[plan] Fix create-agent-session to use github.token when copilot-requests feature is enabled #24927

@github-actions

Objective

Fix the create-agent-session safe output so that when features: copilot-requests: true is set in a workflow, it uses ${{ github.token }} instead of ${{ secrets.COPILOT_GITHUB_TOKEN }}. Also ensure the safe-outputs job receives copilot-requests: write permission in that case.

Context

Ref: #24920 (Problem 1)

The intent of features: copilot-requests: true is to eliminate the need for the COPILOT_GITHUB_TOKEN PAT. However, create-agent-session currently always uses secrets.COPILOT_GITHUB_TOKEN regardless of the feature flag, causing runtime failures when users omit the secret.

Additionally, the safe-outputs job is missing copilot-requests: write permission even when the feature flag is active, so even a correct token substitution would still fail.

Files to Modify

  • pkg/workflow/github_token.go — extend getEffectiveCopilotRequestsToken() to accept (or check) the copilot-requests feature flag and substitute ${{ github.token }} when it is active
  • pkg/workflow/safe_outputs_permissions.go — in ComputePermissionsForSafeOutputs(), merge copilot-requests: write into the job permissions when copilot-requests feature flag is active and create-agent-session is present
  • pkg/workflow/compiler_safe_outputs_specialized.go — update buildCreateAgentSessionStepConfig() to accept and forward a useCopilotRequests bool parameter so the corrected token logic is used

Approach

  1. In github_token.go, add a fallback in the token chain so that when the copilot-requests feature flag is true, ${{ github.token }} is returned instead of secrets.COPILOT_GITHUB_TOKEN
  2. In safe_outputs_permissions.go, check for the copilot-requests feature flag and add copilot-requests: write to safe-outputs job permissions when the flag is set and the create-agent-session output is configured
  3. In compiler_safe_outputs_specialized.go, thread the useCopilotRequests flag through buildCreateAgentSessionStepConfig() so the correct token expression is used in the compiled YAML

Acceptance Criteria

  • When features: copilot-requests: true is set, compiled create-agent-session step uses ${{ github.token }} not ${{ secrets.COPILOT_GITHUB_TOKEN }}
  • Safe-outputs job permissions include copilot-requests: write when the feature is active and create-agent-session is present
  • When the feature flag is absent/false, existing behavior is preserved (still uses secrets.COPILOT_GITHUB_TOKEN)
  • Unit tests cover both code paths (flag on / flag off)
  • make agent-finish passes

Related to Bugfix: GitHub Token S2S TTL and Actions Timeouts #24920

Generated by Plan Command for issue #24920 · ● 142.2K ·

  • expires on Apr 8, 2026, 4:24 PM UTC
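
The rule planned above (token choice plus the matching job permission), modelled as an added Go example that is not the project's code. Config, SessionToken, JobPermissions and Lint are hypothetical names, and the second Lint rule is an added least-privilege assumption rather than something the issue requires.

```go
package main

import "fmt"

// Hypothetical model of the two inputs the issue names; not the project's types.
type Config struct {
	CopilotRequests    bool // features: copilot-requests: true
	CreateAgentSession bool // safe-outputs: create-agent-session is configured
}

const builtinToken = "${{ github.token }}"
const patToken = "${{ secrets.COPILOT_GITHUB_TOKEN }}"

// SessionToken picks the token expression for the create-agent-session step.
func SessionToken(c Config) string {
	if c.CopilotRequests {
		return builtinToken
	}
	return patToken
}

// JobPermissions copies base and adds copilot-requests: write only when both conditions hold.
func JobPermissions(c Config, base map[string]string) map[string]string {
	out := make(map[string]string, len(base)+1)
	for k, v := range base {
		out[k] = v
	}
	if c.CopilotRequests && c.CreateAgentSession {
		out["copilot-requests"] = "write"
	}
	return out
}

// Lint reports token/permission mismatches in a compiled safe-outputs job.
func Lint(token string, perms map[string]string) []string {
	var problems []string
	hasWrite := perms["copilot-requests"] == "write"
	if token == builtinToken && !hasWrite {
		problems = append(problems, "github.token used without copilot-requests: write")
	}
	if token == patToken && hasWrite { // assumption: flag unneeded scope
		problems = append(problems, "copilot-requests: write granted but PAT is used")
	}
	return problems
}

func main() {
	fmt.Println(Lint(SessionToken(Config{CopilotRequests: true}), nil))
}
```

The first Lint rule catches the half-applied fix the Context section warns about: the token is swapped but the job still lacks the permission.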
