bug: activation job fails with 403 on add_reaction step for pull_request triggers

[lpcox]

Problem

The activation job in compiled workflows fails when triggered by pull_request events. The add_reaction step attempts to add a 🚀 reaction to the PR but gets a 403: Resource not accessible by integration error, which causes the entire activation job to fail and skips all downstream jobs (agent, safe_outputs, conclusion).

Reproduction

1. Any workflow compiled with gh-aw v0.68.5 that triggers on pull_request
2. Open a PR to trigger the workflow
3. Activation job fails at the "Add reaction" step

Error

POST /repos/github/gh-aw-firewall/issues/2034/reactions - 403
##[error]Failed to add reaction: Resource not accessible by integration
##[error]ERR_API: Failed to add reaction: Resource not accessible by integration

Root Cause

The pull_request event provides a read-only GITHUB_TOKEN by default. The add_reaction.cjs step requires write access to the issues/reactions API, which is not available with the default pull_request token permissions.

Workflows triggered by pull_request_target, issue_comment, or workflow_dispatch have sufficient permissions, but pull_request does not.

Expected Behavior

The activation job should not fail due to a cosmetic reaction step. Options:

1. Make the reaction step non-fatal (continue-on-error)
2. Skip the reaction step when the token lacks sufficient permissions
3. Gate the reaction step on the event type (skip for pull_request)

Environment

• gh-aw version: v0.68.5
• Example failed run: https://github.com/github/gh-aw-firewall/actions/runs/24522612937/job/71684200953
• Workflow: Smoke Copilot BYOK (smoke-copilot-byok.lock.yml)
• Trigger: pull_request

[lpcox]

@pelikhan fyi

[pelikhan]

Right there was a change to support status-comment coarser permissions

[pelikhan]

@copilot provide the same configuration as status-comment for selecting targets and compute permissions in activation job based on those options (status-comment + reaction).