Skip to content

fix(merge): grant checks:read so ff-merge can read the check-run rollup#25

Merged
bitwise-fast-forward-merge[bot] merged 1 commit into
bitwise-media-group:mainfrom
dmccaffery:fix/checks-permission
Jun 29, 2026
Merged

fix(merge): grant checks:read so ff-merge can read the check-run rollup#25
bitwise-fast-forward-merge[bot] merged 1 commit into
bitwise-media-group:mainfrom
dmccaffery:fix/checks-permission

Conversation

@dmccaffery

Copy link
Copy Markdown
Collaborator

ff-merge verifies a PR's status rollup via the Checks API (checks.listForRef), which an App token can only call with checks:read. The least-privilege token mints granted contents/pull-requests/administration/ workflows/issues but not checks, so /merge failed with "Resource not accessible by integration" and the continue-on-error auto-merge paths silently never completed.

Add permission-checks: read to every mint step that precedes an ff-merge call, in both merge.yaml and dependabot-merge.yaml. The v1.1.0 callers were unaffected because they minted an unrestricted token that inherited the App's checks grant; the regression landed when v3.0.0 switched to the explicit allow-list and omitted it.

ff-merge verifies a PR's status rollup via the Checks API
(checks.listForRef), which an App token can only call with checks:read. The
least-privilege token mints granted contents/pull-requests/administration/
workflows/issues but not checks, so /merge failed with "Resource not accessible
by integration" and the continue-on-error auto-merge paths silently never
completed.

Add permission-checks: read to every mint step that precedes an ff-merge call,
in both merge.yaml and dependabot-merge.yaml. The v1.1.0 callers were unaffected
because they minted an unrestricted token that inherited the App's checks
grant; the regression landed when v3.0.0 switched to the explicit allow-list and
omitted it.

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

Note

Merging this PR: this repository merges by fast-forward so every
commit keeps its original signature. The GitHub merge button is not used.
Once this PR is approved and all checks pass, a maintainer merges it by
commenting /merge on the PR.

The branch must be up to date with main (rebased and re-signed) to
fast-forward. If /merge reports it is not fast-forwardable, rebase onto
main and comment /merge again.

@dmccaffery

Copy link
Copy Markdown
Collaborator Author

/auto-merge

@bitwise-fast-forward-merge bitwise-fast-forward-merge Bot added the auto-merge Fast-forward this PR once it is approved and all required checks pass label Jun 29, 2026
@bitwise-fast-forward-merge

Copy link
Copy Markdown
Contributor

Note

Auto-merge armed. Once this PR is approved and every required check
passes, it will be fast-forwarded into the base branch automatically,
preserving every commit signature.

Remove the auto-merge label to cancel. If the branch is not
fast-forwardable, rebase onto the base branch and re-sign — CI re-runs
and the merge retries.

@bitwise-fast-forward-merge

Copy link
Copy Markdown
Contributor

Cannot /merge this PR yet:

  • review decision is REVIEW_REQUIRED, need APPROVED
  • checks not passing: ci / coverage (pending), analyze / Analyze (actions) (pending)

@bitwise-fast-forward-merge

Copy link
Copy Markdown
Contributor

Cannot /merge this PR yet:

  • review decision is REVIEW_REQUIRED, need APPROVED
  • checks not passing: analyze / Analyze (actions) (pending)

@bitwise-fast-forward-merge

Copy link
Copy Markdown
Contributor

Cannot /merge this PR yet:

  • review decision is REVIEW_REQUIRED, need APPROVED

@bitwise-fast-forward-merge

Copy link
Copy Markdown
Contributor

Fast-forwarded main to 5a651ab63596 — original signature preserved, no re-sign.

@bitwise-fast-forward-merge bitwise-fast-forward-merge Bot merged commit 5a651ab into bitwise-media-group:main Jun 29, 2026
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

auto-merge Fast-forward this PR once it is approved and all required checks pass

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants