Fix add-comment and hide-comment to use issues:write instead of pull_requests:write

[Copilot]

Fix add-comment and hide-comment permissions

Issue

The add-comment and hide-comment safe outputs incorrectly required pull_requests: write permission when they only need issues: write. PR comments are actually issue comments under the hood in GitHub's API.

Changes Made

• Updated add_comment.go - Use NewPermissionsContentsReadIssuesWrite() when discussions are disabled
• Updated safe_outputs_permissions.go - Applied same fix for both add-comment and hide-comment
• Updated safe_outputs_permissions_test.go - Removed pull_requests: write from expected permissions
• Updated notify_comment_test.go - Removed pull-requests: write expectation for add-comment
• Updated compiler_safe_outputs_job_test.go - Removed pull-requests: write from add-comment and multiple safe output test cases

Original prompt

---

This section details on the original issue you should resolve

<issue_title>add-comment doesn't actually require pull_requests: write</issue_title>
<issue_description>When using the add-comment safe output, the compiler adds pull_requests: write to the required workflow permissions.

On GitHub you don't actually need pull_requests: write to add a comment to a pull request, just issues: write.

issues: write — lets you add regular comments on a PR (the main conversation thread), since those are issue comments under the hood

pull_requests: write — needed for PR-specific actions like creating review comments (inline code comments), submitting reviews, updating the PR branch, etc.</issue_description>

<agent_instructions>Add test for this case to prevent regression.</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes add-comment doesn't actually require pull_requests: write #16673

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

---

Fix add-comment and hide-comment to use issues:write instead of pull_requests:write

Fix add-comment and hide-comment permissions

Issue

The add-comment and hide-comment safe outputs incorrectly required pull_requests: write permission when they only need issues: write. PR comments are actually issue comments under the hood in GitHub's API.

Changes Made

• Updated add_comment.go - Use NewPermissionsContentsReadIssuesWrite() when discussions are disabled
• Updated safe_outputs_permissions.go - Applied same fix for both add-comment and hide-comment
• Updated safe_outputs_permissions_test.go - Removed pull_requests: write from expected permissions
• Updated notify_comment_test.go - Removed pull-requests: write expectation for add-comment
• Updated compiler_safe_outputs_job_test.go - Removed pull-requests: write from add-comment and multiple safe output test cases

Original prompt

---

This section details on the original issue you should resolve

(issue_title)add-comment doesn't actually require pull_requests: write(/issue_title)
(issue_description)When using the add-comment safe output, the compiler adds pull_requests: write to the required workflow permissions.

On GitHub you don't actually need pull_requests: write to add a comment to a pull request, just issues: write.

issues: write — lets you add regular comments on a PR (the main conversation thread), since those are issue comments under the hood

pull_requests: write — needed for PR-specific actions like creating review comments (inline code comments), submitting reviews, updating the PR branch, etc.(/issue_description)

(agent_instructions)Add test for this case to prevent regression.(/agent_instructions)

Comments on the Issue (you are @copilot in this section)

(comments)
(/comments)

• Fixes add-comment doesn't actually require pull_requests: write #16673

Changeset

• Type: patch
• Description: Fix add-comment and hide-comment safe outputs to request issues:write instead of pull_requests:write.

Generated by Changeset Generator

---

---

✨ PR Review Safe Output Test - Run 22164908321

💥 [THE END] — Illustrated by Smoke Claude

[Copilot]

Pull request overview

This PR fixes a permissions issue where add-comment and hide-comment safe outputs incorrectly requested pull_requests: write permission. Since PR comments are issue comments in GitHub's API, only issues: write is required.

Changes:

• Updated permission computation for add-comment and hide-comment to use issues: write instead of pull_requests: write when discussions: false
• Added explanatory comments clarifying that PR comments are issue comments
• Updated test expectations to reflect the corrected permission requirements

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
pkg/workflow/safe_outputs_permissions.go	Fixed permission computation for both add-comment and hide-comment to use NewPermissionsContentsReadIssuesWrite() when discussions are disabled
pkg/workflow/add_comment.go	Updated add-comment job builder to use correct permissions helper function
pkg/workflow/safe_outputs_permissions_test.go	Removed PermissionPullRequests: PermissionWrite from test expectations for add-comment and hide-comment

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[pelikhan]

@copilot fix test failures in https://github.com/github/gh-aw/actions/runs/22163965834/job/64087057491

[Copilot]

@copilot fix test failures in https://github.com/github/gh-aw/actions/runs/22163965834/job/64087057491

Fixed in commit 33201fe. Updated pkg/workflow/notify_comment_test.go to remove the check for pull-requests: write permission when add-comment is configured. The test now correctly expects only issues: write and discussions: write permissions.

