mirror of
https://github.com/pewdiepie-archdaemon/odysseus.git
synced 2026-06-20 03:35:35 -04:00
fix(ci): restore pull-requests:write for PR label/comment writes (#3367)
#3336 reduced the PR-checks workflow to pull-requests:read on the assumption that PR labels/comments only need issues:write (the REST path is /issues/{n}/...). They do not: modifying a pull request's labels or comments requires the pull-requests scope, so issues:write alone returns 403 and crashed the description check on every PR. Restore pull-requests:write, and fail soft in swapLabel so a label-permission error can never mask the description verdict.
This commit is contained in:
Kenny Van de Maele
committed by
GitHub
GitHub
parent
c46ea44f43
commit
3557a3f495
@@ -7,12 +7,14 @@ on:
|
||||
# pull_request_target runs in the base-repo context (has secrets).
|
||||
# The checkout below pins to the base branch so no fork code is executed.
|
||||
# The script only reads context.payload and calls the GitHub API.
|
||||
# Least privilege: contents:read for the base-ref checkout, pull-requests:read
|
||||
# for pulls.get (mergeability), issues:write for label + comment management
|
||||
# (PR labels and comments both go through the issues API).
|
||||
# Least privilege: contents:read for the base-ref checkout, pull-requests:write
|
||||
# to add/remove labels and post comments on PRs, and issues:write for the same
|
||||
# on real issues. NOTE: modifying a *pull request's* labels/comments needs the
|
||||
# `pull-requests` scope even though the REST path is under `/issues/{n}/...`;
|
||||
# `issues:write` alone returns 403 on PRs.
|
||||
permissions:
|
||||
contents: read
|
||||
pull-requests: read
|
||||
pull-requests: write
|
||||
issues: write
|
||||
|
||||
jobs:
|
||||
|
||||
Reference in New Issue
Block a user