Add FAQ entry for PR creation disabled by organization settings

[Copilot]

Organizations can disable PR creation by GitHub Actions via "Allow GitHub Actions to create and approve pull requests" setting, causing workflows to fail with permission errors. Added FAQ entry documenting three workaround strategies.

Changes

• New FAQ entry in Configuration & Setup section addressing "GitHub Actions is not permitted to create or approve pull requests" error
• Organization setting navigation for users to verify their configuration
• Three workaround options:
  1. Default automatic fallback (requires issues: write)
  2. Direct create-issue with Copilot assignment
  3. Disabled fallback (PR-only, fails gracefully)

Example Workaround

For organizations with PR restrictions, assign issues to Copilot for automated processing:

safe-outputs:
  create-issue:
    assignees: [copilot]              # Assign to Copilot for PR creation
    labels: [automation, enhancement]

Cross-references

• Links to existing safe-outputs documentation explaining fallback-as-issue behavior
• References real-world error from https://github.com/copilot-community-sdk/copilot-sdk-clojure/actions/runs/22013946090

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• telemetry.astro.build
  • Triggering command: /opt/hostedtoolcache/node/24.13.0/x64/bin/node node /home/REDACTED/work/gh-aw/gh-aw/docs/node_modules/.bin/astro build (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

Add entry in the FAQ about the repository setting that disable PR creation by actions.

Explain how to disable or specify using create-issue + assign to copilot as work around.

See example here in safe outputs

Reference: https://github.com/copilot-community-sdk/copilot-sdk-clojure/actions/runs/22013946090/job/63612760306#step:8:1

Custom agent used: technical-doc-writer
AI technical documentation writer for GitHub Actions library using GitHub Docs voice

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull request overview

Adds a new FAQ entry documenting why create-pull-request can fail when an organization/repository disables PR creation by GitHub Actions, and outlines configuration workarounds to keep workflows usable in restricted environments.

Changes:

• Adds an FAQ section explaining the "GitHub Actions is not permitted to create or approve pull requests" failure mode.
• Documents where to find the relevant GitHub Actions “Workflow permissions” setting.
• Describes three workaround strategies: default issue fallback, direct create-issue + Copilot assignment, and disabling fallback.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The intro sentence says "you have two alternatives", but three options are listed below. Also, Option 1 is labeled "Use create-issue with automatic fallback" while the example/config shown is create-pull-request with fallback-as-issue behavior—this heading should match the safe output being configured.

Suggested change

	If you cannot enable PR creation or prefer to keep it disabled for security reasons, you have two alternatives:
	**Option 1: Use create-issue with automatic fallback (default)**
	If you cannot enable PR creation or prefer to keep it disabled for security reasons, you have the following alternatives:
	**Option 1: Use create-pull-request with automatic fallback (default)**

[Copilot]

This section mentions the setting can be disabled via repository or organization settings, but the navigation that follows only references organization settings. Consider including the repository-level path (repo Settings → Actions → General) or rewording the heading to reflect both scopes so readers look in the right place.

Suggested change

	**Organization Setting Location:**
	- Navigate to your organization's **Settings** → **Actions** → **General**
	- Look for **"Workflow permissions"** section
	- Check if **"Allow GitHub Actions to create and approve pull requests"** is disabled
	**Where to change this setting (organization or repository):**
	- At the organization level: Navigate to your organization's **Settings** → **Actions** → **General**
	- Look for the **"Workflow permissions"** section
	- Check if **"Allow GitHub Actions to create and approve pull requests"** is disabled
	- At the repository level: Navigate to the repository's **Settings** → **Actions** → **General**, then check the **"Workflow permissions"** section for **"Allow GitHub Actions to create and approve pull requests"**