[pelikhan]

@copilot:claude-sonnet-4.5 fix tests in https://github.com/github/gh-aw/actions/runs/22164300562/job/64088091764?pr=16687

[Copilot]

@pelikhan The model sweagent-capi is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: ab09b6c5-a9e7-4fd3-9fca-93b85efbd256

[pelikhan]

@copilot:claude-sonnet-4.5 fix tests in https://github.com/github/gh-aw/actions/runs/22164300562/job/64088091764?pr=16687

[Copilot]

@pelikhan The model sweagent-capi is not available for your account. This can happen if the model was disabled by your organization's policy or if your Copilot plan doesn't include access to it.

You can try again without specifying a model (just @copilot) to use the default, or choose a different model from the model picker.

If you want to contact GitHub about this error, please mention the following identifier so they can better serve you: a15cde3d-1f05-4988-88ef-c2aa15947b10

[pelikhan]

@copilot fix tests in https://github.com/github/gh-aw/actions/runs/22164300562/job/64088091764?pr=16687

[Copilot]

@copilot fix tests in https://github.com/github/gh-aw/actions/runs/22164300562/job/64088091764?pr=16687

Fixed in commit d1d759c. Updated pkg/workflow/compiler_safe_outputs_job_test.go to remove the pull-requests: write expectation for add-comment test cases. The test now correctly expects only issues: write and discussions: write permissions.

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

🧪 Smoke Project is now testing project operations...

[github-actions]

🧪 Smoke Temporary ID is now testing temporary ID functionality...

[github-actions]

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

✅ Smoke Project completed successfully. All project operations validated.

[github-actions]

Smoke test results:
PR: #16699 Remove GitHub API call from CLI initialization hot path
PR: #16690 Add blocked pattern matching for add-labels and remove-labels
GitHub MCP: ✅
Serena MCP (activate + find_symbol): ✅
Playwright (title contains GitHub): ✅
File write: ✅
Bash cat: ✅
Build (make build): ✅
Overall: PASS

🔮 The oracle has spoken through Smoke Codex for issue #16687

[github-actions]

Smoke test results for @app/copilot-swe-agent:

Test
GitHub MCP	✅
safeinputs-gh	✅
Playwright	✅
File write/read	✅
Discussion comment	✅
Build	✅
Create discussion	✅
Haiku dispatch	✅
PR review	✅

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot for issue #16687

[github-actions]

This PR correctly removes pull-requests: write from add-comment and hide-comment safe-output jobs. These operations only need issues: write — good least-privilege fix applied consistently across all affected workflow files.

📰 BREAKING: Report filed by Smoke Copilot for issue #16687

[github-actions]

✅ Good fix — add_comment and hide_comment operations only require issues:write, not pull_requests:write. Removing the overly-broad permission follows the principle of least privilege.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

Smoke Test Results - Run §22164908321

Core Tests: ✅ #1 GitHub MCP | ✅ #2 GH CLI | ✅ #3 Serena | ✅ #4 Make Build | ✅ #5 Playwright | ✅ #6 Tavily | ✅ #7 File Write | ✅ #8 Bash | ✅ #9 Discussion | ✅ #10 Agentic Workflows

PR Review Tests: ✅ #11 Update PR | ✅ #12 Review Comments | ✅ #13 Submit Review | ✅ #14 Resolve Thread | ✅ #15 Add Reviewer | ❌ #16 Push to Branch (git identity not configured) | ⚠️ #17 Close PR (skipped)

Overall: PARTIAL

💥 [THE END] — Illustrated by Smoke Claude for issue #16687

[github-actions]

💥 Automated smoke test review - all systems nominal!

💥 [THE END] — Illustrated by Smoke Claude for issue #16687