Skip to content

ci-pr-health.yml failing daily: cleanup-labels gets 403 on PR labels (needs pull-requests: write) #4887

Description

@claude

Symptom

.github/workflows/ci-pr-health.yml has failed on every run since at least 2026-04-22 (today is 2026-05-11). Each failure auto-files a fresh "System wellness check failing" ticket — recent: QUA-1119 (2026-05-10), #4544, #4542, #4491, #4477, #4469.

Root cause (likely)

In the PR & issue quality step, crux health check --cleanup-labels tries to remove the pr-patrol:working label from old PRs and gets:

WARN  #4880 — failed to remove label: GitHub API DELETE
/repos/quantified-uncertainty/longterm-wiki/issues/4880/labels/pr-patrol%3Aworking
returned 403: {"message":"Resource not accessible by integration", ...}

#4880 etc. are PRs. The workflow's permissions block currently grants:

permissions:
  issues: write
  actions: read
  pull-requests: read

GitHub's labels endpoint shares the /issues/{n}/labels/ path for both issues and PRs, but the GitHub Actions integration enforces pull-requests: write for label mutations on PRs. With pull-requests: read, the call returns 403 → the check exits 1 → the workflow fails → a new wellness ticket is filed.

Proposed fix

Change line 42 of .github/workflows/ci-pr-health.yml:

   permissions:
     issues: write
     actions: read
-    pull-requests: read
+    pull-requests: write

Why I'm filing instead of patching

The maintenance bot tried to push this fix and was rejected:

! [remote rejected] ... (refusing to allow a GitHub App to create or update
  workflow `.github/workflows/ci-pr-health.yml` without `workflows` permission)

The Claude Code GitHub App token lacks workflows scope, so a human (or a workflow with the right token) needs to apply this 1-line change. Same blocker would apply to any agent-authored workflow patch — worth noting for future maintenance sweeps.

Verification after the fix

Next scheduled run of ci-pr-health.yml (8:10 UTC twice daily). The WARN lines should disappear and the workflow should pass green. If still 403, the actual problem may be in the GitHub App's installation permissions rather than the workflow permissions block — escalate by checking the repo's GitHub Actions token permissions in repo settings.

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions