
fix(ci): grant issues: write so the approval label step can run #12464

Merged: zkochan merged 1 commit into main from fix-label-permissions on Jun 17, 2026

Conversation


@zkochan zkochan commented Jun 17, 2026

Member

Follow-up fix to the PR review automation merged in #12462.

The workflow fails at runtime on the label step:

GraphQL: Resource not accessible by integration (addLabelsToLabelable)
Error: Process completed with exit code 1.

Cause: gh pr edit --add-label doesn't use the REST labels endpoint — it goes through the GraphQL addLabelsToLabelable mutation, which is governed by issues: write even when the target is a PR. The merged workflow granted only pull-requests: write, so the mutation is rejected.

(The issues: write fix was committed to the original branch after #12462 had already merged, so it never landed — hence this separate PR.)

Fix: grant issues: write alongside pull-requests: write on each job. It stays job-scoped (not workflow-wide), so it remains least-privilege, and it matches the existing pattern in pacquet-integrated-benchmark-comment.yml.


Written by an agent (Claude Code, claude-opus-4-8).

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions workflow permissions to improve automation reliability.
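The job-scoped permission grant the PR describes, shown as an added illustrative workflow rather than the contents of pnpm's .github/workflows/pr-review-automation.yml: the trigger, job name, label name and step layout are assumptions; only the fact that gh pr edit --add-label needs issues: write (because it goes through the addLabelsToLabelable mutation) comes from the PR.

```yaml
# Illustrative workflow (added example, not pnpm's actual file).
# Assumed: trigger, job name, label name, step layout.
name: pr-review-automation

on:
  pull_request_review:
    types: [submitted]

# Deliberately no workflow-level `permissions:` block. Each job declares its
# own grant, so jobs that never touch labels keep a read-only GITHUB_TOKEN.

jobs:
  on-maintainer-approval:
    if: github.event.review.state == 'approved'
    runs-on: ubuntu-latest

    # BEFORE (fails at runtime with "Resource not accessible by integration
    # (addLabelsToLabelable)"): the job had only
    #   permissions:
    #     pull-requests: write
    #
    # AFTER (works): issues: write is added next to pull-requests: write and
    # scoped to this job only, not granted workflow-wide.
    permissions:
      pull-requests: write
      issues: write   # gh pr edit --add-label uses the GraphQL addLabelsToLabelable
                      # mutation, which is gated by issues: write even for a PR

    steps:
      - name: Label the approved PR
        env:
          GH_TOKEN: ${{ github.token }}
          PR: ${{ github.event.pull_request.number }}
        run: gh pr edit "$PR" --add-label "approved"   # "approved" is an assumed label name
```

A quick way to confirm a job received the intended grant is the "GITHUB_TOKEN Permissions" group the runner prints at the top of every job log (the CI log quoted later in this thread shows one with only Contents: read and Metadata: read). If issues: write is missing there, the label step will fail before the job logic is ever reached.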

The pr-review-automation workflow merged in #12462 fails at the
label step with 'Resource not accessible by integration
(addLabelsToLabelable)'. gh pr edit --add-label uses the GraphQL
addLabelsToLabelable mutation, which requires issues: write even when
labeling a PR; pull-requests: write alone is insufficient. Grant it per
job, matching pacquet-integrated-benchmark-comment.yml.

qodo-free-for-open-source-projects Bot commented Jun 17, 2026


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Great, no issues found!

Qodo reviewed your code and found no material issues that require review



coderabbitai Bot commented Jun 17, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: cf469afe-9d5d-4b30-a136-b5720ada45bd

📥 Commits

Reviewing files that changed from the base of the PR and between 5c12968 and 9d73d49.

📒 Files selected for processing (1)
  • .github/workflows/pr-review-automation.yml

📝 Walkthrough

Walkthrough

Two GitHub Actions jobs (on-coderabbit-approval and on-maintainer-approval) in the PR review automation workflow each receive an explicit issues: write permission, alongside the existing pull-requests: write, with an inline comment attributing the requirement to the GraphQL addLabelsToLabelable mutation used by gh pr edit --add-label.

Changes

Workflow Permission Fix

  • .github/workflows/pr-review-automation.yml: Add issues: write to both approval jobs. Both on-coderabbit-approval and on-maintainer-approval jobs now declare issues: write in their permissions blocks, accompanied by a comment explaining that this is required for the addLabelsToLabelable GraphQL mutation invoked by gh pr edit --add-label.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • pnpm/pnpm#12462: Directly modifies the same .github/workflows/pr-review-automation.yml approval job permissions, making it the immediate predecessor to this change.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title follows Conventional Commits specification with 'fix:' prefix and clearly describes the change: granting issues:write permission to fix the approval label step in CI.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@qodo-free-for-open-source-projects


PR Summary by Qodo

Fix pr-review-automation label step by granting job-scoped issues: write
🐞 Bug fix ⚙️ Configuration changes 🕐 Less than 5 minutes


Walkthroughs

Description
• Grant issues: write per job so gh pr edit --add-label can succeed.
• Document why labeling a PR requires the GraphQL addLabelsToLabelable permission.
• Keep permissions least-privilege by scoping to only the affected jobs.
Diagram
graph TD
  A["pr-review-automation.yml"] --> B["Review event job"] --> C["gh pr edit --add-label"] --> D{{"GitHub GraphQL"}} --> E["Apply label on PR"]
  A --> F["Maintainer review job"] --> C

  subgraph Legend
    direction LR
    _wf["Workflow/Job"] ~~~ _cli["CLI step"] ~~~ _ext{{"External API"}}
  end
High-Level Assessment

The chosen fix is the correct least-privilege approach: gh pr edit --add-label uses GraphQL’s addLabelsToLabelable, which is gated by issues: write even for PRs. Granting issues: write at the job level (not workflow-wide) directly addresses the runtime failure while keeping permissions scoped.


File Changes

Other (1)
pr-review-automation.yml Add job-scoped issues: write permission for PR labeling +6/-0

Add job-scoped issues: write permission for PR labeling

• Adds 'issues: write' to each labeling job so 'gh pr edit --add-label' can execute the GraphQL 'addLabelsToLabelable' mutation successfully. Includes inline comments explaining why 'pull-requests: write' alone is insufficient.

.github/workflows/pr-review-automation.yml



@qodo-free-for-open-source-projects


CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: TS CI / Success

Failed stage: Fail if any dependency failed or was cancelled [❌]

Failed test name: ""

Failure summary:

The action failed because a workflow step explicitly ran exit 1, which forces the shell (/usr/bin/bash -e) to terminate with a non-zero status.
This caused the job step Run exit 1 to fail with Process completed with exit code 1.

Relevant error logs:
1:  ##[group]Runner Image Provisioner
2:  Hosted Compute Agent
...

16:  Included Software: https://github.com/actions/runner-images/blob/ubuntu24/20260607.184/images/ubuntu/Ubuntu2404-Readme.md
17:  Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu24%2F20260607.184
18:  ##[endgroup]
19:  ##[group]GITHUB_TOKEN Permissions
20:  Contents: read
21:  Metadata: read
22:  ##[endgroup]
23:  Secret source: Actions
24:  Prepare workflow directory
25:  Prepare all required actions
26:  Complete job name: TS CI / Success
27:  ##[group]Run exit 1
28:  exit 1
29:  shell: /usr/bin/bash -e {0}
30:  ##[endgroup]
31:  ##[error]Process completed with exit code 1.
32:  Cleaning up orphan processes

@zkochan zkochan merged commit c7950e7 into main Jun 17, 2026
25 of 26 checks passed
@zkochan zkochan deleted the fix-label-permissions branch June 17, 2026 06:07