fix(ci): grant pull-requests:write so advisor can post PR comments

[jyaunches]

Summary

Adds pull-requests: write to the e2e-advisor workflow so the advisor can actually post its recommendation comment on PRs.

What's broken on main today

Since PR #3289 merged ~2 hours ago, the advisor workflow has been running successfully on same-repo PRs — but the Post E2E advisor PR comment step silently skips every time:

403 {"message":"Resource not accessible by integration"}

Concrete evidence on PR #3364:

Run	Job	Comment posted?
25697796461	✅ success	❌ no
25699366979	✅ success	❌ no

The runs look green because comment.mjs catches the 403 as a permission error (a defensive path added during the #3289 review) and keeps the job passing, but the user-visible artifact — the comment on the PR — never materializes.

Root cause

The permissions: block on main currently declares:

permissions:
  contents: read
  pull-requests: read
  issues: write

The token effective permissions confirm this takes effect (from the Set up job log group):

GITHUB_TOKEN Permissions
  Contents: read
  Issues: write
  Metadata: read
  PullRequests: read

Even so, POST /repos/NVIDIA/NemoClaw/issues/3364/comments returns 403 Resource not accessible by integration.

The reason is a well-documented GitHub Actions permission-name trap: for GITHUB_TOKEN, PR comments are gated by pull-requests: write, not issues: write — even though the REST endpoint lives under /issues/:n/comments. The issues permission only applies to true issues; PRs fall under pull-requests. This is tracked in community discussion #56632 and has bitten many workflows.

Fix

Flip pull-requests from read to write, and drop an inline comment on the permissions block so the next reviewer doesn't have to rediscover this.

issues: write is kept for now — it's unused on the PR-comment path but it's dirt-cheap to leave in case we ever want the advisor to post on true issues.

Defense in depth

The graceful permission-error handling in tools/e2e-advisor/comment.mjs (added in #3289 per @ericksoa's review) stays in place unchanged. This PR just ensures that for a correctly-configured repo the 403 path is no longer hit on normal same-repo PRs.

Testing

• python3 -c "import yaml; yaml.safe_load(open('.github/workflows/e2e-advisor.yaml'))" — workflow still parses.
• Non-code change, so local unit tests are unaffected.
• The real verification is the next same-repo PR after merge — expected behavior is an advisor comment appearing within a few minutes.

Out of scope for this PR

There's a second gap visible on upstream: PI_E2E_ADVISOR_API_KEY is not set on NVIDIA/NemoClaw, so the analysis step currently degrades to:

Skipped: No Pi provider credential was available in this workflow environment

That's an admin configuration task (Settings → Secrets and variables → Actions → New repository secret), not a code change, so handling it separately.

Related

• PR ci: add E2E Advisor recommendations #3289 (merged): introduced the advisor + the trust-boundary restructure.
• Observed on PR test(openclaw): add TUI chat correlation regression #3364 (same-repo, member-authored, fresh push — exactly the case the advisor is designed for).

Summary by CodeRabbit

• Chores
  • Updated pull request workflow permissions to enable advisor to post and update comments on pull requests.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 86c5979e-59d9-4ce8-a032-3ff9e8840a0e

📥 Commits

Reviewing files that changed from the base of the PR and between 32cab9d and 33bbe89.

📒 Files selected for processing (1)

• .github/workflows/e2e-advisor.yaml

---

📝 Walkthrough

Walkthrough

The PR updates the GitHub Actions e2e-advisor workflow to grant pull-requests: write permission instead of pull-requests: read, enabling the advisor to post and update PR comments. Explanatory comments document the permission scope requirement.

Changes

Workflow Permissions Update

Layer / File(s)	Summary
Workflow Permissions Configuration .github/workflows/e2e-advisor.yaml	pull-requests permission changed from read to write to enable PR comment posting and updates. Documentation comments explain the permission requirement. issues: write remains unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~5 minutes

Poem

A workflow tweak, both small and bright,
From read to write, the perms take flight,
Now advisors hop through PRs with cheer, 🐰✨
Posting comments without fear.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: granting pull-requests:write permission to the advisor workflow so it can post PR comments, which directly addresses the core issue in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}