Problem
assertTrustedCheckoutRuntime() in actions/setup/js/checkout_pr_branch.cjs calls getCollaboratorPermissionLevel with context.actor, which resolves to "Copilot" for Copilot-authored PRs. Since Copilot is an app (not a regular GitHub user), the API returns 404:
GET /repos/github/gh-aw-firewall/collaborators/Copilot/permission - 404
Error: Copilot is not a user
This causes the checkout step to fail for all Copilot-authored PRs.
Failing run
https://github.com/github/gh-aw-firewall/actions/runs/27211514662/job/80359993434?pr=4586
Relevant code
actions/setup/js/checkout_pr_branch.cjs lines 132-136:
const { data: permissionData } = await github.rest.repos.getCollaboratorPermissionLevel({
owner: context.repo.owner,
repo: context.repo.repo,
username: actor,
});Suggested fix
Handle 404 from the collaborators API for bot/app actors (e.g. Copilot, dependabot[bot]), either by:
- Catching 404 and treating known trusted app actors as permitted
- Checking
context.payload.sender?.type for "Bot" or "Mannequin" before calling the API
Problem
assertTrustedCheckoutRuntime()inactions/setup/js/checkout_pr_branch.cjscallsgetCollaboratorPermissionLevelwithcontext.actor, which resolves to"Copilot"for Copilot-authored PRs. Since Copilot is an app (not a regular GitHub user), the API returns 404:This causes the checkout step to fail for all Copilot-authored PRs.
Failing run
https://github.com/github/gh-aw-firewall/actions/runs/27211514662/job/80359993434?pr=4586
Relevant code
actions/setup/js/checkout_pr_branch.cjslines 132-136:Suggested fix
Handle 404 from the collaborators API for bot/app actors (e.g.
Copilot,dependabot[bot]), either by:context.payload.sender?.typefor"Bot"or"Mannequin"before calling the API