fix(ci): grant issues: write so the approval label step can run#12464
Conversation
The pr-review-automation workflow merged in #12462 fails at the label step with 'Resource not accessible by integration (addLabelsToLabelable)'. gh pr edit --add-label uses the GraphQL addLabelsToLabelable mutation, which requires issues: write even when labeling a PR; pull-requests: write alone is insufficient. Grant it per job, matching pacquet-integrated-benchmark-comment.yml.
No actionable comments were generated in the recent review. 🎉
Review configuration: Path: .coderabbit.yaml, Review profile: CHILL, Plan: Pro Plus. Files selected for processing (1)
📝 Walkthrough: Two GitHub Actions jobs (
Changes: Workflow Permission Fix
Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~2 minutes
🚥 Pre-merge checks: ✅ 5 passed checks (5 passed)
PR Summary by Qodo
Fix pr-review-automation label step by granting job-scoped issues: write
Description
• Grant issues: write per job so gh pr edit --add-label can succeed.
• Document why labeling a PR requires the GraphQL addLabelsToLabelable permission.
• Keep permissions least-privilege by scoping to only the affected jobs.
Diagram
```mermaid
graph TD
    A["pr-review-automation.yml"] --> B["Review event job"] --> C["gh pr edit --add-label"] --> D{{"GitHub GraphQL"}} --> E["Apply label on PR"]
    A --> F["Maintainer review job"] --> C
    subgraph Legend
        direction LR
        _wf["Workflow/Job"] ~~~ _cli["CLI step"] ~~~ _ext{{"External API"}}
    end
```
High-Level Assessment: The chosen fix is the correct least-privilege approach:
File Changes: Other (1)
CI Feedback 🧐 A test triggered by this PR failed. Here is an AI-generated analysis of the failure:
Follow-up fix to the PR review automation merged in #12462.
The workflow fails at runtime on the label step:
Cause:
gh pr edit --add-label doesn't use the REST labels endpoint — it goes through the GraphQL addLabelsToLabelable mutation, which is governed by issues: write even when the target is a PR. The merged workflow granted only pull-requests: write, so the mutation is rejected.
(The issues: write fix was committed to the original branch after #12462 had already merged, so it never landed — hence this separate PR.)
Fix: grant issues: write alongside pull-requests: write on each job. It stays job-scoped (not workflow-wide), so it remains least-privilege, and it matches the existing pattern in pacquet-integrated-benchmark-comment.yml.
Written by an agent (Claude Code, claude-opus-4-8).
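The permission shape the description argues for, as an added illustration that is not the pnpm project's pr-review-automation.yml or any file from this PR: a minimal workflow with the insufficient grant (pull-requests: write alone) next to the corrected job-scoped grant (issues: write added beside it). The workflow name, job names, trigger and label name are assumptions chosen for the example; the GITHUB_TOKEN scope rules and the gh invocation are standard GitHub Actions behaviour.

```yaml
# Added example, not the project's workflow. Job names, trigger and the
# label name "approved" are assumptions for illustration.
name: pr-label-example

on:
  pull_request_review:
    types: [submitted]

# Workflow-level default for jobs that do not declare their own block.
# A job that sets `permissions` replaces this entirely: every scope it
# does not list (contents included) becomes none for that job.
permissions:
  contents: read

jobs:
  # BEFORE (fails): only pull-requests: write. `gh pr edit --add-label`
  # labels the PR through the GraphQL addLabelsToLabelable mutation, which is
  # gated on issues: write, so GITHUB_TOKEN is rejected with
  # "Resource not accessible by integration". Disabled so it never runs.
  label-broken:
    if: ${{ false }}
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - run: gh pr edit "$PR" --add-label approved
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}

  # AFTER (works): issues: write granted beside pull-requests: write, on this
  # job only rather than at workflow level, so the other jobs' token is not
  # widened. No checkout is needed, so contents stays at none here.
  label-approved:
    if: ${{ github.event.review.state == 'approved' }}
    runs-on: ubuntu-latest
    permissions:
      issues: write
      pull-requests: write
    steps:
      - run: gh pr edit "$PR" --add-label approved
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR: ${{ github.event.pull_request.number }}
```

When an `addLabelsToLabelable` (or any other mutation name) shows up in a "Resource not accessible by integration" error, the mutation name is the clue to which scope the token lacks; look it up against the GitHub permissions reference rather than widening the whole workflow's `permissions` block.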