Copilot AI commented Jan 22, 2026

Plan: Add error handling for "GitHub actions is not permitted to create or approve pull requests"

Changes Completed

  • Understand the architecture (safe outputs, conclusion job, error_message pattern)
  • Modify create_pull_request.cjs to detect the specific permission error
  • Set an error_message output variable when this error occurs
  • Update conclusion job to detect and handle this error message by creating an issue
  • Format code and run unit tests
  • Build and recompile workflows
  • Fix inline script generation
  • Validate changes work correctly
  • Move JavaScript to separate file per reviewer feedback
  • Recompile all workflows to use new file-based handler

Files Modified

  1. /home/runner/work/gh-aw/gh-aw/actions/setup/js/create_pull_request.cjs - Added error detection and output
  2. /home/runner/work/gh-aw/gh-aw/actions/setup/js/handle_create_pr_error.cjs - NEW: Error handler script (automatically copied by setup.sh)
  3. /home/runner/work/gh-aw/gh-aw/pkg/workflow/create_pull_request.go - Added error_message output
  4. /home/runner/work/gh-aw/gh-aw/pkg/workflow/notify_comment.go - Updated to use require() pattern
  5. 24+ workflow .lock.yml files - Recompiled to use new handler

Implementation Details

When create_pull_request fails with a permission error:

  1. JavaScript handler detects "GitHub Actions is not permitted to create or approve pull requests"
  2. Sets core.setOutput("error_message", ...) with helpful message and documentation link
  3. Conclusion job reads ${{ needs.create_pull_request.outputs.error_message }}
  4. Calls handle_create_pr_error.cjs using require() pattern (like other handlers)
  5. Creates or updates an issue with step-by-step instructions

Note on setup.sh

The setup.sh script in actions/setup/ automatically copies all .cjs files from actions/setup/js/ to /opt/gh-aw/actions/ at runtime, so no changes to setup.sh were needed.

Original prompt

Update the javascript safe output type handler for create-pull-request such that if the create pull request fails with "GitHub actions is not permitted to create or approve pull requests", register an error message as an output variable such that the conclusion job can file an issue stating the github actions need to be allowed to create pull requests in the repo (+ link to docs)


Changeset

  • Type: patch
  • Description: Handle GitHub Actions PR creation permission errors by emitting an error_message output and adding an auto-filed issue handler with guidance and docs links when Actions cannot create or approve pull requests in the repository.

Ahoy! This treasure was crafted by 🏴‍☠️ Changeset Generator
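
The detect, set-output and file-issue flow described in this PR description, as an added JavaScript example that is not code from the PR or from gh-aw. Apart from `core.setOutput` and the quoted error string, every name (function names, issue title, the in-memory `issues` client) is an assumption, and the docs URL is a placeholder because the thread does not give it.

```javascript
// Added illustration, not gh-aw source. Only core.setOutput is a real API name.
const PERMISSION_ERROR = "GitHub Actions is not permitted to create or approve pull requests";
const DOCS_URL = "<docs-link-placeholder>"; // the thread does not give the URL
const ISSUE_TITLE = "GitHub Actions cannot create pull requests"; // hypothetical title

// Case-insensitive: the thread spells it both "GitHub actions" and "GitHub Actions".
function isPrPermissionError(err) {
  const msg = String((err && err.message) || err || "");
  return msg.toLowerCase().includes(PERMISSION_ERROR.toLowerCase());
}

// Producer (create_pull_request job): convert the failure into a job output.
async function createPullRequestSafely(createPr, core) {
  try {
    return { created: true, pr: await createPr() };
  } catch (err) {
    if (!isPrPermissionError(err)) throw err; // unrelated failures still fail the job
    core.setOutput("error_message", `${PERMISSION_ERROR}. See ${DOCS_URL}`);
    return { created: false };
  }
}

// Consumer (conclusion job): file one tracking issue, then update it on repeats.
async function handleCreatePrError(errorMessage, issues) {
  if (!errorMessage) return "skipped"; // output is empty when PR creation worked
  const existing = (await issues.listOpen()).find(i => i.title === ISSUE_TITLE);
  if (existing) {
    await issues.comment(existing.number, `Still failing: ${errorMessage}`);
    return "updated";
  }
  await issues.create(ISSUE_TITLE, `${errorMessage}\n\nAllow GitHub Actions to create pull requests in the repository settings, then re-run.`);
  return "created";
}

// Constructed in-memory stand-ins for @actions/core and an issues client.
function makeFakes() {
  const outputs = {}, store = [];
  const core = { setOutput: (k, v) => { outputs[k] = v; } };
  const issues = {
    listOpen: async () => store,
    create: async (title, body) => { store.push({ number: store.length + 1, title, body, comments: [] }); },
    comment: async (n, body) => { store.find(i => i.number === n).comments.push(body); },
  };
  return { outputs, store, core, issues };
}
```

Only the one known permission error is downgraded to an output; any other failure is rethrown so the job still fails visibly, and repeat runs comment on the existing issue instead of opening duplicates.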

Copilot AI and others added 3 commits January 22, 2026 23:39
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Modified create_pull_request.cjs to detect "GitHub Actions is not permitted to create or approve pull requests" error
- Set error_message output variable when permission error occurs
- Added error_message output to create_pull_request job definition
- Added conclusion job step to handle permission errors and create tracking issue
- Issue includes instructions and documentation link for enabling PR creation permission

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
- Changed from file-based script to inline script in notify_comment.go
- Script is now properly embedded in the conclusion job step
- All unit tests related to my changes pass
- Note: Unrelated TestCodexEngineRenderMCPConfig failure exists in main

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update javascript safe output handler for create-pull-request Handle GitHub Actions PR creation permission errors with auto-filed issues Jan 22, 2026
Copilot AI requested a review from pelikhan January 22, 2026 23:59
@pelikhan

@copilot move JavaScript to file in actions/setup/js , update setup.sh

- Created handle_create_pr_error.cjs in actions/setup/js/
- Updated notify_comment.go to use require() instead of inline script
- Script is automatically copied by setup.sh to /opt/gh-aw/actions/
- Follows same pattern as other handlers like handle_agent_failure.cjs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 23, 2026

@copilot move JavaScript to file in actions/setup/js , update setup.sh

Done in d5525fe. Created handle_create_pr_error.cjs in actions/setup/js/ and updated notify_comment.go to use the require() pattern. The setup.sh script automatically copies all .cjs files to /opt/gh-aw/actions/ at runtime.

@pelikhan

Recompile with @copilot.

- All workflows with create-pull-request now use handle_create_pr_error.cjs
- Changed from inline script to require() pattern across all workflows
- 24 workflow lock files updated with the new handler

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jan 23, 2026

Recompile with @copilot.

Done in 705b87e. Recompiled all 137 workflows - 24 workflows with create-pull-request now use the file-based handle_create_pr_error.cjs handler instead of inline scripts.

@github-actions

github-actions bot commented Jan 23, 2026

🎬 THE END - Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

github-actions bot commented Jan 23, 2026

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

@github-actions

github-actions bot commented Jan 23, 2026

🎉 Yo ho ho! Changeset Generator found the treasure and completed successfully! ⚓💰

@github-actions

PR titles reviewed: Add discussion commenting to smoke workflows with explicit instructions, deprecate discussion flag
PR titles reviewed: Correct PR description: YAML context not shell injection in code scanning alert #538
GitHub MCP merged PRs ✅
SafeInputs gh pr list ✅
Serena activate_project ✅
Playwright github title ✅
Tavily search ✅
File write + bash cat ✅
Discussion query + comment ✅
Overall status: PASS

AI generated by Smoke Codex

@github-actions

🎮 GAME OVER? Not quite! The Copilot smoke test agent just popped in to say hi! 👾

We're testing all the things - GitHub MCP, Serena, Playwright, file I/O, bash tools, and of course... visiting your excellent Firewall Escape report!

Your sandbox security work is chef's kiss 🤌 - 40 techniques, 100% novelty, zero escapes. That's some serious defense-in-depth action right there!

Keep up the amazing security testing! 🛡️✨

Beep boop 🤖 - Smoke test agent signing off!

AI generated by Smoke Copilot

@github-actions

Smoke Test: Copilot - PASS ✅

Recent PRs tested:

Test Results:

Overall Status: PASS

cc @pelikhan

AI generated by Smoke Copilot

@github-actions

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

Smoke Test Results - Claude Engine

Overall Status: ✅ PASS

Test Result
GitHub MCP
Safe Inputs GH CLI
Serena MCP
Playwright
Tavily
File Writing
Bash Tool
Discussion Interaction

PRs Retrieved:

Run: §21271981674

AI generated by Smoke Claude

@pelikhan pelikhan marked this pull request as ready for review January 23, 2026 02:28
@pelikhan pelikhan merged commit c495d9a into main Jan 23, 2026
83 checks passed
@pelikhan pelikhan deleted the copilot/update-js-safe-output-handler branch January 23, 2026 02:28