Fix /review trigger lock label permissions #35829
Allow the normal /review trigger job to use the same pull request write scope as the rerun job so it can apply the in-progress lock label before dispatching AzDO. Also surface the gh api error from label add failures so future permission regressions are diagnosable. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🚀 Dogfood this PR with:
curl -fsSL https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.sh | bash -s -- 35829
Or
iex "& { $(irm https://raw.githubusercontent.com/dotnet/maui/main/eng/scripts/get-maui-pr.ps1) } 35829"
PureWeen
left a comment
Adversarial code review — 3 independent reviewers in parallel, with consensus and empirical fact-checking of disputed claims.
Verdict
The PR does what it says: brings trigger-review's pull-requests: scope into parity with mark-rerun-ready so the Set review in-progress lock step can apply s/agent-review-in-progress, and surfaces the actual gh api failure body instead of returning a generic boolean. Permission change is correct (label endpoints on PRs require pull-requests: write; issues: write alone is not enough for PRs) and remains gated by the existing actor permission check (write/maintain/admin only on issue_comment).
One ⚠️ finding at Update-AgentLabels.ps1:143. It's a small bug in the new code that partially defeats the stated goal of logging the real gh api response; fixable in one line by switching to Out-String.
Findings
⚠️ Error Handling — Update-AgentLabels.ps1:143 — [string] cast on stderr ErrorRecord injects System.Management.Automation.RemoteException for blank stderr lines. Empirically verified locally with a 3-line stderr repro. 1/3 reviewers; included because the claim was confirmed by direct test (per skill rule 3d).
No ❌ blocking issues found.
Discarded (1/3, not confirmed)
- 💡 Update-AgentLabels.ps1:147 — Substring(0, 1000) could split a Unicode surrogate pair. Theoretical; gh api error bodies are essentially always ASCII JSON. Discarded.
- 💡 Update-AgentLabels.ps1:171 (Remove-Label) — silent error swallowing remains. Out of scope for this PR (line not in diff). Discarded.
- 💡 Update-AgentLabels.ps1:143 (forward-looking) — gh --verbose / GH_DEBUG could put auth headers into the error log. Not a defect today; gh api does not echo GH_TOKEN in default failure output. Discarded.
Permission widening (security-sensitive)
Reviewed under the 2/3 consensus rule. All three reviewers concluded the widening is safe: the Check actor permission step (lines 156–167) rejects anyone without write/maintain/admin before any label operation runs, and the sibling mark-rerun-ready job already has pull-requests: write. No privilege escalation introduced. ✅
Test coverage
No Pester test directly exercises Add-Label, so the ErrorRecord issue above would not be caught by Invoke-Pester .github/scripts -CI. The functional behavior (return value contract) is unchanged for all ~10 callers — none of them parse stdout — so the silent-success path is fine.
Prior reviews / threads
No prior human reviews on this PR. One auto-generated bot comment (dogfood instructions). No unresolved threads.
Methodology: 3 independent reviewers with adversarial consensus. Disputed 1/3 finding above was promoted after empirical verification rather than follow-up vote, since the underlying PowerShell stream-merging behavior is deterministic and locally testable.
Preserve native stderr text from gh api failures, including blank lines, instead of casting ErrorRecord values to strings. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
PureWeen
left a comment
Adversarial code review — round 2 (3 independent reviewers in parallel).
Verdict
No new findings. The round-2 commit (8736cbd7) correctly addresses the prior finding: ($output | Out-String).Trim() preserves native gh api stderr text — including blank lines — without injecting System.Management.Automation.RemoteException literals for empty ErrorRecords.
Empirically re-verified locally:
- Real 403 stderr (JSON body + blank line + HTTP summary) round-trips cleanly through Out-String. Out-String on native command output via 2>&1 does not wrap at 80 columns (250-char line stays 250 chars).
- Empty stderr → IsNullOrWhiteSpace correctly triggers the "gh api exited with code N." fallback.
- Boolean return contract preserved; $LASTEXITCODE captured before Out-String runs.
Permission widening (pull-requests: read → write) remains correct and gated by the existing actor permission check — re-confirmed against GitHub's published Actions permission model (PR-targeted operations via the /issues/{n}/labels endpoint require the pull-requests scope; issues: write alone is not enough for PRs).
Clean to merge from a code-review standpoint, pending maintainer sign-off and CI.
Methodology: 3/3 reviewer consensus, multi-round self-correction rule applied — no reviewer found grounds to revert the round-2 change.
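The ErrorRecord behaviour discussed in both review rounds above can be reproduced offline. The script below is an added example, not code from this PR or from dotnet/maui: it stands in for a failing gh api call with a child pwsh process that writes a constructed three-line stderr (JSON body, blank line, HTTP summary) and exits 1, then renders the captured records both ways, the round-1 [string] cast and the round-2 Out-String. The function names Invoke-FakeGhApi, ConvertTo-StderrTextByCast and ConvertTo-StderrTextByOutString are hypothetical. It assumes pwsh 7 on PATH and the default $ErrorActionPreference; under Windows PowerShell 5.1's NormalView the first record rendered by Out-String is expected to also carry its CategoryInfo block, so there the Out-String output is not the bare stderr text.

```powershell
# Added example (not dotnet/maui code). Reproduces the round-1 finding
# ([string] cast on native-stderr ErrorRecords) and the round-2 fix
# (Out-String) with a stand-in for `gh api`, so it runs offline.
# All function names here are hypothetical.

# Stand-in for a failing `gh api` call: a child pwsh writes a constructed
# JSON body, a blank line and an HTTP summary to stderr, then exits 1.
function Invoke-FakeGhApi {
    $script = @'
[Console]::Error.WriteLine('{"message":"Resource not accessible by integration","status":"403"}')
[Console]::Error.WriteLine('')
[Console]::Error.WriteLine('gh: HTTP 403 (https://api.github.com/repos/owner/repo/issues/1/labels)')
exit 1
'@
    $tmp = Join-Path ([IO.Path]::GetTempPath()) ("fake-gh-" + [guid]::NewGuid() + ".ps1")
    Set-Content -LiteralPath $tmp -Value $script -Encoding utf8
    try {
        # 2>&1 turns each native stderr line into an ErrorRecord wrapping a
        # RemoteException whose Message is that line (empty for the blank one).
        $output = & pwsh -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $tmp 2>&1
        $exitCode = $LASTEXITCODE   # read before any other command can overwrite it
        return [pscustomobject]@{ Output = $output; ExitCode = $exitCode }
    }
    finally {
        Remove-Item -LiteralPath $tmp -ErrorAction SilentlyContinue
    }
}

# Round-1 pattern: [string] cast per record. ErrorRecord.ToString() returns
# the exception message, but when that message is empty it falls back to
# Exception.ToString(), i.e. the literal type name
# "System.Management.Automation.RemoteException" for the blank line.
function ConvertTo-StderrTextByCast {
    param([object[]]$Records)
    return ($Records | ForEach-Object { [string]$_ }) -join "`n"
}

# Round-2 pattern: let the formatter render the records, then trim. Under
# pwsh 7 (ConciseView) each native-stderr record renders as its own text,
# so the blank line survives as a blank line.
function ConvertTo-StderrTextByOutString {
    param([object[]]$Records)
    return ($Records | Out-String).Trim()
}

$result = Invoke-FakeGhApi
$byCast = ConvertTo-StderrTextByCast -Records $result.Output
$byOut  = ConvertTo-StderrTextByOutString -Records $result.Output

"exit code: $($result.ExitCode)"
"--- [string] cast ---"
$byCast
"--- Out-String ---"
$byOut
"cast injected RemoteException literal: $($byCast -match 'RemoteException')"
"Out-String injected RemoteException literal: $($byOut -match 'RemoteException')"
```

The order in Invoke-FakeGhApi matters: $LASTEXITCODE is read immediately after the native call, before Out-String or anything else runs, which is the same capture order the round-2 review lists as preserved.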
Summary
- Grant the /review trigger job pull-requests: write, matching the rerun job, so it can apply the s/agent-review-in-progress lock label before dispatching the AzDO pipeline.
- Surface the actual gh api response when adding a label fails, instead of suppressing stderr and returning only a generic failure.
Why this broke
/review -b feature/enhanced-reviewer was still parsed correctly; the failure was introduced by a default-branch workflow change. The last successful trigger on PR #33365 ran on workflow SHA c389325e, before the Set review in-progress lock step existed. After main moved to dd5b6d2, the normal /review path started applying s/agent-review-in-progress before dispatching AzDO, but that job still only requested pull-requests: read.
The rerun path already requested pull-requests: write and could apply labels successfully. This PR aligns the normal /review path with that permission so the lock label can be applied and the AzDO pipeline dispatch can proceed.
Validation
- git diff --check
- .github/workflows/review-trigger.yml parsed with Ruby YAML
- gh success/failure checks for Add-Label
- Invoke-Pester .github/scripts -CI
- Invoke-Pester .github/skills -CI
Fixes
/review -b feature/enhanced-reviewer failing before AzDO dispatch at Set review in-progress lock.