fix(merge): grant statuses:read for the legacy commit-status rollup#27
Conversation
ff-merge's getChecks reads the head commit's status rollup from BOTH the
Checks API (checks.listForRef) and the legacy commit-status API
(repos.listCommitStatusesForRef). The earlier fix granted checks:read but
not statuses:read, so once a token finally minted, gating 403'd on
GET /commits/{ref}/statuses ("Resource not accessible by integration").
Add permission-statuses: read alongside permission-checks: read in every
ff-merge token mint (all five jobs in merge.yaml plus dependabot-merge.yaml)
and update the scope comments. The self-* callers inherit this via uses:.
Requires the BitWise Fast-Forward Merge App to also be granted
Commit statuses: Read-only, with the org installation approving the new scope.
Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
|
Note Merging this PR: this repository merges by fast-forward so every The branch must be up to date with |
|
/auto-merge |
|
Note Auto-merge armed. Once this PR is approved and every required check Remove the |
|
Cannot
|
|
Cannot
|
|
Fast-forwarded |
3bbf3b3
into
bitwise-media-group:main
ff-merge's getChecks reads the head commit's status rollup from BOTH the Checks API (checks.listForRef) and the legacy commit-status API (repos.listCommitStatusesForRef). The earlier fix granted checks:read but not statuses:read, so once a token finally minted, gating 403'd on GET /commits/{ref}/statuses ("Resource not accessible by integration").
Add permission-statuses: read alongside permission-checks: read in every ff-merge token mint (all five jobs in merge.yaml plus dependabot-merge.yaml) and update the scope comments. The self-* callers inherit this via uses:.
Requires the BitWise Fast-Forward Merge App to also be granted Commit statuses: Read-only, with the org installation approving the new scope.