I’ve been trying to set up a GitHub Actions workflow to label PRs using the gh CLI command. It wasn’t reporting any errors, but failed to apply the label to the PR.
The same command worked fine locally, so I used the DEBUG=api setting to compare the GraphQL requests and responses. Apart from the expected timestamp and rate limit differences, they were the same. The same requests are made, and they all pass with “200 OK”, but the mutation from the actions run had no effect.
Eventually I tracked it down to the permissions on the GITHUB_TOKEN. I was using:

    permissions:
      pull-requests: write

Changing that to the following fixed the issue:

    permissions:
      pull-requests: write
      contents: write

It seems that the GraphQL API has a hidden requirement for contents: write permission, which isn’t reported as an error when missing.
It’d be helpful if this was reported as an error, or even better if the requirement for contents: write could be removed.
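
A post-mutation check for the silent failure described above, as an added example that is not part of the original post: it applies the label with `gh pr edit`, reads the PR back with `gh pr view`, and fails the step if the label is missing. The function names are hypothetical, and it assumes `gh` is on the runner with `GH_TOKEN` set to the job's `GITHUB_TOKEN`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). The post reports that every
# request returned "200 OK" while the label was never applied, so the exit
# status of `gh pr edit` alone cannot be trusted: read the state back.
# Assumption: gh is installed and GH_TOKEN is exported for the step.

# label_present PR LABEL
# Exit 0 if LABEL is currently attached to the PR, non-zero otherwise.
label_present() {
  # --jq prints one label name per line; -F -x matches the whole line literally.
  gh pr view "$1" --json labels --jq '.labels[].name' | grep -Fxq -- "$2"
}

# apply_label_checked PR LABEL
# Exit 0 only if the label is verifiably on the PR afterwards.
# Exit 1 if gh itself reported an error, 2 if the call "succeeded" silently
# without effect (the case from the post).
apply_label_checked() {
  if ! gh pr edit "$1" --add-label "$2" >/dev/null; then
    echo "::error::gh pr edit failed for PR $1" >&2
    return 1
  fi
  if ! label_present "$1" "$2"; then
    # Workflow command syntax: surfaces as an error annotation on the run.
    echo "::error::label '$2' missing on PR $1 after a successful call; review the job's permissions block" >&2
    return 2
  fi
  return 0
}
```

Calling `apply_label_checked` from a `run:` step makes the job fail visibly when the token's permissions are too narrow for the mutation to take effect, so the scopes can be widened deliberately rather than discovered by accident.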