## Summary

The activation job's `pull-requests: write` permission fix (#26720, merged Apr 16) only covers `pull_request` event triggers. When using `slash_command:` (which compiles to `issue_comment`), the activation job still lacks `pull-requests: write`, causing the reaction step to fail with 403 on PR comments.
## Reproduction

- Create a workflow with a slash command trigger on PR comments:

  ```yaml
  on:
    slash_command:
      name: review
      events: [pull_request_comment]
  ```

- Compile with `gh aw compile` (tested v0.71.0 and v0.71.1)
- Post `/review` as a comment on a pull request
- The activation job fails at the reaction step:

  ```text
  POST /repos/{owner}/{repo}/issues/comments/{id}/reactions - 403
  Resource not accessible by integration
  ```
## Root Cause

The activation job's compiled permissions are:

```yaml
permissions:
  actions: read
  contents: read
  issues: write        # present
  # pull-requests: write   <- MISSING
```

GitHub requires `pull-requests: write` to add reactions to issue comments that are associated with a pull request (even though the API path is `/issues/comments/{id}/reactions`).

PR #26720 fixed this for `pull_request` events, but `slash_command` compiles to `issue_comment`, which was not included in the fix. The `events: [pull_request_comment]` filter means the reaction is always on a PR comment.
## Versions Tested

| CLI Version | Activation has `pull-requests: write`? | Reaction works? |
|---|---|---|
| v0.62.2 | ✅ Yes (broad grants) | ✅ |
| v0.68.3 | ✅ Yes (broad grants) | ✅ |
| v0.69.3+ | ❌ No | ❌ 403 |
| v0.71.0 | ❌ No | ❌ 403 |
| v0.71.1 | ❌ No | ❌ 403 |
## Expected Behavior

When a `slash_command` trigger includes `events: [pull_request_comment]` (or the default, which includes PR comments), the compiler should add `pull-requests: write` to the activation job, using the same logic as the `pull_request` event fix in #26720.
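The rule described above, expressed as a small lint that compares a workflow's trigger block against the permissions its activation job was compiled with. This is an added example, not gh-aw's own compiler code: the trigger and permission dicts are constructed to match the report, the event name `pull_request_comment` and the default-includes-PR-comments behaviour come from the issue text, and treating every other event name as a non-PR comment event is an assumption.

```python
"""Lint check: does a compiled gh-aw activation job carry the permissions its
trigger needs for the reaction step?  Added example, not gh-aw's own code."""

# GitHub Actions token scope levels in increasing order of privilege.
LEVELS = {"none": 0, "read": 1, "write": 2}


def required_reaction_permissions(frontmatter: dict) -> dict:
    """Permissions the activation job needs to add a reaction, given the
    workflow's `on:` block.

    - `pull_request` triggers need `pull-requests: write` (the #26720 rule).
    - `slash_command` / `issue_comment` triggers need `issues: write` for
      reactions on plain issue comments, and additionally `pull-requests: write`
      when the comment can be on a PR: either `events:` lists
      `pull_request_comment` (name from the issue) or `events:` is absent, which
      the issue says defaults to including PR comments.
    Any other event name is assumed here to be a non-PR comment event.
    """
    required = {}
    on = frontmatter.get("on", {})
    if "pull_request" in on:
        required["pull-requests"] = "write"
    if "slash_command" in on or "issue_comment" in on:
        required["issues"] = "write"
        cmd = on.get("slash_command") or on.get("issue_comment") or {}
        events = cmd.get("events") if isinstance(cmd, dict) else None
        if events is None or "pull_request_comment" in events:
            required["pull-requests"] = "write"
    return required


def missing_permissions(compiled: dict, frontmatter: dict) -> dict:
    """Return {scope: needed_level} for every scope that the compiled
    activation job grants below the level the trigger requires.
    A `read` grant does not satisfy a `write` requirement."""
    missing = {}
    for scope, needed in required_reaction_permissions(frontmatter).items():
        granted = compiled.get(scope, "none")
        if LEVELS.get(granted, 0) < LEVELS[needed]:
            missing[scope] = needed
    return missing


# Constructed sample input: the trigger from the report and the permissions
# the activation job compiled to (issues: write present, pull-requests absent).
REPORTED_FRONTMATTER = {
    "on": {"slash_command": {"name": "review", "events": ["pull_request_comment"]}}
}
REPORTED_ACTIVATION_PERMISSIONS = {"actions": "read", "contents": "read", "issues": "write"}

if __name__ == "__main__":
    print(missing_permissions(REPORTED_ACTIVATION_PERMISSIONS, REPORTED_FRONTMATTER))
    # {'pull-requests': 'write'}
```

Running it against the report's own inputs flags `pull-requests: write` as missing, while a trigger whose `events:` contains no PR comment event passes with `issues: write` alone.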
## Workaround

Use v0.68.3 (`gh extension install github/gh-aw --pin v0.68.3`), which still uses the broad permission grants. The current default version also appears to be v0.68.3 (v0.71.x may have been rolled back).
## Related

- PR #26720: `pull_request` reaction permissions (but not `issue_comment`/`slash_command`)
## Repos Affected

Tested on 3 repos (org + personal), all fail identically:

- `dotnet/maui` (v0.71.0)
- `dotnet/maui-labs` (v0.69.3)
- `PureWeen/PolyPilot` (v0.71.0)