fix(merge): grant checks:read so ff-merge can read the check-run rollup #25
Conversation
ff-merge verifies a PR's status rollup via the Checks API (checks.listForRef), which an App token can only call with checks:read. The least-privilege token mints granted contents/pull-requests/administration/workflows/issues but not checks, so /merge failed with "Resource not accessible by integration" and the continue-on-error auto-merge paths silently never completed.

Add permission-checks: read to every mint step that precedes an ff-merge call, in both merge.yaml and dependabot-merge.yaml. The v1.1.0 callers were unaffected because they minted an unrestricted token that inherited the App's checks grant; the regression landed when v3.0.0 switched to the explicit allow-list and omitted it.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
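As an added illustration of the fix described above (not the PR's own workflow file), a minimal merge.yaml mint step with the scope v3.0.0 omitted restored. It assumes the mint step uses actions/create-github-app-token with its permission-<scope> inputs, that the write/read levels shown are the ones the real workflow uses, and that ff-merge lives at the placeholder path ./.github/actions/ff-merge.

```yaml
# Added example, not the repository's merge.yaml. Assumptions: the "mint step"
# is actions/create-github-app-token (permission-<scope> inputs); permission
# levels other than checks are assumed; the ff-merge path is a placeholder.
name: merge
on:
  issue_comment:
    types: [created]

jobs:
  merge:
    if: github.event.issue.pull_request && github.event.comment.body == '/merge'
    runs-on: ubuntu-latest
    steps:
      - name: mint least-privilege App token
        id: app
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.APP_ID }}                 # placeholder variable name
          private-key: ${{ secrets.APP_PRIVATE_KEY }} # placeholder secret name
          # Explicit allow-list introduced in v3.0.0. Unlike the unrestricted
          # v1.1.0 token, nothing outside this list is inherited from the App.
          permission-contents: write
          permission-pull-requests: write
          permission-administration: write
          permission-workflows: write
          permission-issues: write
          # The line v3.0.0 left out. Without it checks.listForRef fails with
          # "Resource not accessible by integration"; read is all ff-merge
          # needs, so checks stays out of the write set.
          permission-checks: read

      - name: ff-merge
        uses: ./.github/actions/ff-merge   # placeholder path for the ff-merge action
        with:
          token: ${{ steps.app.outputs.token }}
        # Auto-merge callers that wrap this step in continue-on-error: true
        # swallow the 403, which is why the missing scope surfaced only on /merge.
```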
Note Merging this PR: this repository merges by fast-forward so every The branch must be up to date with
/auto-merge
Note Auto-merge armed. Once this PR is approved and every required check Remove the
Cannot
Fast-forwarded 5a651ab into bitwise-media-group:main