fix: add missing GITHUB_TOKEN permissions to CI workflows#3838

Merged
marcusquinn merged 1 commit into main from bugfix/ci-permissions
Mar 8, 2026

marcusquinn (Owner) commented Mar 8, 2026

Summary

  • Add issues: write and contents: read to the label-pr job in issue-sync.yml — fixes addLabelsToLabelable: Resource not accessible by integration when applying conventional-commit labels to PRs
  • Add issues: read and contents: read to the check-issue-link job in issue-sync.yml — fixes HttpError: Resource not accessible by integration when searching for linked issues
  • Add issues: write to the code-review-monitoring job in code-review-monitoring.yml — fixes comment posting via github.rest.issues.createComment (PR comments use the issues API)

Root Cause

GitHub Actions' GITHUB_TOKEN defaults to restrictive permissions when permissions: is declared at the job level. The label-pr job only declared pull-requests: write, but gh label create and the GraphQL addLabelsToLabelable mutation require issues: write. Similarly, check-issue-link uses gh issue list which needs issues: read, and code-review-monitoring posts PR comments via the issues API.

Evidence

  • Run 22811519068 (batch4): Label step fails with addLabelsToLabelable: Resource not accessible by integration
  • Run 22811526019 (batch1): Comment step fails with HttpError: Resource not accessible by integration

Closes #3836

Summary by CodeRabbit

  • Chores
    • Updated CI/CD workflow permissions for internal automation processes.
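
The Root Cause section of the PR description turns on one rule: once a job declares permissions:, every scope the block omits is set to none. The following is an added example, not code from this repository, that applies that rule to a job definition and reports which of the calls named in the description would fail. The job dictionaries, step commands and function names are constructed for illustration; only the call-to-scope pairs come from the description.

```python
import re

# Token scope needed by each call named in the PR description (page-stated pairs only).
REQUIRED = {
    r"gh label create": ("issues", "write"),
    r"addLabelsToLabelable": ("issues", "write"),
    r"gh issue list": ("issues", "read"),
    r"issues\.createComment": ("issues", "write"),
}
LEVEL = {"none": 0, "read": 1, "write": 2}


def effective(declared, scope):
    """Level GITHUB_TOKEN gets for one scope under a job-level permissions block.

    Any scope the block omits is 'none'. Returns None when the job has no block,
    since the level then comes from workflow or repository settings.
    """
    if declared is None:
        return None
    return declared.get(scope, "none")


def missing_scopes(job):
    """Return sorted (scope, needed, granted) tuples for under-privileged calls."""
    text = "\n".join(s.get("run", "") + s.get("script", "") for s in job["steps"])
    gaps = set()
    for pattern, (scope, needed) in REQUIRED.items():
        granted = effective(job.get("permissions"), scope)
        if re.search(pattern, text) and granted is not None \
                and LEVEL[granted] < LEVEL[needed]:
            gaps.add((scope, needed, granted))
    return sorted(gaps)


# Constructed jobs modelled on the PR description, not the repository's YAML.
LABEL_PR_BEFORE = {
    "permissions": {"pull-requests": "write"},
    "steps": [{"run": "gh label create bug --force"},
              {"run": "gh api graphql -f query='mutation { addLabelsToLabelable(...) }'"}],
}
LABEL_PR_AFTER = dict(LABEL_PR_BEFORE, permissions={
    "pull-requests": "write", "issues": "write", "contents": "read"})
COMMENT_JOB_NO_BLOCK = {"steps": [{"script": "github.rest.issues.createComment({...})"}]}

if __name__ == "__main__":
    for name in ("LABEL_PR_BEFORE", "LABEL_PR_AFTER", "COMMENT_JOB_NO_BLOCK"):
        print(name, missing_scopes(globals()[name]))
```

Matching on step text is a heuristic: it only finds calls that appear literally in a run or script string, and a job with no permissions block is skipped because its token level is decided elsewhere.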

The label-pr and check-issue-link jobs in issue-sync.yml, and the
code-review-monitoring job, fail with 'Resource not accessible by
integration' because the GITHUB_TOKEN lacks issues:write (for label
creation and PR comments via the issues API) and contents:read.

- issue-sync.yml label-pr: add issues:write, contents:read
- issue-sync.yml check-issue-link: add issues:read, contents:read
- code-review-monitoring.yml: add issues:write

Closes #3836
@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@github-actions github-actions bot added the bug Auto-created from TODO.md tag label Mar 8, 2026
coderabbitai bot (Contributor) commented Mar 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 4a87b252-4f0a-43c5-b66b-2499b7b1b38a

📥 Commits

Reviewing files that changed from the base of the PR and between 339facd and 540d698.

📒 Files selected for processing (2)
  • .github/workflows/code-review-monitoring.yml
  • .github/workflows/issue-sync.yml

Walkthrough

Two GitHub Actions workflows receive permission updates: code-review-monitoring gains issues: write permission, while issue-sync gains contents: read and mixed issues permissions (read and write) across its jobs to resolve CI failures caused by insufficient token access.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Permissions: .github/workflows/code-review-monitoring.yml, .github/workflows/issue-sync.yml | Added missing permissions (issues: write, contents: read) to CI workflow jobs to resolve Resource not accessible by integration errors preventing label application and PR commenting operations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

✨ GitHub tokens were lacking the keys,
Permissions denied by default decree,
But now with issues: write in the air,
CI workflows bloom without a care! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The PR title accurately describes the main change: adding missing GITHUB_TOKEN permissions to CI workflows, which is the core objective.
Linked Issues check | ✅ Passed | The PR successfully implements all coding requirements from issue #3836: adds issues:write to code-review-monitoring, and adds issues:write and issues:read to appropriate jobs in issue-sync.yml.
Out of Scope Changes check | ✅ Passed | All changes are directly scoped to resolving issue #3836: only workflow permission declarations are modified with no unrelated alterations.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

github-actions bot commented Mar 8, 2026

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 125 code smells

[INFO] Recent monitoring activity:
Sun Mar 8 01:54:40 UTC 2026: Code review monitoring started
Sun Mar 8 01:54:40 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 125

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 125
  • VULNERABILITIES: 0

Generated on: Sun Mar 8 01:54:43 UTC 2026


Generated by AI DevOps Framework Code Review Monitoring

sonarqubecloud bot commented Mar 8, 2026

marcusquinn pushed a commit that referenced this pull request Mar 8, 2026
Merging: APPROVED (3 reviews), admin author. Failing CI checks (SonarCloud, Monitor & Auto-Fix, Label PR) are systemic issues tracked in #3836/#3837 with fixes in PRs #3838/#3839. Framework Validation, Codacy, and Socket checks all pass.
marcusquinn (Owner, Author) commented

@coderabbitai review

Review bots were rate-limited when this PR was created (affected: coderabbitai gemini-code-assist). Requesting a review retry.

@gemini-code-assist

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

coderabbitai bot (Contributor) commented Mar 8, 2026

@marcusquinn: Kicking off the review now! I'll analyse the permission fixes across issue-sync.yml and code-review-monitoring.yml and report back shortly. 🚀


🧠 Learnings used
Learnt from: marcusquinn
Repo: marcusquinn/aidevops PR: 0
File: :0-0
Timestamp: 2026-03-03T16:33:18.313Z
Learning: For the marcusquinn/aidevops repository: The daily quality sweep system (pulse-wrapper.sh) should only mention coderabbitai for full codebase review when there are significant changes (Quality Gate failure, +10 issues in one day, etc.), not on every automated sweep with stable metrics.
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@marcusquinn marcusquinn merged commit 22fd27c into main Mar 8, 2026
27 checks passed
@marcusquinn marcusquinn deleted the bugfix/ci-permissions branch March 8, 2026 04:46
marcusquinn pushed a commit to johnwaldo/aidevops that referenced this pull request Mar 8, 2026
…quinn#3829)

Merging: APPROVED (3 reviews), admin author. Failing CI checks (SonarCloud, Monitor & Auto-Fix, Label PR) are systemic issues tracked in marcusquinn#3836/marcusquinn#3837 with fixes in PRs marcusquinn#3838/marcusquinn#3839. Framework Validation, Codacy, and Socket checks all pass.
marcusquinn added a commit to johnwaldo/aidevops that referenced this pull request Mar 8, 2026
…n#3838)

Merging: green CI, APPROVED review. Fixes systemic CI permission issue (GH#3836).
Labels

bug Auto-created from TODO.md tag

Development

Successfully merging this pull request may close these issues.

systemic: CI workflows fail with 'Resource not accessible by integration' — GitHub token missing issues:write permission
