Skip to content

fix: Add contents:write to Comet CI for release asset uploads#239

Merged
jfversluis merged 1 commit into
mainfrom
fix/comet-release-permissions
May 6, 2026
Merged

fix: Add contents:write to Comet CI for release asset uploads#239
jfversluis merged 1 commit into
mainfrom
fix/comet-release-permissions

Conversation

@jfversluis

Copy link
Copy Markdown
Member

Release asset uploads fail with 403 because the workflow lacks contents: write permission.

Copilot AI review requested due to automatic review settings May 6, 2026 11:59
@jfversluis

Copy link
Copy Markdown
Member Author

@copilot rebase this PR

Copilot AI commented May 6, 2026

Copy link
Copy Markdown
Contributor

@copilot rebase this PR

Done — rebased onto origin/main (commit 3a4b736). The already-merged fork-PR-fix commit was dropped automatically.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates GitHub Actions workflows to address permission-related 403 failures during GitHub release asset uploads and to avoid failing commit-status posting on fork PRs.

Changes:

  • Grants the Comet CI workflow contents: write permissions so gh release upload can attach .nupkg assets to published releases.
  • Skips the “Post evaluation commit status” step in the skill evaluation workflow when the PR comes from a fork (where GITHUB_TOKEN cannot write commit statuses).

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.

File Description
.github/workflows/skill-evaluation.yml Adds a fork-PR guard to avoid 403s when attempting to write commit statuses.
.github/workflows/ci-comet.yml Adds contents: write permissions to enable release asset uploads from the workflow.

Comment thread .github/workflows/skill-evaluation.yml
Comment thread .github/workflows/ci-comet.yml Outdated
@github-actions

github-actions Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

Expert Code Review — PR #239

Methodology: 3 independent reviewers with adversarial consensus

Result: 2 findings posted as inline comments (2 moderate)

CI Status

Check Status
pr-status ✅ success
check ✅ success
license/cla ✅ success
build (macOS) 🔄 in progress
build (Windows) 🔄 in progress

Test Coverage

This PR modifies only GitHub Actions workflow YAML files — no application code or tests are affected. No test changes are needed.

Discarded Findings

The following were flagged by a single reviewer but did not reach consensus:

  • skill-evaluation.yml:80 — Cosmetic env/run key reordering (1/3, observation only — reviewer explicitly noted no functional impact)
  • ci-comet.yml:55package job runs on all triggers unnecessarily (1/3, outside diff, 🟢 minor pre-existing issue)

Generated by Expert Code Review · 3 independent reviewers with adversarial consensus

Generated by Expert Code Review (auto) for issue #239 · ● 3.8M ·

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Expert Code Review: 2 findings posted inline. See the lean summary comment for full details.

Generated by Expert Code Review (auto) for issue #239 · ● 3.8M

Comment thread .github/workflows/ci-comet.yml Outdated
Comment thread .github/workflows/skill-evaluation.yml
@jfversluis jfversluis force-pushed the fix/comet-release-permissions branch from 3a4b736 to 157ddf6 Compare May 6, 2026 12:10
Scoped to the package job only (least-privilege). Build job
retains default read-only permissions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jfversluis jfversluis force-pushed the fix/comet-release-permissions branch from 157ddf6 to 10d3a0a Compare May 6, 2026 12:14
@jfversluis jfversluis merged commit 5bb7adf into main May 6, 2026
1 check passed
@jfversluis jfversluis deleted the fix/comet-release-permissions branch May 6, 2026 12:15
Copilot AI pushed a commit that referenced this pull request May 12, 2026
…239)

Scoped to the package job only (least-privilege). Build job
retains default read-only permissions.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: jfversluis <939291+jfversluis@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants