`checkWritePermissions` fails with 404 for non-user actors like `Copilot`

[goodtune]

Describe the bug

checkWritePermissions() in src/github/validation/permissions.ts calls octokit.repos.getCollaboratorPermissionLevel() with github.actor as the username. When the actor is Copilot (from a Copilot-initiated pull_request_review), this API call returns 404 because Copilot is not a regular GitHub user.

The function has a bypass for actors ending in [bot] (line 47), but Copilot doesn't match that pattern.

To Reproduce

1. Configure anthropics/claude-code-action@v1 on a pull_request_review workflow
2. Pass a github_token input (to bypass OIDC exchange — see OIDC token exchange fails with 401 when github.actor is Copilot #1017)
3. Have GitHub Copilot submit a review, triggering the workflow with github.actor = "Copilot"
4. The checkWritePermissions call fails with 404

Error Log

Using provided GITHUB_TOKEN for authentication
Checking permissions for actor: Copilot
GET /repos/goodtune/ghp/collaborators/Copilot/permission - 404 with id AC45:74D71:1143342:4A95233:69A9F64B in 157ms
##[error]Failed to check permissions: HttpError: Copilot is not a user - https://docs.github.com/rest/collaborators/collaborators#get-repository-permissions-for-a-user
##[error]Action failed with error: Failed to check permissions for Copilot: HttpError: Copilot is not a user - https://docs.github.com/rest/collaborators/collaborators#get-repository-permissions-for-a-user

• Failing run: https://github.com/goodtune/ghp/actions/runs/22737527586/job/65943266000

Root Cause

In src/github/validation/permissions.ts, the bot bypass only checks for [bot] suffix:

// Line 47-50
if (actor.endsWith("[bot]")) {
  core.info(`Actor is a GitHub App: ${actor}`);
  return true;
}

Copilot is a non-user actor that doesn't follow the [bot] naming convention, so it falls through to the API call which 404s.

Suggested Fix

Catch 404 errors from the collaborator permission API and check whether the actor is a known non-user entity, or fall back to checking triggering_actor permissions instead.

A simpler approach: wrap the API call in error handling that recognises "not a user" 404s and consults allowed_bots before throwing.

Related Issues

• OIDC token exchange fails with 401 when github.actor is Copilot #1017 — Server-side OIDC token exchange also fails for Copilot actor (precedes this check)
• Title: Support for GitHub Copilot-created Pull Requests #903 — Same Copilot actor problem, reported against checkHumanActor
• checkHumanActor fails with 404 for bot actors before checking allowed_bots configuration #900 — Similar 404 in checkHumanActor for bot actors in scheduled workflows

API Provider

• Anthropic First-Party API (default)

[goodtune]

Relationship to existing issues

• OIDC token exchange fails with 401 when github.actor is Copilot #1017 — Filed alongside this issue. Covers the server-side OIDC token exchange failure for Copilot actor, which occurs before this client-side checkWritePermissions() check.

• Title: Support for GitHub Copilot-created Pull Requests #903 — Same Copilot actor problem, but reports a 404 in checkHumanActor() rather than checkWritePermissions(). Both are client-side validation failures caused by Copilot not being a regular GitHub user.

• checkHumanActor fails with 404 for bot actors before checking allowed_bots configuration #900 — Similar 404 in checkHumanActor() for github-merge-queue[bot] in scheduled workflows. The proposed fix (check allowed_bots before making the API call) would help for checkHumanActor but doesn't address checkWritePermissions.

• If pr-review mode, skip check if the actor has write permissions to the repository #93 — Earlier proposal to skip permission checks in review mode, closed as wontfix.

[goodtune]

Note: even after working around this with allowed_non_write_users: "Copilot", the next step (checkHumanActor) also 404s on the Copilot actor before checking allowed_bots. That's #900, and PR #916 has a fix awaiting review.

The full chain of blockers for Copilot-triggered reviews is documented in #1017.