Impact
`gh-aw-pr-review.lock.yml` defaults `report-failure-as-issue` to `true`, but its `conclusion` job only grants `contents: read` and `pull-requests: write`. When the agent fails and the conclusion path tries to report that failure as a GitHub issue, the job token cannot create the issue, so users lose the advertised/default failure report.
Reproduction Steps
- Save this script as `/tmp/gh-aw/agent/repro_pr_review_failure_issue_permission.sh` in a checkout of this repository.
- Run `bash /tmp/gh-aw/agent/repro_pr_review_failure_issue_permission.sh`.
Expected vs Actual
Expected: A workflow that defaults failure issue reporting on and passes `GH_AW_FAILURE_REPORT_AS_ISSUE` should grant `issues: write` to the `conclusion` job.
Actual: The `conclusion` job lacks `issues: write`:

```text
report-failure-as-issue default true: true
conclusion passes GH_AW_FAILURE_REPORT_AS_ISSUE: true
conclusion permissions include issues: write: false
FAIL: gh-aw-pr-review defaults failure issue reporting on, but the conclusion job cannot write issues.
```
Failing Test
```bash
#!/usr/bin/env bash
# Checks gh-aw-pr-review.lock.yml for the permission mismatch described above.
# Defaults to the lock file in the current checkout; pass another path as $1.
set -euo pipefail
wf="${1:-.github/workflows/gh-aw-pr-review.lock.yml}"
has_default_report_issue=false
has_report_env=false
has_conclusion_issue_write=false

# 1. Does the report-failure-as-issue input default to true?
if awk '
  /report-failure-as-issue:/ { in_input=1; next }
  in_input && /^[[:space:]]+[[:alnum:]_-]+:/ && $1 != "description:" && $1 != "type:" && $1 != "required:" && $1 != "default:" { in_input=0 }
  in_input && /default:[[:space:]]+true/ { found=1 }
  END { exit(found ? 0 : 1) }
' "$wf"; then
  has_default_report_issue=true
fi

# 2. Is the input forwarded to the reporting step as GH_AW_FAILURE_REPORT_AS_ISSUE?
if grep -q 'GH_AW_FAILURE_REPORT_AS_ISSUE:.*inputs.report-failure-as-issue' "$wf"; then
  has_report_env=true
fi

# 3. Does the conclusion job's own permissions block grant issues: write?
# Indentation follows the generated lock file: jobs at 2 spaces, job keys at 4
# (the single-space patterns in the extracted copy never matched a real job line).
if awk '
  /^  conclusion:/ { in_conclusion=1; next }
  in_conclusion && /^  [^[:space:]][^:]*:/ { in_conclusion=0 }
  in_conclusion && /^    permissions:/ { in_permissions=1; next }
  in_permissions && /^    [^[:space:]][^:]*:/ { in_permissions=0 }
  in_permissions && /^[[:space:]]+issues:[[:space:]]+write/ { found=1 }
  END { exit(found ? 0 : 1) }
' "$wf"; then
  has_conclusion_issue_write=true
fi

printf 'report-failure-as-issue default true: %s\n' "$has_default_report_issue"
printf 'conclusion passes GH_AW_FAILURE_REPORT_AS_ISSUE: %s\n' "$has_report_env"
printf 'conclusion permissions include issues: write: %s\n' "$has_conclusion_issue_write"
if [[ "$has_default_report_issue" == true && "$has_report_env" == true && "$has_conclusion_issue_write" != true ]]; then
  echo 'FAIL: gh-aw-pr-review defaults failure issue reporting on, but the conclusion job cannot write issues.'
  exit 1
fi
echo PASS
```
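As an added example (not part of this report or of the gh-aw project), a Python check that resolves each job's effective GITHUB_TOKEN scopes (a job-level `permissions` block replaces the workflow-level one entirely; `read-all`/`write-all` shorthands are expanded) and flags every job that is handed `GH_AW_FAILURE_REPORT_AS_ISSUE` without `issues: write`, so the check covers all jobs rather than only `conclusion`. The workflow dict is a constructed stand-in for the parsed lock file; step contents are assumed and the `on` key is kept as a string.

```python
# Constructed stand-in for the parsed gh-aw-pr-review.lock.yml (the shape yaml.safe_load
# returns). Job and input names mirror the report; step contents are assumed.
WORKFLOW = {
    "on": {"workflow_dispatch": {"inputs": {
        "report-failure-as-issue": {"type": "boolean", "default": True}}}},
    "permissions": {"contents": "read"},
    "jobs": {
        "agent": {"permissions": {"contents": "read", "pull-requests": "write"},
                  "steps": [{"run": "echo agent"}]},
        "conclusion": {
            "needs": ["agent"],
            "permissions": {"contents": "read", "pull-requests": "write"},
            "steps": [{"run": "node report.js", "env": {
                "GH_AW_FAILURE_REPORT_AS_ISSUE":
                    "${{ inputs.report-failure-as-issue && 'true' || 'false' }}"}}],
        },
    },
}

def effective_permissions(workflow, job):
    """Resolve the GITHUB_TOKEN scopes a job actually gets: a job-level `permissions`
    block replaces the workflow-level block entirely; with none of its own, the job
    inherits the workflow-level one. `read-all`/`write-all` are expanded for the
    scopes used here."""
    perms = job.get("permissions", workflow.get("permissions"))
    if perms is None:
        return {}  # repository default token settings apply; not visible in the YAML
    if isinstance(perms, str):
        level = "write" if perms == "write-all" else "read"
        return {scope: level for scope in ("contents", "issues", "pull-requests")}
    return dict(perms)

def job_passes_flag(job, var="GH_AW_FAILURE_REPORT_AS_ISSUE"):
    """True if job-level or step-level env hands the failure-report flag to a step."""
    envs = [job.get("env", {})] + [step.get("env", {}) for step in job.get("steps", [])]
    return any(var in env for env in envs)

def find_permission_gaps(workflow):
    """Names of jobs that receive the flag while the input defaults to true but whose
    token cannot create issues, i.e. the mismatch this report describes."""
    inputs = workflow["on"]["workflow_dispatch"]["inputs"]
    if inputs["report-failure-as-issue"].get("default") is not True:
        return []
    return [name for name, job in workflow["jobs"].items()
            if job_passes_flag(job)
            and effective_permissions(workflow, job).get("issues") != "write"]

if __name__ == "__main__":
    print("jobs missing issues: write:", find_permission_gaps(WORKFLOW))
```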
Evidence
- `.github/workflows/gh-aw-pr-review.md:68-72` defines `report-failure-as-issue` with `default: true`.
- `.github/workflows/gh-aw-pr-review.lock.yml:1588` passes `GH_AW_FAILURE_REPORT_AS_ISSUE: ${{ inputs.report-failure-as-issue && 'true' || 'false' }}` into the conclusion reporting path.
- `.github/workflows/gh-aw-pr-review.lock.yml:1355-1367` defines the `conclusion` job with only `contents: read` and `pull-requests: write`, so issue creation is not permitted.
Suggested Actions
- Grant `issues: write` to the PR Review `conclusion` job permissions when failure reporting as issues is enabled/defaulted.
What is this? | From workflow: Trigger Bug Hunter