ci(preview): grant pull-requests:write so PR comment posts #3663

Merged
jodeleeuw merged 1 commit into main from fix/preview-publish-pr-comment-permission
Apr 30, 2026

@jodeleeuw

Member

Summary

Fixes the preview-publish workflow silently failing to post the per-PR comment after #3662 landed.

What's broken

On PR #3661, preview-build succeeded and preview-publish ran far enough to push the orphan preview/pr-3661 branch with valid metadata.json — but no comment ever appeared on the PR.

Root cause

peter-evans/create-or-update-comment@v4 uses the issues API endpoint (POST /repos/{owner}/{repo}/issues/{n}/comments) to post general PR comments. The earlier permissions block reasoned, correctly at the API level, that this only needs issues: write. But GitHub Actions adds an additional layer on top: it enforces a separate pull-requests scope for any write that targets a pull request, regardless of which underlying API endpoint the action calls.

With pull-requests: read, the action's POST gets silently no-op'd on PRs. The job logs as successful, the preview branch is published, no comment is created.

Fix

One-line permission bump from read to write, with an inline comment explaining why this is necessary despite the issues-API rationale.

 permissions:
   contents: write
-  pull-requests: read
+  pull-requests: write
   issues: write
   actions: read
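
Review bot: With `pull-requests: write` now granted on the `+` line, check whether `issues: write` on the context line right below it is still needed for the comment step; if the comment posts without it, drop it so the token carries one fewer write scope next to `contents: write`. The description mentions an inline comment explaining the bump, but none is visible on the changed line here, so put a short YAML comment beside `pull-requests: write` so that a later least-privilege cleanup does not revert it to `read`.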

Test plan

  • Merge this PR, then re-trigger preview-build on an open PR (e.g. by pushing any commit to PR #3661, "feat(jspsych): add record_session option for high-fidelity replay capture"). The preview-publish workflow should post a comment with the jsDelivr URLs.
  • Confirm subsequent pushes update the existing comment in place rather than appending a new one (find-comment looks up by <!-- jspsych-preview-bot -->).

https://claude.ai/code/session_01WCetXEmRj6Y2cBVsvYz7vM


Generated by Claude Code

`peter-evans/create-or-update-comment@v4` uses the issues API endpoint to
post general PR comments, but GitHub Actions enforces a separate
`pull-requests` scope for any write that targets a pull request. With
`pull-requests: read` and only `issues: write`, the action silently
no-ops on PRs — the workflow run looks successful, the preview branch
gets pushed, but no comment is created.

Observed on PR #3661: preview-build succeeded, preview-publish ran far
enough to push `preview/pr-3661` with valid metadata, but the comment
step produced nothing.

The earlier intent ("PR comments go through issues:write") was correct
at the API level but not at the Actions permissions level.
@changeset-bot

changeset-bot Bot commented Apr 30, 2026


⚠️ No Changeset found

Latest commit: 26ffaa8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@jodeleeuw jodeleeuw merged commit caae123 into main Apr 30, 2026
5 checks passed
@jodeleeuw jodeleeuw deleted the fix/preview-publish-pr-comment-permission branch April 30, 2026 16:06