Fix activation permissions for pull request reactions

[Copilot]

Summary

• Fix activation permission calculation to require pull-requests: write for reaction steps on pull_request events
• Add a unit test covering pull request reaction permission requirements in activation
• Recompile .github/workflows/smoke-copilot.lock.yml so the workflow now includes pull-requests: write in activation permissions

Validation

• Ran targeted tests:
  • go test -v -run "TestActivationPermissions(PRReviewReactionOnly|PullRequestReactionRequiresPullRequestsWrite|IssueOnlyReactionAndStatusComment|ReactionPullRequestsDisabled)" ./pkg/workflow/
• Ran required formatting and broader validation commands (make fmt, make test-unit, make agent-finish)
  • Note: broader unit suite has pre-existing wasm golden fixture failures (TestWasmGolden_CompileFixtures) unrelated to this change.
• Ran parallel validation:
  • Code Review: no comments
  • CodeQL: timed out (tool reported time budget exhausted)

[Copilot]

Pull request overview

Updates activation permission scoping so workflows that add reactions on pull_request events request the required pull-requests: write scope (in addition to existing reaction-related permissions), and aligns compiled smoke workflow output accordingly.

Changes:

• Update activation permission calculation to add pull-requests: write for reaction steps on pull_request events.
• Add a unit test validating pull_request reaction permission requirements in activation.
• Recompile the smoke workflow lockfile to include pull-requests: write on the activation job.

Show a summary per file

File	Description
pkg/workflow/compiler_activation_job.go	Adjusts activation permissions map to include pull-requests: write when reactions are enabled for pull_request-related events.
pkg/workflow/activation_permissions_scope_test.go	Adds coverage asserting activation job permissions include both issues: write and pull-requests: write for pull_request reaction workflows.
.github/workflows/smoke-copilot.lock.yml	Updates compiled workflow to include pull-requests: write in activation job permissions.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 1

[Copilot]

The new comment/logic adds pull-requests: write for pull_request reactions, but it’s not obvious why that scope is required given PR reactions are posted via the /issues/{number}/reactions endpoint. Consider adding a brief rationale (e.g., GitHub permission model requires pull-requests: write for PR reaction writes despite the issues endpoint) to avoid future refactors removing one of the scopes.

Suggested change

	// Reactions on pull requests and PR review comments require pull-requests:write.
	// GitHub's permission model still requires pull-requests:write when the reaction target is a
	// pull request or PR review comment, even though the reaction is created via issues endpoints.

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	1
✅ Design tests (behavioral contracts)	1 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	1 (100%)
Duplicate test clusters	0
Test inflation detected	⚠️ Yes (31 test lines / 3 production lines ≈ 10:1)
🚨 Coding-guideline violations	None

---

Test Classification Details

Test	File	Classification	Issues Detected
TestActivationPermissionsPullRequestReactionRequiresPullRequestsWrite	pkg/workflow/activation_permissions_scope_test.go:81	✅ Design	None — strong behavioral coverage

---

Flagged Tests — Requires Review

No tests are flagged for quality issues. The test is well-structured and covers the behavioral contract directly.

---

Test Inflation Note

The test added 31 lines while the production fix touched ~3 logic lines (changing hasPullRequestReviewCommentEvent to hasPullRequestEvent || hasPullRequestReviewCommentEvent). This triggers the > 2:1 inflation metric. However, this is expected for end-to-end compiler tests in this codebase — the boilerplate for creating a temp file, running the compiler, and reading the generated lock file accounts for ~25 of the 31 lines. The test is not inflated in spirit.

---

Test Quality Analysis

TestActivationPermissionsPullRequestReactionRequiresPullRequestsWrite verifies that when a pull_request trigger is combined with reaction: eyes, the generated activation job YAML includes both issues: write and pull-requests: write permissions, and explicitly excludes discussions: write. This directly encodes the behavioral contract that was broken by the bug: PR reactions require pull-requests: write (not just issues: write). The test would immediately catch a regression to the old behavior.

• Design invariant: The compiler must grant pull-requests: write when reactions are enabled on pull_request events — a behavioral contract users depend on for correct workflow permissions.
• Value if deleted: High — the exact regression this PR fixes would go undetected.
• Build tag: ✅ //go:build !integration present on line 1.
• Assertion messages: ✅ All assertions include descriptive message arguments.
• Mock libraries: ✅ None — uses real compiler against real file system (project guideline respected).
• Negative assertions (assert.NotContains): ✅ Verifies discussions: write is absent, demonstrating boundary awareness.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 1 test — unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). The single new test is a well-designed end-to-end behavioral test that directly validates the bug fix.

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24532627925

🧪 Test quality analysis by Test Quality Sentinel · ● 994.4K · ◷

[github-actions]

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). The single new test TestActivationPermissionsPullRequestReactionRequiresPullRequestsWrite is a well-designed end-to-end behavioral test that directly validates the bug fix, uses no mock libraries, includes negative assertions to verify permission exclusions, and has proper build tags and assertion messages.