Skip to content

fix(settings): require only pull_requests:read for PR comment/label output#434

Merged
JSONbored merged 2 commits into
JSONbored:mainfrom
philluiz2323:fix/settings-preview-pr-read-overprivilege
Jun 6, 2026
Merged

fix(settings): require only pull_requests:read for PR comment/label output#434
JSONbored merged 2 commits into
JSONbored:mainfrom
philluiz2323:fix/settings-preview-pr-read-overprivilege

Conversation

@philluiz2323
Copy link
Copy Markdown
Contributor

@philluiz2323 philluiz2323 commented Jun 6, 2026

Summary

src/signals/settings-preview.ts contradicted itself on the GitHub App permissions a repo needs to publish PR comments/labels. Two PRs reached opposite conclusions and both merged:

The result was a live self-contradiction:

  • buildWarnings: "Comments and labels use GitHub Issues endpoints and require GitHub App permission Issues: write".
  • requiredInstallPermissions: listed pull_requests: write for comment/label, with a comment claiming it "matches REQUIRED_INSTALLATION_PERMISSIONS" -- which now reads pull_requests: read, making the comment provably false.
  • activeMissingPermissions: flagged a missing pull_requests permission as a comment/label blocker.

So the maintainer permission checklist (installPreview.permissions.required/.missing) told maintainers to grant pull_requests: write -- a scope the app never uses -- re-introducing exactly the overprivilege #427 removed, and disagreeing with the same preview's warning text and the app's declared baseline. Closes #433.

Scope

  • src/signals/settings-preview.ts:
    • requiredInstallPermissions -- keep pull_requests: read as the baseline (no write upgrade); comment/label outputs add issues: write (unchanged). Replaced the now-false "gated on the Pull requests permission (write)" comment.
    • activeMissingPermissions -- drop the missing.has("pull_requests") check for comment/label output; keep the issues/checks checks, mirroring buildWarnings.
    • The three permission helpers in this file now agree, matching REQUIRED_INSTALLATION_PERMISSIONS (pull_requests: read) and fix(github-app): avoid PR write overprivilege #427.
  • test/unit/settings-preview.test.ts:
    • Healthy comment/label preview now asserts pull_requests: read (was write).
    • Fail-on-revert: an installation missing pull_requests but with issues: write granted lists pull_requests: read (not write) in required and is not flagged as missing pull_requests for comment/label output.

Validation

  • npx tsc --noEmit -- clean.
  • npx vitest run test/unit/settings-preview.test.ts test/integration/api.test.ts -- 48/48 (the fix(github-app): avoid PR write overprivilege #427 assertions of pull_requests: read now pass alongside these).
  • Full suite -- 1158 passed, 1 skipped (excluding the two unparseable upstream test files and one unrelated mcp-cli timeout that passes in isolation).
  • Branch coverage at/above the 97% gate.

Safety

  • No response-shape change: installPreview.permissions keeps the same fields; only the (now correct) pull_requests level changes, and only for comment/label-output previews.
  • Strictly reduces the permission ask (least privilege): maintainers are no longer told to grant PR write the app does not use.
  • Aligns settings-preview with the app's actual baseline and with fix(github-app): avoid PR write overprivilege #427's stated decision.

Notes

This reverts the source change from #420, which had landed after #427 and reached the opposite conclusion on the same question; #427's overprivilege decision is the authoritative one.

@philluiz2323 philluiz2323 requested a review from JSONbored as a code owner June 6, 2026 00:38
@dosubot dosubot Bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Jun 6, 2026
@github-actions github-actions Bot added the gittensor:bug Gittensor-scored bug fix label Jun 6, 2026
@gittensory
Copy link
Copy Markdown

gittensory Bot commented Jun 6, 2026
edited
Loading

Note

Gittensory Gate skipped

PR closed before full evaluation. No late first comment was created.

Signal Result Evidence Action
Gate result ⚠️ Skipped #434 is no longer open. No action.

Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.

@gittensory gittensory Bot added the gittensory:reviewed Gittensor contributor context label Jun 6, 2026
JSONbored
JSONbored approved these changes Jun 6, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@JSONbored JSONbored left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@philluiz2323 this is the right direction.

A few notes:

  • The preview now matches the intended app boundary: PR metadata is read, while comment/label output depends on Issues write.
  • The test update captures the exact permission split that regressed.
  • This resolves the #433 issue cleanly and avoids asking maintainers for broader PR-write scope than needed.
  • No code changes requested.

@dosubot dosubot Bot added the lgtm This PR has been approved by a maintainer label Jun 6, 2026
@JSONbored JSONbored merged commit 9ca54aa into JSONbored:main Jun 6, 2026
6 checks passed
@github-project-automation github-project-automation Bot moved this from Todo to Done in gittensory - v1 roadmap Jun 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JSONbored JSONbored JSONbored approved these changes

Assignees

@philluiz2323 philluiz2323

Labels

gittensor:bug Gittensor-scored bug fix gittensory:reviewed Gittensor contributor context lgtm This PR has been approved by a maintainer size:S This PR changes 10-29 lines, ignoring generated files.

Projects

gittensory - v1 roadmap
Status: Done

Milestone

No milestone

2 participants

@philluiz2323 @JSONbored