Use fresh GitHub token permissions for action installs

[ralyodio]

• Inspect review threads that mention @copilot and identify required code updates
• Run existing lint/build/tests for the touched area, then apply minimal code changes
• Re-run targeted validation, run parallel validation, and reply to addressed review comments

[github-actions]

vu1nz Security Review

0 finding(s) in PR #?

No security issues found.

[greptile-apps]

Greptile Summary

This PR addresses a previously flagged issue where the Supabase update call to persist refreshed GitHub installation permissions had no error handling, silently continuing with potentially stale data on failure.

• DB update observability: The update result is now destructured and, if an error is present, logged via console.error with structured context (installationId, githubInstallationId, error). The operation remains non-fatal, which is correct since the permissions check already prefers fresh token data via hasFreshWorkflowWrite.

Confidence Score: 5/5

Safe to merge — the change is a minimal, non-functional addition of error logging for an already-observed failure path.

The only change is wrapping the Supabase update in proper error destructuring and logging when it fails. The install flow is unaffected because the permissions check already uses fresh token data directly, making the DB update non-critical. No new code paths, no altered logic, no security surface changes.

No files require special attention.

Important Files Changed

Filename	Overview
sites/sh1pt.com/app/api/v1/github/installations/[id]/repos/[repoId]/actions/[actionId]/install/route.ts	Adds error inspection and structured logging for the Supabase permissions-update call; no functional logic changes, no new issues introduced.

Sequence Diagram

sequenceDiagram
    participant Client
    participant Route as install/route.ts
    participant GH as GitHub App API
    participant DB as Supabase (github_installations)
    participant Git as GitHub Repo API

    Client->>Route: POST /install
    Route->>Route: authorizeInstallation(id)
    Route->>Route: loadBuiltinPacks + renderPack
    Route->>GH: mintInstallationToken(installationId)
    GH-->>Route: "{ token, permissions }"
    alt permissions present
        Route->>DB: "UPDATE permissions WHERE id = installation.id"
        DB-->>Route: "{ error: updateError }"
        alt updateError
            Route->>Route: console.error (log only, non-fatal)
        end
    end
    Route->>Route: hasFreshWorkflowWrite(token.permissions, stored.permissions)
    alt missing workflows:write
        Route-->>Client: 403 Forbidden
    else
        Route->>Git: openPackPullRequest(token)
        Git-->>Route: outcome
        Route-->>Client: 200 / 4xx / 5xx
    end

Loading

_{Reviews (3): Last reviewed commit: "Merge origin/master into fix/use-fresh-g..." | Re-trigger Greptile}

[Copilot]

Pull request overview

This PR updates the GitHub Action install API route to validate required GitHub App permissions using the freshly-minted installation token’s reported permissions (and persists those permissions), instead of relying solely on potentially stale permissions stored in the database.

Changes:

• Move the workflow-write permission gate to run after minting an installation token, using the token’s permissions as the primary source.
• Persist the latest installation token permissions back into github_installations.
• Introduce a helper (hasFreshWorkflowWrite) to prefer token permissions with a fallback to stored permissions.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ralyodio]

@copilot resolve the merge conflicts in this pull request

[Copilot]

@copilot resolve the merge conflicts in this pull request

Resolved in ee7f717.