[aw-failures] Fix Smoke Claude: safe_outputs job fails to resolve PR review threads — "Resource not accessible by integration"

[github-actions]

Problem Statement

The Smoke Claude workflow (test #16 — Resolve Review Thread) fails on every run because the safe_outputs job cannot execute resolveReviewThread via GitHub's GraphQL API. The agent queues this action successfully, but the safe_outputs processing step returns:

Resource not accessible by integration

This causes the entire workflow to exit as failure even though the Claude agent itself ran 18–19/19 tests successfully. This has been observed in at least two consecutive smoke batches today.

Affected Workflows and Run IDs

Run ID	Batch	Failing Step	Error
§25244096632	2026-05-02T04:49 UTC	safe_outputs / Message 6	Resource not accessible by integration
§25239718599	2026-05-02T01:00 UTC	safe_outputs / Message 10	Resource not accessible by integration

Root Cause Analysis

The safe_outputs job in smoke-claude.lock.yml declares:

permissions:
  contents: read
  discussions: write
  issues: write
  pull-requests: write
  security-events: write

Despite pull-requests: write being present, the GitHub GraphQL resolveReviewThread mutation fails. Possible causes:

1. GitHub App scope gap: The GitHub Actions GITHUB_TOKEN may require a separate pull_request_review write scope not covered by pull-requests: write.
2. Thread state mismatch: The target thread (e.g., PRRT_kwDOPc1QR85_F5F0) may already be resolved by a prior run, causing a permission-like error on re-resolve.
3. Safe outputs MCP reporting: The agent sees success (queued) but the actual execution in the GitHub Actions step fails — the smoke test's assertion of ✅ for test Update default model in Codex engine to o4-mini and adjust test expectations #16 is misleading.

Proposed Remediation

At least one of:

1. Investigate token scope: Add explicit pull_request_reviews: write if available, or open a GitHub support issue to clarify whether pull-requests: write should cover resolveReviewThread.
2. Make test Update default model in Codex engine to o4-mini and adjust test expectations #16 resilient: Change the smoke test prompt to treat a failed resolve as a warning (⚠️) rather than queuing it as a hard safe output — use noop or separate it from the safe_outputs flow.
3. Deduplicate thread ID: If the same thread is being targeted across runs, the smoke test should create a fresh review thread per run and track its ID explicitly.

Success Criteria

• Smoke Claude runs complete with safe_outputs job success
• Test Update default model in Codex engine to o4-mini and adjust test expectations #16 (Resolve Review Thread) either passes consistently or is gracefully downgraded to a non-fatal warning
• No recurrence of Resource not accessible by integration in smoke-claude safe_outputs logs

References

• Parent cluster: [aw-failures] Smoke CI failure cluster 2026-05-02: 4 failures — Crush EROFS, Gemini API key, safe_outputs permissions #29665
• Related P0 sub-issues: [aw-failures] P0: Smoke CI agent crashes — Crush EROFS install failure & Gemini API key invalid #29666 (Crush EROFS + Gemini API key)

References:

• §25244096632
• §25239718599

Generated by [aw] Failure Investigator (6h) · ● 498.4K · ◷

• expires on May 9, 2026, 7:28 AM UTC