Skip to content

[Code Quality] Fix campaign label permissions for update_project handler #12172

New issue
New issue
Closed as not planned
Closed as not planned
[Code Quality] Fix campaign label permissions for update_project handler#12172
Assignees
pelikhancopilot-swe-agent
Labels
automationbugSomething isn't workingcode-qualitycookieIssue Monster Loves Cookies!safe-outputstask-mining
@github-actions

Description

@github-actions
github-actions
bot
opened on Jan 28, 2026

Description

The safe output update_project handler is failing to add campaign labels to issues due to insufficient GitHub token permissions. This results in warnings appearing in workflow logs and affects issue organization and campaign tracking.

Current Issue

Warning message appearing in logs:

##[warning]Failed to add campaign label: Resource not accessible by personal access token

Root Cause:
The GitHub personal access token lacks the necessary permissions to add labels to issues. The update_project handler attempts to add campaign labels as part of project updates, but this operation fails silently with a warning.

Impact

  • Campaign labels are not being added to issues during project updates
  • Issue organization and campaign tracking is incomplete
  • Safe output processing continues successfully (non-blocking warning)
  • Affects the Security Alert Burndown workflow and similar workflows

Suggested Solutions

Option A: Update Token Permissions (Recommended)

Update the workflow permissions to include label management:

permissions:
  issues: write
  projects: write
  contents: read

Option B: Graceful Degradation

Modify the safe output handler to catch permission errors gracefully:

try {
  await addCampaignLabel(issue);
} catch (error) {
  if (error.message.includes('Resource not accessible')) {
    core.info('Skipping campaign label - insufficient permissions');
  } else {
    throw error;
  }
}

Files Affected

  • Workflow YAML files using update_project safe output (e.g., Security Alert Burndown)
  • OR: pkg/workflow/js/safe_outputs_handlers.cjs (if implementing graceful degradation)

Success Criteria

  • Campaign labels are successfully added to issues during project updates
  • OR: Handler gracefully skips label addition with informative logging
  • No warnings appear in safe output job logs for label operations
  • Project updates continue to succeed regardless of label operation outcome

Affected Workflows

  • Security Alert Burndown (workflow_dispatch event)
  • Any workflow using update_project safe output that needs campaign labels

Source

Extracted from Safe Output Health Report discussion #12131

Priority

Medium - Prevents proper campaign tracking but doesn't block workflow execution.

Affected Run

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 11, 2026, 5:10 AM UTC

Metadata

Metadata

Assignees

Labels

automationbugSomething isn't workingcode-qualitycookieIssue Monster Loves Cookies!safe-outputstask-mining

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions