Skip to content

Add permissions block to pr-checks workflow #43

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
Copilot wants to merge 3 commits into from
Closed

Add permissions block to pr-checks workflow #43

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cca6ba7
Initial plan
Copilot Feb 9, 2026
f4fb1d5
fix: add permissions block to pr-checks.yml for PR commenting
Copilot Feb 9, 2026
e4820f9
Update .github/workflows/pr-checks.yml
groupthinking Feb 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions .github/workflows/pr-checks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,9 @@ name: PR Checks
on:
pull_request:
types: [opened, reopened, synchronize, edited]
permissions:
pull-requests: read
Copy link

Copilot AI Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description states that pull-requests: write is needed to allow github.rest.issues.createComment() to comment on PRs, but the implementation sets pull-requests: read instead. This will not grant sufficient permissions to create comments on pull requests. The workflow will continue to fail with "Resource not accessible by integration" error. Change this to pull-requests: write as described in the PR.

Copilot uses AI. Check for mistakes.
issues: write
jobs:
validate:
runs-on: ubuntu-latest
Comment on lines +6 to 10
Copy link

@sentry sentry bot Feb 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The pr-checks.yml workflow has insufficient permissions. It uses pull-requests: read but needs pull-requests: write to post comments on pull requests via github.rest.issues.createComment().
Severity: CRITICAL

Suggested Fix

In the pr-checks.yml workflow file, change the permissions block for the pr-checks job. Update pull-requests: read to pull-requests: write to grant the necessary permissions for creating comments on pull requests.

Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/pr-checks.yml#L6-L10

Potential issue: The `pr-checks.yml` workflow is configured with `pull-requests: read`
permission. However, the workflow attempts to post a comment on a pull request using
`github.rest.issues.createComment()`. This API call requires `pull-requests: write`
permission to operate on pull requests. With only read access, the call will fail,
raising a "Resource not accessible by integration" error. This prevents the workflow
from successfully posting validation results as a PR comment, causing a runtime failure.

Did we get this right? 👍 / 👎 to inform future reviews.

Expand Down