ expect(labels).toContain("workflows");
+ });
+});
+
 describe("service container command/entrypoint completion", () => {
 it("suggests entrypoint and command in service container", async () => {
 const input = `on: push
diff --git a/workflow-parser/src/workflow-v1.0.json b/workflow-parser/src/workflow-v1.0.json
index f514407f..5989e130 100644
--- a/workflow-parser/src/workflow-v1.0.json
+++ b/workflow-parser/src/workflow-v1.0.json
@@ -1649,6 +1649,10 @@
 "statuses": {
 "type": "permission-level-any",
 "description": "Commit statuses."
+ },
+ "workflows": {
+ "type": "permission-level-write-or-no-access",
+ "description": "Update GitHub Actions workflow files."
 }
 }
 }
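Review bot: The test titled "offers only write and none for workflows" never checks that `none` is offered and only rules out `read`, so it would still pass if the schema type exposed some other level as well. Because `workflows: write` lets a token change workflow files, the allowed set is worth pinning exactly, for example with `expect(labels).toContain("none");` and `expect(labels).toHaveLength(2);`, assuming `none` is the label that `permission-level-write-or-no-access` produces. The job-level test has the same gap on the value side: it verifies that the key is suggested but not which levels are offered under it.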
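Review bot: The description `"Update GitHub Actions workflow files."` gives no hint that this is a high-impact scope. Nothing in the hunk points to documentation showing that the `permissions:` block accepts `workflows` for the job token, rather than only for GitHub App tokens, which is the model the commit message cites. If the platform rejects or ignores the key, the schema would validate and autocomplete a setting that has no effect, so a link to the supporting documentation in the PR would help reviewers. Consider a description such as `"Update GitHub Actions workflow files. Grants write access to workflow definitions; grant only to jobs that need it."`, assuming descriptions are surfaced in completion hovers. The enclosing mapping starts and ends outside the hunk.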