From 9b8ac7e68360d5b75fea9fdb9b572549eb53b9aa Mon Sep 17 00:00:00 2001 From: Sam Crauwels Date: Sun, 19 Apr 2026 03:32:12 +0200 Subject: [PATCH] ci: grant consume workflow pull-requests scope The consume workflow has been failing on every run since it was added: removing a label from a PR needs pull-requests: write, not issues: write. The gh issue edit route worked against the Issues REST API because PRs share numbering, but authorization checked against the wrong scope and returned "Resource not accessible by integration". Swapping to gh pr edit with the correct permission fixes it. --- .github/workflows/consume_ci_run_label.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/consume_ci_run_label.yml b/.github/workflows/consume_ci_run_label.yml index 8c407c3..6864420 100644 --- a/.github/workflows/consume_ci_run_label.yml +++ b/.github/workflows/consume_ci_run_label.yml @@ -6,7 +6,7 @@ on: permissions: contents: read - issues: write + pull-requests: write jobs: consume: @@ -17,4 +17,4 @@ jobs: env: GH_TOKEN: ${{ github.token }} PR_NUMBER: ${{ github.event.pull_request.number }} - run: gh issue edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --remove-label "ci:run" + run: gh pr edit "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --remove-label "ci:run"