Skip to content

[Code Quality] Add pre-flight token permission validation for safe output operations #12676

New issue
New issue
Open
Open
[Code Quality] Add pre-flight token permission validation for safe output operations#12676
Assignees
pelikhancopilot-swe-agent
Labels
automationcode-qualitycookieIssue Monster Loves Cookies!enhancementNew feature or requestsafe-outputstask-mining
@github-actions

Description

@github-actions
github-actions
bot
opened on Jan 30, 2026

Description

Safe output operations currently fail silently when GitHub tokens lack required permissions (e.g., issues: write for adding labels). Operations continue with warnings, but users don't get clear feedback about missing permissions until after execution begins. This leads to degraded functionality without clear root cause indication.

Problem

Current Behavior:

  • Safe output handler attempts operations
  • Permission failures result in warnings: ##[warning]Failed to add campaign label: Resource not accessible by personal access token
  • Operations complete "successfully" but with reduced functionality
  • Users must dig through logs to find permission issues

Example from Production:

  • 10 occurrences of campaign label permission failures in run §21496931510
  • Token GH_AW_PROJECT_GITHUB_TOKEN lacks issues: write permission
  • All update_project operations degraded silently

Impact

  • User Experience: Confusing silent failures
  • Debugging Time: Must read logs to identify permission issues
  • Operational Quality: Features disabled without clear indication
  • Error Messages: Not actionable until after partial execution

Suggested Changes

Add pre-flight permission validation in safe output handler manager:

Implementation Approach:

  1. Query GitHub API for token scopes/permissions before execution
  2. Compare against required permissions for planned operations
  3. Fail fast with clear error if permissions are insufficient
  4. Warn if optional permissions are missing (e.g., label management)

Required Permissions Map:

  • create_issue: issues: write
  • add_comment: issues: write or pull_requests: write
  • update_project: project: write, optionally issues: write for labels
  • create_pull_request: pull_requests: write, contents: write

Files Affected

Primary implementation:

  • actions/setup/js/safe_output_manager.cjs (or equivalent handler manager)
  • Add validatePermissions() function to check token scopes

Success Criteria

  • Pre-flight permission check queries token scopes via GitHub API
  • Clear error message if required permissions are missing
  • Warning (not error) if optional permissions are missing
  • Error message includes remediation steps (which scopes to add)
  • Unit tests cover permission validation logic
  • Integration test with token that lacks permissions

Source

Extracted from Safe Output Health Report - 2026-01-29

Finding: Error Cluster #1 - Campaign Label Permission Errors (10 occurrences)

Priority

Medium - Improves user experience and debuggability significantly, but current graceful degradation prevents critical failures.

Estimated Effort

2-4 hours (implementation + testing)

AI generated by Discussion Task Miner - Code Quality Improvement Agent

  • expires on Feb 13, 2026, 5:22 AM UTC

Metadata

Metadata

Assignees

Labels

automationcode-qualitycookieIssue Monster Loves Cookies!enhancementNew feature or requestsafe-outputstask-mining

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions