[Safe Outputs Conformance] IMP-002: Permission computation function in wrong file — move to safe_outputs_permissions.go

[github-actions]

Conformance Check Failure

Check ID: IMP-002
Severity: HIGH
Category: Implementation

Problem Description

The conformance checker expects ComputePermissionsForSafeOutputs to live in a dedicated file pkg/workflow/safe_outputs_permissions.go, as specified in the Safe Outputs specification. The file does not exist — the function is currently defined in pkg/workflow/safe_outputs_jobs.go:196.

The Safe Outputs specification (docs/src/content/docs/reference/safe-outputs-specification.md, line 342) explicitly states:

Tool: computePermissionsForSafeOutputs() in pkg/workflow/safe_outputs_permissions.go

Without this dedicated file, the conformance checker (IMP-002) always fails, blocking CI green status.

Affected Components

• Current location: pkg/workflow/safe_outputs_jobs.go (function at line ~196)
• Required location: pkg/workflow/safe_outputs_permissions.go (does not exist)
• Test file: pkg/workflow/safe_outputs_permissions_test.go (already exists, references correct package)
• Conformance script: scripts/check-safe-outputs-conformance.sh

Current Behavior

ComputePermissionsForSafeOutputs and its helpers (e.g. permissionsForSafeOutputsFromTools) are defined inside safe_outputs_jobs.go, which also contains job compilation logic unrelated to permission computation.

Expected Behavior

Per the specification and conformance checker, ComputePermissionsForSafeOutputs must reside in pkg/workflow/safe_outputs_permissions.go. The existing test file safe_outputs_permissions_test.go already expects this layout.

Remediation Steps

This task is suitable for a Copilot coding agent:

1. Create pkg/workflow/safe_outputs_permissions.go with the correct package workflow header.
2. Move ComputePermissionsForSafeOutputs and all permission-related helpers (e.g. permissionsForSafeOutputsFromTools, any supporting constants/vars) from safe_outputs_jobs.go into the new file.
3. Remove those declarations from safe_outputs_jobs.go.
4. Ensure the package builds without errors (go build ./pkg/workflow/...).
5. Run existing tests to confirm nothing broke (go test ./pkg/workflow/...).

Verification

After remediation, run:

bash scripts/check-safe-outputs-conformance.sh

Check IMP-002 should now report [PASS] IMP-002: Permission computation function exists.

References

• Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
• Conformance Checker: scripts/check-safe-outputs-conformance.sh
• Run ID: §22803073745
• Date: 2026-03-07

Generated by Daily Safe Outputs Conformance Checker · ◷

• expires on Mar 8, 2026, 4:54 PM UTC

[github-actions]

This issue is being closed as outdated. A newer issue has been created: #20090

View newer issue

---

This action was performed automatically by the Daily Safe Outputs Conformance Checker workflow.