From f406e23f75814754ee652da59ced882eea53cd4f Mon Sep 17 00:00:00 2001 From: Florent Sorel Date: Fri, 19 Jun 2026 09:13:53 +0200 Subject: [PATCH 1/2] fix(closed): grant pull-requests write to CommentSubPRs job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The "Comment rebase --onto on Sub PRs" job (after-pr-merged action) runs without a permissions: block. When the default GITHUB_TOKEN is trimmed down at the org level, the very first call (pulls.get) returns 403 "Resource not accessible by integration" and the job fails on every merged PR: cosmetic red CI post-merge + the "rebase --onto" memo is never posted on the sub-PRs. We explicitly grant the minimal scopes the action needs: pull-requests:write (pulls.get/list + creating/updating the comment on the sub-PRs) and contents:read. Independent of the org's default permission. Co-Authored-By: Claude Opus 4.8 (1M context) --- sample/workflows/closed.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sample/workflows/closed.yml b/sample/workflows/closed.yml index 1577bfe9..b4427fc6 100644 --- a/sample/workflows/closed.yml +++ b/sample/workflows/closed.yml @@ -28,6 +28,9 @@ jobs: name: "Comment rebase --onto on Sub PRs" runs-on: ubuntu-slim timeout-minutes: 2 + permissions: + contents: read + pull-requests: write steps: - uses: mobsuccess-devops/github-actions-mobsuccess@master with: From 16cfa28496156591fbf009aec9cc52560e4976bd Mon Sep 17 00:00:00 2001 From: Florent Sorel Date: Fri, 19 Jun 2026 09:19:49 +0200 Subject: [PATCH 2/2] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- sample/workflows/closed.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sample/workflows/closed.yml b/sample/workflows/closed.yml index b4427fc6..65727d1e 100644 --- a/sample/workflows/closed.yml +++ b/sample/workflows/closed.yml 
@@ -30,7 +30,8 @@ jobs: timeout-minutes: 2 permissions: contents: read - pull-requests: write + pull-requests: read + issues: write steps: - uses: mobsuccess-devops/github-actions-mobsuccess@master with:
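Review bot: In PATCH 1/2, the job that receives the new `permissions:` block still runs `mobsuccess-devops/github-actions-mobsuccess@master` (the context line under `steps:`), a mutable branch ref, so whatever lands on that branch executes with the write-scoped token on every merged PR. Pin the `uses:` line to a full commit SHA in the same change. No checkout step is visible in this hunk; if the job has none, `contents: read` can be dropped as well, since a `permissions:` block already sets every unlisted scope to none.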
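Review bot: In PATCH 2/2, the replacement of `pull-requests: write` with `pull-requests: read` plus `issues: write` comes with no stated reason: the subject "Potential fix for pull request finding" names neither the finding nor the API call the action uses to post the comment, and the PATCH 1/2 message says the comment creation/update on sub-PRs is what needs `pull-requests: write`. Before merging, confirm on a merged PR that has sub-PRs that the "rebase --onto" comment is still posted with this token, and state in the commit message which call requires `issues: write`. Note that `issues: write` also lets the token create and edit issues in the repository, so it is a different grant rather than a strictly smaller one. If both patches are kept, squash them so the history does not carry a permission set that was replaced minutes later.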