Fix smoke-trigger.yml startup_failure and missing secrets for workflow_call

[Copilot]

smoke-trigger.yml was failing with startup_failure before any jobs ran because the caller job granted fewer permissions than the callee's jobs required, and secrets were not being passed through to the called workflow.

Error 1 — Startup failure (permissions):

Error calling workflow 'smoke-workflow-call.lock.yml':
  The nested job 'conclusion' is requesting 'discussions: write, issues: write',
  but is only allowed 'discussions: none, issues: none'.
  The nested job 'safe_outputs' is requesting 'discussions: write, issues: write',
  but is only allowed 'discussions: none, issues: none'.

Error 2 — Missing secrets:

Error: None of the following secrets are set: COPILOT_GITHUB_TOKEN

Secrets are not automatically inherited in workflow_call contexts without secrets: inherit.

Fixes in smoke-trigger.yml:

uses: ./.github/workflows/smoke-workflow-call.lock.yml
secrets: inherit        # added — passes secrets to called workflow
permissions:
  contents: read
  discussions: write    # added
  issues: write         # added
  pull-requests: write

Warning

Custom agent used: ci-cleaner
Tidies up the repository CI state by formatting sources, running linters, fixing issues, running tests, and recompiling workflows

Original prompt

Debug https://github.com/github/gh-aw/actions/workflows/smoke-trigger.yml

Custom agent used: ci-cleaner
Tidies up the repository CI state by formatting sources, running linters, fixing issues, running tests, and recompiling workflows

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

Fixes a GitHub Actions startup_failure in smoke-trigger.yml by ensuring the caller workflow grants sufficient GITHUB_TOKEN permissions to match the requirements of the reusable workflow invoked via workflow_call.

Changes:

• Added discussions: write and issues: write to the caller job permissions in .github/workflows/smoke-trigger.yml to satisfy the callee jobs’ required permissions.
• Prevents parse-time validation failure when invoking ./.github/workflows/smoke-workflow-call.lock.yml.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pelikhan]

@copilot check this failure https://github.com/github/gh-aw/actions/runs/22474121639

[Copilot]

@copilot check this failure https://github.com/github/gh-aw/actions/runs/22474121639

The permissions fix resolved the startup_failure, but the workflow then failed at the activation job because COPILOT_GITHUB_TOKEN was empty — secrets are not automatically inherited when using workflow_call.

Fixed in c111c0c by adding secrets: inherit to the caller job in smoke-trigger.yml. This ensures all secrets (including COPILOT_GITHUB_TOKEN) are passed through to the called workflow.