Problem
All four scaffolded genesis workflows (`genesis-evolver.yml`, `genesis-orchestrator.yml`, `genesis-events.yml`, `genesis-merge.yml`) create GitHub App tokens via `actions/create-github-app-token@v3` but omit `permission-actions: read`.
Project hit: the-gigi/butterfly
Symptom: Every `gh run list` call from inside an agent returns `HTTP 403: Resource not accessible by integration`. This means:
- The evolver cannot read failed workflow runs as signals (one of its primary data sources)
- The auto-merge workflow cannot verify CI status via API
Discovery: The evolver's scheduled review cycle tried to run `gh run list --limit 20` and got 403 on every attempt.
Proposed fix
Add `permission-actions: read` to the `actions/create-github-app-token@v3` step in all four genesis workflow templates:

```yaml
- uses: actions/create-github-app-token@v3
  id: app-token
  with:
    app-id: ${{ secrets.GENESIS_APP_ID }}
    private-key: ${{ secrets.GENESIS_APP_PRIVATE_KEY }}
    permission-contents: write
    permission-issues: write
    permission-pull-requests: write
    permission-workflows: write
    permission-actions: read # ADD THIS
```
This is a minimal, safe change — read-only access to Actions is needed by any agent that monitors CI.
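To catch this class of omission before an agent hits the 403, a small lint over the workflow files is enough. The script below is an added example, not code from the genesis templates or the-gigi/butterfly; it scans `create-github-app-token` steps by indentation (no YAML library), assumes `with:` follows `uses:` inside the step, and runs against a constructed before/after copy of the scaffolded step.

```python
"""Lint GitHub Actions workflows for create-github-app-token steps that omit
permission-actions (added example, not from the genesis templates). Indentation-
based scan, no YAML library; assumes `with:` follows `uses:` inside the step."""
import re

USES_RE = re.compile(r"^(\s*)(-\s+)?uses:\s*actions/create-github-app-token@")
KV_RE = re.compile(r"^\s*([A-Za-z0-9_-]+):\s*(.*?)\s*(#.*)?$")  # key: value  # comment


def app_token_with_blocks(workflow_text: str) -> list[dict[str, str]]:
    """Return the `with:` mapping of every create-github-app-token step."""
    lines, blocks, i = workflow_text.splitlines(), [], 0
    while i < len(lines):
        m = USES_RE.match(lines[i])
        i += 1
        if not m:
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")  # column of step keys
        block, with_indent = {}, None
        while i < len(lines):
            line = lines[i]
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent < key_indent:
                break  # next list item, or end of the steps list
            kv = KV_RE.match(line)
            if kv and indent == key_indent:  # sibling of uses:; only with: matters
                with_indent = indent if kv.group(1) == "with" else None
            elif kv and with_indent is not None and indent > with_indent:
                block[kv.group(1)] = kv.group(2)
            i += 1
        blocks.append(block)
    return blocks


def missing_actions_permission(workflow_text: str) -> list[int]:
    """1-based indices of app-token steps whose with: lacks permission-actions."""
    return [n for n, b in enumerate(app_token_with_blocks(workflow_text), 1)
            if "permission-actions" not in b]


# Constructed sample: the scaffolded step before the fix; AFTER adds the one line.
BEFORE = """\
steps:
  - uses: actions/create-github-app-token@v3
    id: app-token
    with:
      app-id: ${{ secrets.GENESIS_APP_ID }}
      private-key: ${{ secrets.GENESIS_APP_PRIVATE_KEY }}
      permission-contents: write
      permission-workflows: write
  - run: gh run list --limit 20  # 403 with the token above
"""
AFTER = BEFORE.replace("workflows: write\n", "workflows: write\n      permission-actions: read\n")
```

`missing_actions_permission(BEFORE)` reports step 1; on `AFTER` it reports nothing. Run it over `.github/workflows/*.yml` in CI to keep the scaffold from regressing.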