From cc4bd6d9674abad31edb4aefee8decfb52a50f8d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 16 Apr 2026 20:19:03 +0000
Subject: [PATCH 1/2] fix: require pull-request write permission for activation reactions
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3ed08d66-abc5-46fd-8cb2-41a31f827760
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .../activation_permissions_scope_test.go | 31 +++++++++++++++++++
 pkg/workflow/compiler_activation_job.go | 8 ++---
 2 files changed, 34 insertions(+), 5 deletions(-)
diff --git a/pkg/workflow/activation_permissions_scope_test.go b/pkg/workflow/activation_permissions_scope_test.go
index f03db293571..4a400c86dd1 100644
--- a/pkg/workflow/activation_permissions_scope_test.go
+++ b/pkg/workflow/activation_permissions_scope_test.go
@@ -78,6 +78,37 @@ engine: copilot
 assert.NotContains(t, activationJobSection, "discussions: write", "activation job should not include discussions: write for PR review comment reactions")
 }
 
+func TestActivationPermissionsPullRequestReactionRequiresPullRequestsWrite(t *testing.T) {
+ tmpDir := testutil.TempDir(t, "activation-perms-pull-request-reaction")
+ testFile := filepath.Join(tmpDir, "pull-request-reaction.md")
+ testContent := `---
+on:
+ reaction: eyes
+ status-comment: false
+ pull_request:
+ types: [opened]
+engine: copilot
+---
+
+# Pull request reaction permissions
+`
+
+ err := os.WriteFile(testFile, []byte(testContent), 0644)
+ require.NoError(t, err, "failed to write test workflow")
+
+ compiler := NewCompiler()
+ err = compiler.CompileWorkflow(testFile)
+ require.NoError(t, err, "failed to compile workflow")
+
+ lockContent, err := os.ReadFile(stringutil.MarkdownToLockFile(testFile))
+ require.NoError(t, err, "failed to read generated lock file")
+
+ activationJobSection := extractJobSection(string(lockContent), string(constants.ActivationJobName))
+ assert.Contains(t, activationJobSection, "issues: write", "activation job should include issues: write for pull_request reactions")
+ assert.Contains(t, activationJobSection, "pull-requests: write", "activation job should include pull-requests: write for pull_request reactions")
+ assert.NotContains(t, activationJobSection, "discussions: write", "activation job should not include discussions: write for pull_request reactions")
+}
+
 func TestActivationPermissionsReactionPullRequestsDisabled(t *testing.T) {
 tmpDir := testutil.TempDir(t, "activation-perms-reaction-pr-disabled")
 testFile := filepath.Join(tmpDir, "reaction-pr-disabled.md")
diff --git a/pkg/workflow/compiler_activation_job.go b/pkg/workflow/compiler_activation_job.go
index 729f92c8484..751bb94356e 100644
--- a/pkg/workflow/compiler_activation_job.go
+++ b/pkg/workflow/compiler_activation_job.go
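Review bot: The new test pins that `pull-requests: write` is granted for a pull_request reaction, but nothing in this hunk pins the other direction — that a workflow whose only reaction trigger is `issues` or `issue_comment` does not also pick up `pull-requests: write` now that the compiler branch grants it on pull_request events. Unless a sibling test already covers the issues-only case, add a mirror of this test with an `on: issues:` trigger and `assert.NotContains(t, activationJobSection, "pull-requests: write", "activation job should not include pull-requests: write for issue-only reactions")`, so a later regression in the event check cannot widen the activation job's token silently. The test function itself is complete within the hunk.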
@@ -744,17 +744,15 @@ func addActivationInteractionPermissionsMap(
 hasDiscussionCommentEvent := eventSet["discussion_comment"]
 
 if hasReaction {
- // Reactions on issues, issue comments, and pull requests all use issues endpoints.
- // Both issue and pull request reactions require issues:write because PR reactions
- // are created via /issues/{number}/reactions.
+ // Reactions on issues, issue comments, and pull requests use issues endpoints.
 needsIssuesWriteForIssueEvents := reactionIncludesIssues && (hasIssuesEvent || hasIssueCommentEvent)
 needsIssuesWriteForPullRequestEvents := reactionIncludesPullRequests && hasPullRequestEvent
 needsIssuesWriteForReaction := needsIssuesWriteForIssueEvents || needsIssuesWriteForPullRequestEvents
 if needsIssuesWriteForReaction {
 permsMap[PermissionIssues] = PermissionWrite
 }
- // Reactions on PR review comments use pull request review comment endpoints.
- if reactionIncludesPullRequests && hasPullRequestReviewCommentEvent {
+ // Reactions on pull requests and PR review comments require pull-requests:write.
+ if reactionIncludesPullRequests && (hasPullRequestEvent || hasPullRequestReviewCommentEvent) {
 permsMap[PermissionPullRequests] = PermissionWrite
 }
 // Reactions on discussions use GraphQL discussion APIs.
From b822aa6e6d816f1286e8233f0e809deae70ef77a Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 16 Apr 2026 20:30:01 +0000
Subject: [PATCH 2/2] chore: recompile smoke-copilot lock workflow
Agent-Logs-Url: https://github.com/github/gh-aw/sessions/3ed08d66-abc5-46fd-8cb2-41a31f827760
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/smoke-copilot.lock.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
index 5a2d06f260d..b5cb377490e 100644
--- a/.github/workflows/smoke-copilot.lock.yml
+++ b/.github/workflows/smoke-copilot.lock.yml
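Review bot: The replacement comment on the issues:write branch drops the one reason the old comment gave (PR reactions are created via /issues/{number}/reactions), so the hunk no longer explains why a pull_request event now needs both issues:write and pull-requests:write, and the new `if reactionIncludesPullRequests && (hasPullRequestEvent || hasPullRequestReviewCommentEvent)` branch does not say either. I would replace the new comment with `// PR reactions are created via /issues/{number}/reactions; GITHUB_TOKEN gates that call on pull-requests:write` followed by `// when the number is a PR, so pull_request events need both issues:write and pull-requests:write.` Since this widens the activation job's token for every reaction-on-PR workflow, it is worth confirming against the API docs whether issues:write is still required when the target is a PR — if pull-requests:write alone suffices, `needsIssuesWriteForPullRequestEvents` is an over-grant and could be dropped. addActivationInteractionPermissionsMap starts and ends outside the hunk.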
@@ -96,6 +96,7 @@ jobs:
 actions: read
 contents: read
 issues: write
+ pull-requests: write
 outputs:
 comment_id: ${{ steps.add-comment.outputs.comment-id }}
 comment_repo: ${{ steps.add-comment.outputs.comment-repo }}