`gh pr edit` `--add-label` to PR requires write permission to both issues and pull-requests

[mback2k]

Not sure if this is the best place to post this issue, it may also be a lack of documentation for the GitHub API or CLI.

Describe the bug

gh pr edit --add-label to PR requires write permission to both issues and pull-requests.

1. Expected failure without any write permission:
   https://github.com/curl/curl/runs/4021004943?check_suite_focus=true#step:5:13

2. Unexpected silent failure with write permission to pull-requests, but missing write permission to issues:
   https://github.com/curl/curl/runs/4021113193?check_suite_focus=true#step:5:17
   (mentioned PRs did not get the label via GitHub Actions bot, but it was then later manually added by myself)

3. Surprising success with both write permissions for pull-requests and issues:
   https://github.com/curl/curl/runs/4027534500?check_suite_focus=true#step:5:13
   (mentioned PR did get the label via GitHub Actions bot)

Local version affected in addition to the version inside the ubuntu-latest GitHub Action image:

gh version 2.2.0 (2021-10-25)
https://github.com/cli/cli/releases/tag/v2.2.0

Steps to reproduce the behavior

Repeat the following steps with the different set of workflow permissions mentioned above:

1. Add hacktoberfest label to a test repository (can also replace hacktoberfest with hacktobertest or some other test label to avoid actual participation).
2. Copy this workflow into the test repository (adapt workflow to test label for both the repository and pull-requests if changed in previous step).
3. Make sure the workflow is present on the default branch on GitHub (adapt workflow to run on pushes to default branch if needed).
4. Open a new pull-request to the test repository.
5. Mention the pull-request with a "Closes #prnum" reference on the default branch.

Expected vs actual behavior

I would have expected this to work with just the write permission for pull-requests since a PR is the target of the edit.

Logs

See links to check logs mentioned above.

[vilmibm]

Hi,

as far as I can tell this is intended (albeit confusing and frustrating) behavior of the GitHub platform compounded by the fact that, by default, the token used by GitHub Actions is limited in scope.

I do see one thing that is under our control in the CLI though which is that strange silent failure you experienced when you were missing the issues scope.

Are you comfortable with us renaming and refocusing this issue to be about investigating and fixing that silent failure?

[mback2k]

Sure. An error message would be highly appreciated in the currently silent case. It took me quite some time to identify the root cause.

[mislav]

Thanks for reporting! My hunch was that without the issue write permissions, the list of labels was silently discarded on the platform.

I've confirmed that by trying out this mutation with only pull-request write permission but no issue:

mutation {
    updatePullRequest(input: {
        pullRequestId: "MDExOlB1bGxSZXF1ZXN0NjAwNTkxOTk2"
        labelIds: ["MDU6TGFiZWwxNDk1ODM2ODE=", "MDU6TGFiZWwxNDk1ODM2ODQ="]
    }) {
        __typename
    }
}

The operation "succeeds" but the labels were never applied to my PR. I will report this on the platform side.

[mback2k]

Thanks, I guess you may also wanna test it the other way around for labels on issues.