
fix: recompile review workflow with gh-aw v0.68.3 for activation permissions #35161

Merged: PureWeen merged 1 commit into main from feat/expert-review-workflow on Apr 27, 2026

@PureWeen
Member

Note

Are you waiting for the changes in this PR to be merged?
It would be very helpful if you could test the resulting artifacts from this PR and let us know in a comment if this change resolves your issue. Thank you!

Description

Recompiles review.agent.lock.yml with gh-aw v0.68.3 to fix 403 errors on /review slash command activation.

Problem

The lock file compiled with v0.71.0 (merged in #35111) was missing pull-requests: write on the activation job. When the workflow tried to add a 👀 reaction to a /review comment on a PR, it failed with:

POST /repos/dotnet/maui/issues/comments/{id}/reactions - 403 Resource not accessible by integration

GitHub requires pull-requests: write to add reactions to issue comments associated with PRs, even though the endpoint path is /issues/comments/.

Root Cause

Upstream compiler bug in gh-aw v0.69.3+ — the activation job permissions were scoped too tightly, stripping pull-requests: write for slash_command events on PR comments. Filed as github/gh-aw#28767.

Fix

Recompiled with gh-aw v0.68.3 (current default/recommended version), which correctly grants:

permissions:
  actions: read
  contents: read
  discussions: write
  issues: write
  pull-requests: write  # ← this was missing with v0.71.0

Testing

  • ✅ Tested on PureWeen/PolyPilot: v0.68.3 /review trigger succeeds, activation passes, agent runs
  • ❌ Confirmed v0.71.0 and v0.71.1 both fail with the same 403 error
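
A regression guard for the problem described in this PR, as an added example that is not part of the PR or of gh-aw: it reads a compiled workflow and reports any scope from the Fix list that the activation job no longer grants. The job name `activation` as a YAML key and both sample fragments are assumptions constructed for illustration.

```python
REQUIRED = {  # scopes from the PR's "Fix" section
    "actions": "read", "contents": "read", "discussions": "write",
    "issues": "write", "pull-requests": "write",
}
RANK = {"none": 0, "read": 1, "write": 2}


def job_permissions(workflow_text, job):
    """Return jobs.<job>.permissions as a dict (block-style mappings only)."""
    # Not a general YAML parser; workflow-level permissions are ignored.
    perms, path = {}, []  # path: stack of (indent, key) above current line
    for raw in workflow_text.splitlines():
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith(("#", "-")):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:
            path.pop()
        if [k for _, k in path] == ["jobs", job, "permissions"]:
            perms[key] = value.strip()
        path.append((indent, key))
    return perms


def missing_permissions(workflow_text, job="activation", required=REQUIRED):
    """List every required scope the job grants at a lower level."""
    granted = job_permissions(workflow_text, job)
    return [
        f"{scope}: need {need}, have {granted.get(scope, 'none')}"
        for scope, need in required.items()
        if RANK.get(granted.get(scope, "none"), 0) < RANK[need]
    ]


# Constructed fragments, not copied from review.agent.lock.yml.
GOOD = """\
jobs:
  activation:
    permissions:
      actions: read
      contents: read
      discussions: write
      issues: write
      pull-requests: write  # restored
    steps:
      - run: echo ok
"""
BAD = GOOD.replace("      pull-requests: write  # restored\n", "")
```

Run as a CI step after each recompile, a non-empty result from `missing_permissions` flags the lock file before a `/review` comment hits the 403.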

…issions

The review.agent.lock.yml compiled with v0.71.0 was missing
pull-requests:write on the activation job, causing 403 errors
when the workflow tried to add a 👀 reaction to /review comments.

This is an upstream compiler bug (github/gh-aw#28767) where
v0.69.3+ stripped pull-requests:write from activation jobs
triggered by slash_command on PR comments.

v0.68.3 is the current default/recommended version and correctly
grants the required permissions.

Tested: PolyPilot /review trigger succeeds with v0.68.3.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 27, 2026 17:20
@github-actions
Contributor

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 35161

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 35161"

@PureWeen
Member Author

/review

Contributor

Copilot AI left a comment

Pull request overview

Recompiles the gh-aw generated /review workflow lock file to restore the activation-job permissions needed to react to PR comments (fixing the 403 “Resource not accessible by integration” failure on /review).

Changes:

  • Recompiled .github/workflows/review.agent.lock.yml using gh-aw v0.68.3, updating the generated jobs/steps and restoring pull-requests: write on the activation job.
  • Updated .github/aw/actions-lock.json to reflect the newer github/gh-aw-actions/setup@v0.68.3 pin.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| .github/workflows/review.agent.lock.yml | Recompiled workflow; updates activation permissions and regenerates gh-aw job/step templates under v0.68.3. |
| .github/aw/actions-lock.json | Updates pinned gh-aw setup action version used by compilation outputs. |

Comment on lines +13 to +16
"github/gh-aw-actions/setup@v0.68.3": {
"repo": "github/gh-aw-actions/setup",
"version": "v0.62.1",
"sha": "95c4e2aa6adbdf63ff0b0fbf09945ad4f4716fea"
},
"github/gh-aw-actions/setup@v0.62.2": {
"repo": "github/gh-aw-actions/setup",
"version": "v0.62.2",
"sha": "20045bbd5ad2632b9809856c389708eab1bd16ef"
},
"github/gh-aw-actions/setup@v0.71.0": {
"repo": "github/gh-aw-actions/setup",
"version": "v0.71.0",
"sha": "49157453228f9641824955e35cbeccbca74ee0fd"
"version": "v0.68.3",
"sha": "ba90f2186d7ad780ec640f364005fa24e797b360"
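Review bot: The key tag and the "version" field disagree in this actions-lock.json snippet as rendered: the key "github/gh-aw-actions/setup@v0.68.3" is followed by "version": "v0.62.1", and the "setup@v0.71.0" entry is followed by both a v0.71.0 and a v0.68.3 version/sha pair. If the committed file keeps any entry whose key tag differs from its version, the lock no longer states which commit a tag resolves to. Check that every key's tag matches its "version" and that the v0.68.3 entry carries sha ba90f2186d7ad780ec640f364005fa24e797b360, the value pinned in the workflow's gh-aw-manifest.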
Comment on lines +1 to +2
# gh-aw-metadata: {"schema_version":"v3","frontmatter_hash":"82d8d133daf293c67e08d5c98b591c717b55d54b41fa74185de903df5cc9592f","compiler_version":"v0.68.3","strict":true,"agent_id":"copilot","agent_model":"claude-opus-4.6"}
# gh-aw-manifest: {"version":1,"secrets":["COPILOT_GITHUB_TOKEN","GH_AW_GITHUB_MCP_SERVER_TOKEN","GH_AW_GITHUB_TOKEN","GITHUB_TOKEN"],"actions":[{"repo":"actions/checkout","sha":"de0fac2e4500dabe0009e67214ff5f5447ce83dd","version":"v6.0.2"},{"repo":"actions/download-artifact","sha":"3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c","version":"v8.0.1"},{"repo":"actions/github-script","sha":"373c709c69115d41ff229c7e5df9f8788daa9553","version":"v9"},{"repo":"actions/github-script","sha":"3a2844b7e9c422d3c10d287c895573f7108da1b3","version":"v9"},{"repo":"actions/upload-artifact","sha":"043fb46d1a93c77aae656e7c1c64a875d1fc6a0a","version":"v7.0.1"},{"repo":"github/gh-aw-actions/setup","sha":"ba90f2186d7ad780ec640f364005fa24e797b360","version":"v0.68.3"}],"containers":[{"image":"ghcr.io/github/gh-aw-firewall/agent:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20"},{"image":"ghcr.io/github/gh-aw-firewall/squid:0.25.20"},{"image":"ghcr.io/github/gh-aw-mcpg:v0.2.19"},{"image":"ghcr.io/github/github-mcp-server:v0.32.0"},{"image":"node:lts-alpine"}]}
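Review bot: The gh-aw-manifest on line 2 lists actions/github-script twice at "version":"v9" with two different sha values, so the same tag is pinned to two commits within one workflow. Confirm that both pins are intended by the v0.68.3 templates; if not, regenerate so the tag maps to a single commit, since a reviewer comparing the manifest against the steps cannot tell which commit v9 is supposed to be.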
Comment on lines +46 to +51
# - ghcr.io/github/gh-aw-firewall/agent:0.25.20
# - ghcr.io/github/gh-aw-firewall/api-proxy:0.25.20
# - ghcr.io/github/gh-aw-firewall/squid:0.25.20
# - ghcr.io/github/gh-aw-mcpg:v0.2.19
# - ghcr.io/github/github-mcp-server:v0.32.0
# - node:lts-alpine
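Review bot: The container list on lines 46 to 51 names every image by tag only, and node:lts-alpine is a floating tag, so what these jobs pull can change without any change to this lock file. Consider recording each image by digest (image@sha256:<digest>), the same way the actions in the manifest are pinned by commit sha.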
PureWeen added a commit to PureWeen/maui that referenced this pull request Apr 27, 2026
Validates fix for dotnet#35161 — recompiled activation job
has pull-requests:write for slash_command reactions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@PureWeen PureWeen merged commit f203244 into main Apr 27, 2026
11 of 12 checks passed
@PureWeen PureWeen deleted the feat/expert-review-workflow branch April 27, 2026 18:31
@github-actions github-actions Bot added this to the .NET 10 SR7 milestone Apr 27, 2026
@github-actions github-actions Bot locked and limited conversation to collaborators May 28, 2026