What happens
Review agent runs complete successfully, but post-review.sh fails to submit the formal GitHub review with:
Error: submitting review: create pull request review on #NNNN: github api: 422 Unprocessable Entity
This occurs when the PR author matches the GitHub Actions workflow identity. The agent completes all analysis, posts/updates comments, and minimizes stale reviews, but fails at final review submission.
Example failures across 9 days:
Root cause
PR #2389 moved token minting from workflows into the fullsend binary for sandbox use, removing REVIEW_TOKEN and REVIEW_GH_TOKEN from reusable-review.yml. However, post-review.sh still expects REVIEW_TOKEN:
# internal/scaffold/fullsend-repo/scripts/post-review.sh:21
: "${REVIEW_TOKEN:?REVIEW_TOKEN is required}"
When REVIEW_TOKEN is undefined, fullsend post-review falls back to GITHUB_TOKEN (default Actions token):
// internal/cli/postreview.go:65-66
if token == "" {
	token = os.Getenv("GITHUB_TOKEN")
}
GitHub's default GITHUB_TOKEN is scoped to the workflow initiator. When the PR author matches the workflow identity, GitHub API rejects the review submission with 422 (authors cannot review their own PRs).
What should happen
post-review.sh should use a minted token with pull-requests:write permission, not the default GITHUB_TOKEN. The token minting added in PR #2389 for sandbox use needs to extend to post-script forge operations.
Context
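The fallback described under "Root cause" can be surfaced and checked before the review is submitted, so the run fails with a clear message instead of a 422. This Go code is an added example, not code from the fullsend repository: `resolveReviewToken`, `preflightReview`, `ErrSelfReview` and the logins are hypothetical names, and it assumes the caller can obtain the login the token authenticates as.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrSelfReview signals that the token's identity is the PR author, the
// condition the issue associates with the 422 on review submission.
var ErrSelfReview = errors.New("token identity matches PR author")

// resolveReviewToken returns the token and the variable it came from, so a
// fallback to the default Actions token is visible to callers and logs.
func resolveReviewToken(getenv func(string) string) (token, source string, err error) {
	if t := getenv("REVIEW_TOKEN"); t != "" {
		return t, "REVIEW_TOKEN", nil
	}
	if t := getenv("GITHUB_TOKEN"); t != "" {
		return t, "GITHUB_TOKEN", nil
	}
	return "", "", errors.New("neither REVIEW_TOKEN nor GITHUB_TOKEN is set")
}

// preflightReview fails before the API call when the review would be rejected.
// tokenLogin is the account the token authenticates as; looking it up is left
// to the caller (assumption). Logins are compared case-insensitively.
func preflightReview(source, tokenLogin, prAuthor string) error {
	if strings.EqualFold(tokenLogin, prAuthor) {
		return fmt.Errorf("%w: %q via %s", ErrSelfReview, prAuthor, source)
	}
	return nil
}

func main() {
	// Constructed environment: REVIEW_TOKEN is absent, only the default token is set.
	env := map[string]string{"GITHUB_TOKEN": "placeholder-token"}
	_, source, _ := resolveReviewToken(func(k string) string { return env[k] })
	// Constructed logins for illustration only.
	fmt.Println(preflightReview(source, "example-bot", "Example-Bot"))
}
```

Logging the returned `source` on every run also makes a silent drop from `REVIEW_TOKEN` to `GITHUB_TOKEN` visible in the workflow output.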