Copilot AI commented Jan 28, 2026

Fix campaign label permissions for update_project handler

  • Explore repository and understand the issue
  • Locate the code adding campaign labels (update_project.cjs:815)
  • Identify current permissions (contents: read, organization-projects: write)
  • Add issues: write permission to NewPermissionsContentsReadProjectsWrite()
  • Create test for the permission change
  • Rebuild the binary and recompile workflows
  • Run full validation (make agent-finish)
  • Verify the fix
  • Merge main branch and recompile

Issue Summary

The update_project safe output handler attempts to add campaign labels to issues but fails with "Resource not accessible by personal access token" because the job only has contents: read and organization-projects: write permissions, lacking the required issues: write permission.

Solution Implemented

Updated NewPermissionsContentsReadProjectsWrite() function in pkg/workflow/permissions.go to include issues: write permission. This ensures the safe_outputs job has the necessary permissions to add campaign labels to issues during project updates.

Changes Made

  1. pkg/workflow/permissions.go: Added PermissionIssues: PermissionWrite to the permissions map
  2. pkg/workflow/permissions_project_test.go: Created test to verify the permission is correctly set
  3. All .lock.yml workflows: Recompiled to apply the new permission (issues: write now appears in safe_outputs job permissions)
  4. Merged main branch: Incorporated latest changes from main and recompiled all workflows

Verification

✅ The safe_outputs job in security-alert-burndown.lock.yml now has:

  • contents: read
  • issues: write

✅ All tests pass
✅ All linting checks pass
✅ Successfully merged with main branch
✅ All 141 workflows recompiled successfully

The campaign labels will now be successfully added to issues during project updates without permission errors.

Original prompt

This section details the original issue you should resolve

<issue_title>[Code Quality] Fix campaign label permissions for update_project handler</issue_title>
<issue_description>## Description

The safe output update_project handler is failing to add campaign labels to issues due to insufficient GitHub token permissions. This results in warnings appearing in workflow logs and affects issue organization and campaign tracking.

Current Issue

Warning message appearing in logs:

##[warning]Failed to add campaign label: Resource not accessible by personal access token

Root Cause:
The GitHub personal access token lacks the necessary permissions to add labels to issues. The update_project handler attempts to add campaign labels as part of project updates, but this operation fails silently with a warning.

Impact

  • Campaign labels are not being added to issues during project updates
  • Issue organization and campaign tracking is incomplete
  • Safe output processing continues successfully (non-blocking warning)
  • Affects the Security Alert Burndown workflow and similar workflows

Suggested Solutions

Option A: Update Token Permissions (Recommended)

Update the workflow permissions to include label management:

permissions:
  issues: write
  projects: write
  contents: read

Option B: Graceful Degradation

Modify the safe output handler to catch permission errors gracefully:

try {
  await addCampaignLabel(issue);
} catch (error) {
  if (error.message.includes('Resource not accessible')) {
    core.info('Skipping campaign label - insufficient permissions');
  } else {
    throw error;
  }
}

Files Affected

  • Workflow YAML files using update_project safe output (e.g., Security Alert Burndown)
  • OR: pkg/workflow/js/safe_outputs_handlers.cjs (if implementing graceful degradation)

Success Criteria

  • Campaign labels are successfully added to issues during project updates
  • OR: Handler gracefully skips label addition with informative logging
  • No warnings appear in safe output job logs for label operations
  • Project updates continue to succeed regardless of label operation outcome

Affected Workflows

  • Security Alert Burndown (workflow_dispatch event)
  • Any workflow using update_project safe output that needs campaign labels

Source

Extracted from Safe Output Health Report discussion githubnext/gh-aw#12131

Priority

Medium - Prevents proper campaign tracking but doesn't block workflow execution.

Affected Run

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 11, 2026, 5:10 AM UTC

Comments on the Issue (you are @copilot in this section)
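The permission gap described above can be caught before a workflow runs by comparing what a job is granted with what its handlers need. The following Go sketch is an added example, not code from this pull request or from the gh-aw project: the operation names, the `required` table and `Audit` are hypothetical, the scope names are the ones quoted in the thread, and the pairing of each operation with a scope is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// rank orders permission levels; a scope that is not granted ranks as none.
var rank = map[string]int{"none": 0, "read": 1, "write": 2}

// required maps hypothetical operation names to the {scope, level} each is assumed to need.
var required = map[string][2]string{
	"read_repo":          {"contents", "read"},
	"update_project":     {"organization-projects", "write"},
	"add_campaign_label": {"issues", "write"},
}

// Audit returns sorted findings: missing grants, excess grants, unknown operations.
func Audit(granted map[string]string, ops []string) (findings []string) {
	need := map[string]string{}
	for _, op := range ops {
		r, ok := required[op]
		if !ok { // fail closed: an unmapped operation is reported, not ignored
			findings = append(findings, "unknown operation "+op)
		} else if rank[r[1]] > rank[need[r[0]]] {
			need[r[0]] = r[1] // keep the highest level any operation asks for
		}
	}
	for scope, level := range need {
		if rank[granted[scope]] < rank[level] {
			findings = append(findings, "missing "+scope+": "+level)
		}
	}
	for scope, level := range granted {
		if rank[level] > rank[need[scope]] {
			findings = append(findings, "excess "+scope+": "+level)
		}
	}
	sort.Strings(findings)
	return findings
}

func main() {
	// Constructed permission sets mirroring the job before and after the change.
	ops := []string{"read_repo", "update_project", "add_campaign_label"}
	before := map[string]string{"contents": "read", "organization-projects": "write"}
	after := map[string]string{"contents": "read", "organization-projects": "write", "issues": "write"}
	fmt.Println("before:", Audit(before, ops))
	fmt.Println("after: ", Audit(after, ops))
}
```

The same check run with an operation list that omits `add_campaign_label` reports `issues: write` as excess, which is the least-privilege side of widening a shared permission set.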



Copilot AI and others added 2 commits January 28, 2026 07:13
- Updated NewPermissionsContentsReadProjectsWrite() to include issues:write
- Added test for the permission function
- Recompiled all workflows to apply the permission change

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix campaign label permissions for update_project handler" to "Add issues:write permission for campaign label management in update_project" Jan 28, 2026
Copilot AI requested a review from pelikhan January 28, 2026 07:23
@pelikhan pelikhan marked this pull request as ready for review January 28, 2026 13:55
@pelikhan

@copilot merge main recompile

…label-permissions-again

# Conflicts:
#	.github/workflows/security-alert-burndown.campaign.g.lock.yml

Copilot AI commented Jan 28, 2026

@copilot merge main recompile

Merged main branch and recompiled all workflows successfully in commit e04ccb0.

  • Resolved conflict with deleted security-alert-burndown.campaign.g.lock.yml
  • Recompiled 141 workflows successfully
  • Verified issues: write permission is preserved in safe_outputs job

Copilot AI requested a review from pelikhan January 28, 2026 14:05
@pelikhan pelikhan closed this Jan 28, 2026