
[bug-hunter] PR Review failure issue reporting lacks issue write permission #1458

Description

@github-actions

Impact

gh-aw-pr-review.lock.yml defaults report-failure-as-issue to true, but its conclusion job only grants contents: read and pull-requests: write. When the agent fails and the conclusion path tries to report that failure as a GitHub issue, the job token cannot create the issue, so users lose the advertised/default failure report.

Reproduction Steps

  1. Save this script as /tmp/gh-aw/agent/repro_pr_review_failure_issue_permission.sh in a checkout of this repository.
  2. Run bash /tmp/gh-aw/agent/repro_pr_review_failure_issue_permission.sh.

Expected vs Actual

Expected: A workflow that defaults failure issue reporting on and passes GH_AW_FAILURE_REPORT_AS_ISSUE should grant issues: write to the conclusion job.

Actual: The conclusion job lacks issues: write:

report-failure-as-issue default true: true
conclusion passes GH_AW_FAILURE_REPORT_AS_ISSUE: true
conclusion permissions include issues: write: false
FAIL: gh-aw-pr-review defaults failure issue reporting on, but the conclusion job cannot write issues.

Failing Test

#!/usr/bin/env bash
set -euo pipefail
# Compiled workflow under test (path as seen on the Actions runner).
wf="/home/runner/work/ai-github-actions/ai-github-actions/.github/workflows/gh-aw-pr-review.lock.yml"

has_default_report_issue=false
has_report_env=false
has_conclusion_issue_write=false

# 1. Does the report-failure-as-issue input default to true?
if awk '
  /report-failure-as-issue:/ { in_input=1; next }
  in_input && /^[[:space:]]+[[:alnum:]_-]+:/ && $1 != "description:" && $1 != "type:" && $1 != "required:" && $1 != "default:" { in_input=0 }
  in_input && /default:[[:space:]]+true/ { found=1 }
  END { exit(found ? 0 : 1) }
' "$wf"; then
  has_default_report_issue=true
fi

# 2. Is that input forwarded to the conclusion path as GH_AW_FAILURE_REPORT_AS_ISSUE?
if grep -q 'GH_AW_FAILURE_REPORT_AS_ISSUE:.*inputs.report-failure-as-issue' "$wf"; then
  has_report_env=true
fi

# 3. Does the conclusion job's own permissions block grant issues: write?
if awk '
  /^  conclusion:/ { in_conclusion=1; next }
  in_conclusion && /^  [^[:space:]][^:]*:/ { in_conclusion=0 }
  in_conclusion && /^    permissions:/ { in_permissions=1; next }
  in_permissions && /^    [^[:space:]][^:]*:/ { in_permissions=0 }
  in_permissions && /^[[:space:]]+issues:[[:space:]]+write/ { found=1 }
  END { exit(found ? 0 : 1) }
' "$wf"; then
  has_conclusion_issue_write=true
fi

printf 'report-failure-as-issue default true: %s\n' "$has_default_report_issue"
printf 'conclusion passes GH_AW_FAILURE_REPORT_AS_ISSUE: %s\n' "$has_report_env"
printf 'conclusion permissions include issues: write: %s\n' "$has_conclusion_issue_write"

# The bug: reporting is on by default and wired through, yet the job that
# would create the issue holds no issues: write permission.
if [[ "$has_default_report_issue" == true && "$has_report_env" == true && "$has_conclusion_issue_write" != true ]]; then
  echo 'FAIL: gh-aw-pr-review defaults failure issue reporting on, but the conclusion job cannot write issues.'
  exit 1
fi

echo PASS

Evidence

  • .github/workflows/gh-aw-pr-review.md:68-72 defines report-failure-as-issue with default: true.
  • .github/workflows/gh-aw-pr-review.lock.yml:1588 passes GH_AW_FAILURE_REPORT_AS_ISSUE: ${{ inputs.report-failure-as-issue && 'true' || 'false' }} into the conclusion reporting path.
  • .github/workflows/gh-aw-pr-review.lock.yml:1355-1367 defines the conclusion job with only contents: read and pull-requests: write, so issue creation is not permitted.

Suggested Actions

  • Add issues: write to the PR Review conclusion job permissions when failure reporting as issues is enabled/defaulted.
  • Add a compile/static regression test that fails when a workflow exposes default-on failure issue reporting without granting the conclusion job issue-write permission.
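The second suggested action, as an added example that is neither the report's bash test above nor gh-aw's own code: a Python static check in the same spirit, generalized to every job that receives GH_AW_FAILURE_REPORT_AS_ISSUE rather than only the conclusion job, and aware of a scalar permissions: write-all. Both workflow texts are constructed for the example (they are not the real gh-aw-pr-review.lock.yml), the small indentation walker only understands the mapping shapes those texts use, and inherited workflow-level permissions are deliberately not resolved: a job without its own permissions block counts as not granted.

```python
"""Static regression check: when report-failure-as-issue defaults to true, every job
handed GH_AW_FAILURE_REPORT_AS_ISSUE must be able to create issues. Added example,
not gh-aw's code; both workflow texts below are constructed, not the real lock file."""
import re

# Constructed stand-in for the weak shape: default on, flag passed, no issues: write.
WEAK_WORKFLOW = """\
on:
  workflow_dispatch:
    inputs:
      report-failure-as-issue:
        type: boolean
        default: true
jobs:
  agent:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - run: echo agent
  conclusion:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - name: Report failure
        env:
          GH_AW_FAILURE_REPORT_AS_ISSUE: ${{ inputs.report-failure-as-issue && 'true' || 'false' }}
        run: echo report
"""
# Same workflow with the suggested fix applied to the conclusion job.
FIXED_WORKFLOW = WEAK_WORKFLOW.replace(
    "      pull-requests: write\n", "      pull-requests: write\n      issues: write\n")
ENV_RE = re.compile(r"GH_AW_FAILURE_REPORT_AS_ISSUE:.*inputs\.report-failure-as-issue")

def _indent(line):
    return len(line) - len(line.lstrip(" "))

def _find(lines, key):
    """Find `key:` at the shallowest indent of `lines` -> (scalar value, nested lines) or None."""
    body = [l for l in lines if l.strip()]
    if not body:
        return None
    level = min(_indent(l) for l in body)
    value, nested, key_indent = None, [], None
    for line in body:
        ind = _indent(line)
        if key_indent is not None:
            if ind <= key_indent:
                break
            nested.append(line)
        elif ind == level:
            k, _, v = line.strip().partition(":")
            if k == key:
                key_indent, value = ind, v.strip()
    return None if key_indent is None else (value, nested)

def _path(text, *keys):
    """Follow a chain of mapping keys down from the document root."""
    value, lines = "", text.splitlines()
    for key in keys:
        hit = _find(lines, key)
        if hit is None:
            return None
        value, lines = hit
    return value, lines

def failure_issue_default_on(text):
    hit = _path(text, "on", "workflow_dispatch", "inputs", "report-failure-as-issue", "default")
    return hit is not None and hit[0] == "true"

def job_names(text):
    hit = _path(text, "jobs")
    if not hit or not hit[1]:
        return []
    level = min(_indent(l) for l in hit[1])
    return [l.strip()[:-1] for l in hit[1] if _indent(l) == level and l.strip().endswith(":")]

def job_receives_failure_flag(text, job):
    hit = _path(text, "jobs", job)
    return hit is not None and any(ENV_RE.search(l) for l in hit[1])

def job_can_write_issues(text, job):
    # Only the job's own block is consulted; a missing block counts as not granted
    # (inherited workflow-level permissions are deliberately not resolved here).
    hit = _path(text, "jobs", job, "permissions")
    if hit is None:
        return False
    value, lines = hit
    return value == "write-all" or any(re.fullmatch(r"issues:\s*write", l.strip()) for l in lines)

def failure_report_violations(text):
    """Jobs handed the flag while the default is on but unable to create issues."""
    if not failure_issue_default_on(text):
        return []
    return [j for j in job_names(text)
            if job_receives_failure_flag(text, j) and not job_can_write_issues(text, j)]
```

Pointed at a lock file with failure_report_violations(open(path).read()), a non-empty list names the jobs to fix; a CI step can turn that into a non-zero exit status so the regression is caught at compile time rather than when the first failure report silently fails to open an issue.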

From workflow: Trigger Bug Hunter

  • expires on Jul 7, 2026, 12:06 PM UTC
