fix: add error handling for GITHUB_TOKEN permissions in pull request comments (#106)

joshjohanning · web-flow · commit 9f6a20aaed62 · 2025-11-07T14:18:30.000-06:00
diff --git a/__tests__/index.test.js b/__tests__/index.test.js
@@ -1511,4 +1511,53 @@ describe('Azure DevOps Commit Validator', () => {
       expect(commentCall.body).toContain('`AB#55555555` (in PR title/body)');
     });
   });
+
+  describe('GitHub token permissions', () => {
+    it('should provide helpful error message when GITHUB_TOKEN lacks pull-requests write permission', async () => {
+      // Mock PR data
+      mockContext.payload.pull_request = {
+        number: 123
+      };
+
+      // Mock commits without AB# pattern
+      mockOctokit.paginate.mockResolvedValueOnce([
+        {
+          sha: 'abc1234567890',
+          commit: { message: 'Fix bug without work item' }
+        }
+      ]);
+
+      // Mock listComments to succeed
+      mockOctokit.paginate.mockResolvedValueOnce([]);
+
+      // Mock createComment to fail with 403 permission error
+      const permissionError = new Error('Resource not accessible by integration');
+      permissionError.status = 403;
+      mockOctokit.rest.issues.createComment.mockRejectedValueOnce(permissionError);
+
+      // Mock inputs
+      mockGetInput.mockImplementation(input => {
+        const inputs = {
+          'check-commits': 'true',
+          'check-pull-request': 'false',
+          'fail-if-missing-workitem-commit-link': 'true',
+          'link-commits-to-pull-request': 'false',
+          'comment-on-failure': 'true',
+          'validate-work-item-exists': 'false',
+          'github-token': 'fake-token',
+          'azure-devops-token': '',
+          'azure-devops-organization': ''
+        };
+        return inputs[input] || '';
+      });
+
+      await run();
+
+      // Should set a helpful error message about missing permissions
+      expect(mockSetFailed).toHaveBeenCalledWith(expect.stringContaining('pull-requests: write'));
+      expect(mockSetFailed).toHaveBeenCalledWith(
+        expect.stringContaining('GITHUB_TOKEN does not have sufficient permissions')
+      );
+    });
+  });
 });
diff --git a/badges/coverage.svg b/badges/coverage.svg
@@ -1 +1 @@
-<svg xmlns="http://www.w3.org/2000/svg" width="98" height="20" role="img" aria-label="Coverage: 80%"><title>Coverage: 80%</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="98" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="63" height="20" fill="#333"/><rect x="63" width="35" height="20" fill="#a0a127"/><rect width="98" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="325" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="530">Coverage</text><text x="325" y="140" transform="scale(.1)" fill="#fff" textLength="530">Coverage</text><text aria-hidden="true" x="795" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="250">80%</text><text x="795" y="140" transform="scale(.1)" fill="#fff" textLength="250">80%</text></g></svg>
+<svg xmlns="http://www.w3.org/2000/svg" width="116" height="20" role="img" aria-label="Coverage: 79.93%"><title>Coverage: 79.93%</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="116" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="63" height="20" fill="#333"/><rect x="63" width="53" height="20" fill="#cba317"/><rect width="116" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="325" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="530">Coverage</text><text x="325" y="140" transform="scale(.1)" fill="#fff" textLength="530">Coverage</text><text aria-hidden="true" x="885" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="430">79.93%</text><text x="885" y="140" transform="scale(.1)" fill="#fff" textLength="430">79.93%</text></g></svg>
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "azure-devops-work-item-link-enforcer-and-linker",
-  "version": "3.0.0",
+  "version": "3.0.1",
   "private": true,
   "type": "module",
   "description": "GitHub Action to enforce that each commit in a pull request be linked to an Azure DevOps work item and automatically link the pull request to each work item ",
diff --git a/src/index.js b/src/index.js
@@ -509,34 +509,46 @@ async function addOrUpdateComment(octokit, context, pullNumber, commentBody, sea
   const commentExtra = `\n<details>\n<summary>Workflow run details</summary>\n\n[View workflow run](${context.payload.repository?.html_url}/actions/runs/${context.runId}) - _Last ran: ${currentDateTime} UTC_\n</details>`;
   const commentCombined = commentBody + commentExtra;
 
-  // Get all comments
-  const comments = await octokit.paginate(octokit.rest.issues.listComments, {
-    owner,
-    repo,
-    issue_number: pullNumber
-  });
-
-  // Find existing comment
-  const existingComment = comments.find(comment => comment.body?.includes(searchText));
-
-  if (existingComment) {
-    console.log(`Comment already exists: ${existingComment.id}`);
-    console.log('... attempting to update the PR comment');
-    await octokit.rest.issues.updateComment({
-      owner,
-      repo,
-      comment_id: existingComment.id,
-      body: commentCombined
-    });
-    console.log('... PR comment updated');
-  } else {
-    console.log('Comment does not exist. Posting a new comment.');
-    await octokit.rest.issues.createComment({
+  try {
+    // Get all comments
+    const comments = await octokit.paginate(octokit.rest.issues.listComments, {
       owner,
       repo,
-      issue_number: pullNumber,
-      body: commentCombined
+      issue_number: pullNumber
     });
+
+    // Find existing comment
+    const existingComment = comments.find(comment => comment.body?.includes(searchText));
+
+    if (existingComment) {
+      console.log(`Comment already exists: ${existingComment.id}`);
+      console.log('... attempting to update the PR comment');
+      await octokit.rest.issues.updateComment({
+        owner,
+        repo,
+        comment_id: existingComment.id,
+        body: commentCombined
+      });
+      console.log('... PR comment updated');
+    } else {
+      console.log('Comment does not exist. Posting a new comment.');
+      await octokit.rest.issues.createComment({
+        owner,
+        repo,
+        issue_number: pullNumber,
+        body: commentCombined
+      });
+    }
+  } catch (error) {
+    if (error.status === 403 && error.message.includes('Resource not accessible by integration')) {
+      core.setFailed(
+        'Unable to comment on pull request. The GITHUB_TOKEN does not have sufficient permissions. ' +
+          'Please add "pull-requests: write" permission to your workflow. ' +
+          'See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token'
+      );
+    } else {
+      throw error;
+    }
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "azure-devops-work-item-link-enforcer-and-linker",`
`3`		`- "version": "3.0.0",`
	`3`	`+ "version": "3.0.1",`
`4`	`4`	`"private": true,`
`5`	`5`	`"type": "module",`
`6`	`6`	`"description": "GitHub Action to enforce that each commit in a pull request be linked to an Azure DevOps work item and automatically link the pull request to each work item ",`