diff --git a/.github/workflows/ai-review.yml b/.github/workflows/ai-review.yml index 28b41d1f..ed6d044d 100644 --- a/.github/workflows/ai-review.yml +++ b/.github/workflows/ai-review.yml @@ -48,6 +48,7 @@ jobs: with: app-id: ${{ secrets.CCS_REVIEWER_APP_ID }} private-key: ${{ secrets.CCS_REVIEWER_PRIVATE_KEY }} + permission-issues: write - name: Post /review command to the PR uses: actions/github-script@v7 @@ -111,6 +112,9 @@ jobs: with: app-id: ${{ secrets.CCS_REVIEWER_APP_ID }} private-key: ${{ secrets.CCS_REVIEWER_PRIVATE_KEY }} + permission-issues: write + permission-pull-requests: write + permission-contents: read - name: Run PR-Agent uses: qodo-ai/pr-agent@v0.34 diff --git a/tests/unit/scripts/github/ai-review-workflow.test.ts b/tests/unit/scripts/github/ai-review-workflow.test.ts index 017112db..e454aea8 100644 --- a/tests/unit/scripts/github/ai-review-workflow.test.ts +++ b/tests/unit/scripts/github/ai-review-workflow.test.ts @@ -44,6 +44,9 @@ describe('PR-Agent review lane migration', () => { expect(workflow).toContain('CCS_REVIEWER_APP_ID'); expect(workflow).toContain('CCS_REVIEWER_PRIVATE_KEY'); expect(workflow).toContain('id: pr-agent-app-token'); + expect(workflow).toContain('permission-issues: write'); + expect(workflow).toContain('permission-pull-requests: write'); + expect(workflow).toContain('permission-contents: read'); expect(workflow).toContain('GITHUB_TOKEN: ${{ steps.pr-agent-app-token.outputs.token }}'); expect(workflow).not.toContain('GITHUB_TOKEN: ${{ github.token }}'); expect(workflow).not.toContain('uses: anthropics/claude-code-action@v1');