Add workflows permission scope to WorkflowParser

src/Sdk/WorkflowParser/Conversion/WorkflowTemplateConverter.cs

@@ -1957,6 +1957,24 @@ private static Permissions ConvertToPermissions(TemplateContext context, Templat
                             context.Error(key, $"The permission 'models' is not allowed");
                         }
                         break;
+                    case "workflows":
+                        if (context.GetFeatures().AllowWorkflowsPermission)
+                        {
+                            // Workflows only supports write; downgrade read to none
+                            if (permissionLevel == PermissionLevel.Read)
+                            {
+                                permissions.Workflows = PermissionLevel.NoAccess;
+                            }
+                            else
+                            {
+                                permissions.Workflows = permissionLevel;
+                            }
+                        }
+                        else
+                        {
+                            context.Error(key, $"The permission 'workflows' is not allowed");
+                        }
+                        break;
                     default:
                         break;
                 }

src/Sdk/WorkflowParser/Permissions.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.Runtime.Serialization;
 using GitHub.Actions.WorkflowParser.Conversion;
@@ -17,7 +17,7 @@ public Permissions()
         public Permissions(Permissions copy)
         {
             Actions = copy.Actions;
-			ArtifactMetadata = copy.ArtifactMetadata;
+            ArtifactMetadata = copy.ArtifactMetadata;
             Attestations = copy.Attestations;
             Checks = copy.Checks;
             Contents = copy.Contents;
@@ -32,6 +32,7 @@ public Permissions(Permissions copy)
             SecurityEvents = copy.SecurityEvents;
             IdToken = copy.IdToken;
             Models = copy.Models;
+            Workflows = copy.Workflows;
         }
 
         public Permissions(
@@ -41,7 +42,7 @@ public Permissions(
             bool includeModels)
         {
             Actions = permissionLevel;
-			ArtifactMetadata = permissionLevel;
+            ArtifactMetadata = permissionLevel;
             Attestations = includeAttestations ? permissionLevel : PermissionLevel.NoAccess;
             Checks = permissionLevel;
             Contents = permissionLevel;
@@ -56,9 +57,11 @@ public Permissions(
             SecurityEvents = permissionLevel;
             IdToken = includeIdToken ? permissionLevel : PermissionLevel.NoAccess;
             // Models must not have higher permissions than Read
-            Models = includeModels 
-                ? (permissionLevel == PermissionLevel.Write ? PermissionLevel.Read : permissionLevel) 
+            Models = includeModels
+                ? (permissionLevel == PermissionLevel.Write ? PermissionLevel.Read : permissionLevel)
                 : PermissionLevel.NoAccess;
+            // Workflows is excluded from write-all / read-all; must be explicitly requested
+            Workflows = PermissionLevel.NoAccess;
         }
 
         private static KeyValuePair<string, (PermissionLevel, PermissionLevel)>[] ComparisonKeyMapping(Permissions left, Permissions right)
@@ -81,6 +84,7 @@ public Permissions(
                 new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("security-events", (left.SecurityEvents, right.SecurityEvents)),
                 new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("id-token", (left.IdToken, right.IdToken)),
                 new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("models", (left.Models, right.Models)),
+                new KeyValuePair<string, (PermissionLevel, PermissionLevel)>("workflows", (left.Workflows, right.Workflows)),
             };
         }
 
@@ -196,6 +200,13 @@ public PermissionLevel Statuses
             set;
         }
 
+        [DataMember(Name = "workflows", EmitDefaultValue = false)]
+        public PermissionLevel Workflows
+        {
+            get;
+            set;
+        }
+
         public Permissions Clone()
         {
             return new Permissions(this);

src/Sdk/WorkflowParser/WorkflowFeatures.cs

@@ -1,4 +1,4 @@
-using System;
+using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Reflection;
@@ -41,6 +41,13 @@ public class WorkflowFeatures
         [DataMember(EmitDefaultValue = false)]
         public bool AllowModelsPermission { get; set; }
 
+        /// <summary>
+        /// Gets or sets a value indicating whether users may use the "workflows" permission.
+        /// Used during parsing only.
+        /// </summary>
+        [DataMember(EmitDefaultValue = false)]
+        public bool AllowWorkflowsPermission { get; set; }
+
         /// <summary>
         /// Gets or sets a value indicating whether the expression function fromJson performs strict JSON parsing.
         /// Used during evaluation only.
@@ -67,6 +74,7 @@ public static WorkflowFeatures GetDefaults()
                 Snapshot = false,           // Default to false since this feature is still in an experimental phase
                 StrictJsonParsing = false,  // Default to false since this is temporary for telemetry purposes only
                 AllowModelsPermission = false, // Default to false since we want this to be disabled for all non-production environments
+                AllowWorkflowsPermission = false, // Default to false; gated by feature flag for controlled rollout
                 AllowServiceContainerCommand = false, // Default to false since this feature is gated by actions_service_container_command
             };
         }