Permissions issue: adding labels to PR fails silently

I’ve been trying to set up a GitHub Actions workflow to label PRs using the gh CLI command. It wasn’t reporting any errors, but failed to apply the label to the PR.

The same command worked fine locally, so I used the DEBUG=api setting to compare the GraphQL requests and responses. Apart from the expected timestamp and rate limit differences, they were the same. The same requests are made, and they all pass with “200 OK”, but the mutation from the actions run had no effect.

Eventually I tracked it down to the permissions on the GITHUB_TOKEN. I was using:

    permissions:
      pull-requests: write

Changing that to the following fixed the issue:

    permissions:
      pull-requests: write
      contents: write

It seems that the GraphQL API has a hidden requirement for contents: write permission, which isn’t reported as an error when missing.

It’d be helpful if this was reported as an error, or even better if the requirement for contents: write could be removed.
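
One way to surface the silent failure described above inside a workflow step is to apply the label and then read the PR's labels back, failing the step if the label is missing. This is an added example, not part of the original post; the helper name `add_label_verified` is hypothetical, and it assumes `gh` is installed and authenticated in the step (for example, `GH_TOKEN` set from the workflow's `GITHUB_TOKEN`).

```shell
#!/bin/sh
# Added example (not from the original post). add_label_verified is a
# hypothetical helper name. Assumes gh is installed and authenticated,
# e.g. GH_TOKEN set from the workflow's GITHUB_TOKEN.

# Usage: add_label_verified <pr-number-or-url> <label>
# Returns 0 if the label is on the PR afterwards,
#         1 if a gh call itself failed,
#         2 if gh reported success but the label is absent
#           (the silent-failure case from the post).
add_label_verified() {
    alv_pr=$1
    alv_label=$2

    # The mutation. In the reported case this exits 0 even though
    # nothing was changed, so its exit status alone proves nothing.
    gh pr edit "$alv_pr" --add-label "$alv_label" || return 1

    # Read the labels back, one name per line.
    alv_current=$(gh pr view "$alv_pr" --json labels --jq '.labels[].name') || return 1

    # -F fixed string, -x whole line (so "review" does not match
    # "needs-review"), -i so a casing difference between the requested
    # and stored name is not reported as a failure.
    if printf '%s\n' "$alv_current" | grep -Fxqi -- "$alv_label"; then
        return 0
    fi

    # Workflow command: shows up as an error annotation on the run.
    echo "::error::gh pr edit exited 0 but label '$alv_label' is not on PR $alv_pr; check the job's permissions block"
    return 2
}
```

Calling `add_label_verified "$PR_NUMBER" needs-review` as the last command of a `run:` step makes the job fail with an annotation instead of passing with no label applied.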