fix: use permissions: write in bonk instead of CODEOWNERS

[mvvmm]

Summary

The bonk-auto-review job was failing with exit code 1 for contributors who are codeowners via team membership (e.g. jhutchings1). The ask-bonk action's internal permissions: CODEOWNERS check does a flat string match against the CODEOWNERS file and does not resolve GitHub team membership, so it rejects valid codeowners listed via team references like @cloudflare/product-owners. Cloudflare-Studio/ask-bonk#173

Replaces permissions: CODEOWNERS with permissions: write in the bonk steps. The write check uses GitHub's actual permissions API, which correctly resolves team membership. Generally speaking, all CODEOWNERS should have write access. This also serves as defense-in-depth alongside the job-level if: condition which gates on needs.check-codeowner.outputs.is-codeowner == 'true'.

[github-actions]

This pull request requires reviews from CODEOWNERS as it changes files that match the following patterns:

Pattern	Owners
/.github/	@cloudflare/content-engineering, @kodster28, @mvvmm, @colbywhite, @ahaywood, @MohamedH1998

[ask-bonk]

No issues found. The change correctly addresses the false-positive failures for team-member codeowners.

Follow-up: the bonk job on line 90 still uses permissions: CODEOWNERS and may fail for the same reason when team members invoke /bonk. Consider aligning both jobs in a future PR.

[ask-bonk]

Review completed for PR #30926.

• Added labels: engineering, bug
• Posted a PR review comment

Summary: The change is correct and well-explained. Replacing permissions: CODEOWNERS with permissions: write in the bonk-auto-review job fixes the false-positive failures for contributors who are codeowners via GitHub team membership, while the existing job-level if: condition still provides the primary security gate.

Follow-up noted: The regular bonk job on line 90 still uses permissions: CODEOWNERS. Team-member codeowners who invoke /bonk could hit the same issue, so consider aligning both jobs in a future PR.

github run

[github-actions]

Preview URL: https://a6401779.preview.developers.cloudflare.com
Preview Branch URL: https://fix-bonk-auto-review-codeowners.preview.developers.cloudflare.com

[mvvmm]

/bonk review

[ask-bonk]

Both instances of are now correctly replaced with . The change aligns the and jobs and fixes the false-positive failures for codeowners via team membership.

[ask-bonk]

Both instances of permissions: CODEOWNERS are now correctly replaced with permissions: write. The change aligns the bonk and bonk-auto-review jobs and fixes the false-positive failures for codeowners via team membership.

[ask-bonk]

Review posted for PR #30926.

The change is correct. Both permissions: CODEOWNERS instances in .github/workflows/bonk.yml are now permissions: write, which fixes the false-positive failures for contributors who are codeowners via GitHub team membership. The bonk and bonk-auto-review jobs are now aligned.

No issues found — the PR is ready to merge.

github run