From ff5784fc5eff172199e29b23142cf3f4c8bbc9ee Mon Sep 17 00:00:00 2001
From: Zbigniew Sobiecki
Date: Mon, 16 Feb 2026 19:44:24 +0000
Subject: [PATCH] fix: use review agent token for actions API in check-suite-success trigger
The check-suite-success trigger calls getCheckSuiteStatus() which hits the Actions API (workflow runs endpoint). The default project GITHUB_TOKEN is a fine-grained PAT that lacks the actions permission, causing a 403. Use the review agent's credential override (classic PAT with repo scope) for this call, since the trigger already resolves it for the review identity check.
Co-Authored-By: Claude Opus 4.6
---
 src/triggers/github/check-suite-success.ts | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/triggers/github/check-suite-success.ts b/src/triggers/github/check-suite-success.ts
index 0e840ad2..2c0f5fbd 100644
--- a/src/triggers/github/check-suite-success.ts
+++ b/src/triggers/github/check-suite-success.ts
@@ -1,5 +1,10 @@
 import { getAgentCredential } from '../../config/provider.js';
-import { getAuthenticatedUser, getGitHubUserForToken, githubClient } from '../../github/client.js';
+import {
+ getAuthenticatedUser,
+ getGitHubUserForToken,
+ githubClient,
+ withGitHubToken,
+} from '../../github/client.js';
 import type { TriggerContext, TriggerHandler, TriggerResult } from '../../types/index.js';
 import { logger } from '../../utils/logging.js';
 import { type GitHubCheckSuitePayload, isGitHubCheckSuitePayload } from './types.js';
@@ -100,7 +105,12 @@ export class CheckSuiteSuccessTrigger implements TriggerHandler {
 }
 // Verify all checks are actually passing (double-check)
- const checkStatus = await githubClient.getCheckSuiteStatus(owner, repo, headSha);
+ // Use the review agent's token if available, since the default project token
+ // may lack actions:read permission (fine-grained PATs need it explicitly).
+ const fetchCheckStatus = () => githubClient.getCheckSuiteStatus(owner, repo, headSha);
+ const checkStatus = agentGitHubToken
+ ? await withGitHubToken(agentGitHubToken, fetchCheckStatus)
+ : await fetchCheckStatus();
 if (!checkStatus.allPassing) {
 logger.info('Not all checks passing, skipping review trigger', {
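Review bot: The read-only `getCheckSuiteStatus` call in this hunk now runs under the review agent's token whenever `agentGitHubToken` is set, and the commit message describes that token as a classic PAT with `repo` scope, which is far broader than the single permission the call needs. Granting the fine-grained project token read access to Actions would resolve the 403 without routing a status check through the wider credential; if the override stays, record the trade-off next to it, e.g. `// TODO: drop this override once the project token has actions:read; the agent PAT is repo-scoped`. How `withGitHubToken` scopes the override is not visible here, so it is worth confirming that it applies per call rather than swapping the token on the shared `githubClient`, since concurrent triggers could otherwise run under each other's credential. `agentGitHubToken` is resolved earlier in the method, outside the hunk, and the method body continues past the hunk's last line.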