Skip to content

fix: surface pull-requests permission failure instead of silently exiting 0#1165

Open
qozle wants to merge 1 commit intoanthropics:mainfrom
qozle:fix/review-workflow-permissions-silent-403
Open

fix: surface pull-requests permission failure instead of silently exiting 0#1165
qozle wants to merge 1 commit intoanthropics:mainfrom
qozle:fix/review-workflow-permissions-silent-403

Conversation

@qozle
Copy link
Copy Markdown
Contributor

@qozle qozle commented Apr 4, 2026

Problem

Two compounding bugs that result in the code review action running successfully but silently posting no output anywhere — green check, zero comments, no indication anything went wrong.

Bug 1: Example workflows have wrong permissions

examples/pr-review-filtered-authors.yml and examples/pr-review-filtered-paths.yml both specify:

permissions:
  pull-requests: read   # ← wrong

Posting review comments requires pull-requests: write. Users copying these templates hit silent failures with no diagnostic.

Bug 2: Action exits 0 when Claude can't post comments (403)

When Claude calls create_inline_comment and receives a 403, the MCP server already returns { isError: true }. But Claude still concludes subtype: "success" because from its perspective it "attempted the task." The action trusts subtype as the sole success signal:

const isSuccess = resultMessage.subtype === "success";
result.conclusion = isSuccess ? "success" : "failure";

Result: green check, zero review comments, no feedback.

Fix

Bug 1: Change pull-requests: readwrite in both example files.

Bug 2 — two-part fix:

Part A — add a 403-specific helpMessage to github-inline-comment-server.ts so Claude's response includes actionable guidance:

This error means the workflow token lacks permission to post review comments. Add pull-requests: write to your workflow's permissions block.

Part B — after runClaude() returns "success", scan the execution file for tool_result items with is_error: true and the text "Resource not accessible by integration" (GitHub's canonical error for this permission class). If any are found, override the conclusion to failure with an actionable message:

Claude attempted to post 5 review comment(s) but received a GitHub permission error.
Add `pull-requests: write` to your workflow's permissions block:

  permissions:
    pull-requests: write

The string "Resource not accessible by integration" is unambiguous — it's the specific Octokit error for GitHub Apps integration permission failures, not a general 403. The scan is a no-op when the execution file is absent or contains no such errors.

Fixes #1121

@qozle @claude
fix: surface pull-requests permission failure instead of silently exi…
a42fa48 
…ting 0

Two compounding bugs that cause code review to silently produce no output.

Bug 1 — wrong permissions in example workflows:
  examples/pr-review-filtered-authors.yml and examples/pr-review-filtered-paths.yml
  both had `pull-requests: read`. Posting review comments requires `write`.
  Users copying these templates would get silent failures with no indication
  anything went wrong.

Bug 2 — action exits 0 when Claude can't post review comments:
  When Claude calls create_inline_comment and receives a 403, the MCP server
  already returns { isError: true }, but Claude still concludes subtype:
  "success" because from its perspective it "attempted the task". The action
  trusts subtype as the sole success signal and exits 0, showing a green check
  while every attempted review comment was silently dropped.

  Fix A: add a 403-specific helpMessage in github-inline-comment-server.ts
  that tells the user exactly what permission to add. This surfaces the fix
  in Claude's response and the action logs.

  Fix B: after runClaude() returns "success", scan the execution file for
  tool_result items with is_error:true and "Resource not accessible by
  integration" (GitHub's canonical error for this permission class). If any
  are found, override claudeSuccess=false and call core.setFailed() with an
  actionable message including the comment count and the exact YAML to add.

  The detection is scoped to the canonical GitHub Apps permission error string
  — no ambiguity with other 403 scenarios.

Fixes anthropics#1121

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

claude-code-review workflow template generates insufficient permissions; action silently swallows write failure

1 participant

@qozle