fix: add missing issues:write permission for PR autolabeler#20
Conversation
The reusable workflow (commit-check/.github/.github/workflows/pr-labeler.yml)
requires 'issues: write' permission because the release-drafter autolabeler
uses the Issues API to set labels on PRs.
When a caller invokes a reusable workflow with 'permissions: {}' at the top
level and only 'pull-requests: write' + 'contents: read' at the job level,
'issues' defaults to 'none'. The reusable workflow cannot escalate its
permissions beyond what the caller grants, causing a startup_failure.
This adds 'issues: write' to the caller job-level permissions so the
reusable workflow's GITHUB_TOKEN can create PR labels.
|
Warning Review limit reached
Next review available in: 20 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #20 +/- ##
=========================================
Coverage 100.00% 100.00%
=========================================
Files 2 2
Lines 209 209
=========================================
Hits 209 209 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Problem
Since the refactoring to use a reusable workflow from
commit-check/.github(commit 6e3b539), everypull_requestevent fails withstartup_failureon the labeler workflow (PRs #17, #18, #19, etc.).Root Cause
The caller workflow (
labeler.yml) sets:permissions: {}at the top level → all permissions default tononepermissions: { pull-requests: write, contents: read }at the job level →issuesstays atnoneBut the reusable workflow (
commit-check/.github/.github/workflows/pr-labeler.yml) requestsissues: writebecause therelease-drafter/autolabeleruses the Issues API to set PR labels.When a reusable workflow requests permissions that exceed what the caller grants, GitHub Actions rejects the run at startup (
startup_failure).The
release-drafter.ymlworks fine because its reusable workflow only requestscontents: write+pull-requests: write— noissues: write.Fix
Add
issues: writeto the job-level permissions inlabeler.ymlso the reusable workflow receives aGITHUB_TOKENwith sufficient scope.Verification
Run a
pull_requestevent on this branch to confirm the autolabeler starts correctly.