Skip to content

Grant contents: read in Constitutional Scan workflow to unblock PR threat-report comments#19

Merged
waren23greg-stack merged 2 commits into
mainfrom
copilot/update-permissions-for-github-script
May 10, 2026
Merged

Grant contents: read in Constitutional Scan workflow to unblock PR threat-report comments#19
waren23greg-stack merged 2 commits into
mainfrom
copilot/update-permissions-for-github-script

Conversation

Copilot AI commented May 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

The Constitutional Scan workflow was failing in the PR comment step with HttpError: Resource not accessible by integration. The workflow token permissions were incomplete for the actions/github-script API call path used to post threat reports.

  • What changed

    • Workflow permissions
      • Updated .github/workflows/mistcoder-scan.yml to include repository read scope required by the integration.

  • Why this addresses the failure

    • PR comment step compatibility
      • github.rest.issues.createComment() in Post threat report to PR now runs with the required token scope during pull_request events.
permissions:
  pull-requests: write
  issues: write
  contents: read
Original prompt

Problem

The MISTCODER Constitutional Scan workflow is failing with the error:

##[error]Unhandled error: HttpError: Resource not accessible by integration

This occurs in the "Post threat report to PR" step (line 125-175) when the actions/github-script@v7 action attempts to create a comment on pull requests.

Root Cause

The workflow's permissions block is missing the contents: read permission, which is required for the GitHub API integration to authenticate and interact with the repository.

Current permissions:

permissions:
  pull-requests: write
  issues: write

Solution

Add contents: read to the permissions block to grant the necessary access for the GitHub Script action to function properly.

Updated permissions:

permissions:
  pull-requests: write
  issues: write
  contents: read

This will allow the github.rest.issues.createComment() call in the PR comment step to execute successfully.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: Please find a solution for this failing job. Use the logs, job definition, and any referenced files where the failure occurred. Keep your response focused on the solution and include code suggestions when appropriate.

Assistant: I'll retrieve the job logs to identify the failure and provide a solution.

Assistant: Now let me get the workflow file to understand the job definition:

Assistant: ## Solution for Failing Job

The job is failing with the error:

##[error]Unhandled error: HttpError: Resource not accessible by integration

Root Cause: The workflow is missing the required GitHub token permission to comment on pull requests. The Post threat report to PR step (line 125-175) uses actions/github-script@v7 to create PR comments, but the workflow lacks the necessary contents: read permission.

Fix: Update the permissions section in .github/workflows/mistcoder-scan.yml:

permissions:
  pull-requests: write
  issues: write
  contents: read  # ← ADD THIS LINE

The workflow needs contents: read permission for the GitHub Script action to access repository information and successfully create comments. Currently, it only has pull-requests: write and issues: write, which is insufficient for the integration to authenticate properly.

Additional Note: The Post threat report to PR step also has a condition if: always() && github.event_name == 'pull_request' (line 126), which is correct—it only runs on PRs where the github-script action has the necessary context to post comments.

Apply the permission change above and rerun the workflow. The PR comment posting should succeed once the contents: read permission is granted.

User: assign agent to correct and PR after

Assistant: Now I'll create a PR to fix the missing contents: read permission:

Assistant: Perfect! I've assigned the coding agent to create a pull request that fixes the GitHub API permission error in your MISTCODER workflow. The agent will:

  1. Add the missing contents: read permission to the workflow's permissions block
  2. Create a PR with the fix applied to .github/workflows/mistcoder-scan.yml

This resolves the "Resource not accessible by integration" error that was preventing the PR comment from being posted. The workflow will now have the necessary permissions to authenticate and create comments on pull requests.

This pull request was created from Copilot chat.

Copilot AI changed the title [WIP] Fix workflow error by updating permissions for GitHub Script Grant contents: read in Constitutional Scan workflow to unblock PR threat-report comments May 10, 2026
Copilot AI requested a review from waren23greg-stack May 10, 2026 12:34
@github-actions

github-actions Bot commented May 10, 2026

Copy link
Copy Markdown

MISTCODER

MISTCODER Constitutional Scan — Trinity Report

🟢 COVENANT VERDICT: CERTIFIED CLEAR

Scan details:

MISTCODER — Know your attack surface before the adversary does.
PHANTOM simulates · ORACLE challenges · COVENANT certifies

@waren23greg-stack waren23greg-stack marked this pull request as ready for review May 10, 2026 12:37
@waren23greg-stack waren23greg-stack merged commit 1c15248 into main May 10, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@waren23greg-stack waren23greg-stack Awaiting requested review from waren23greg-stack

Assignees

Copilot code review Copilot

@waren23greg-stack waren23greg-stack

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@waren23greg-stack