From 3bbf3b31dda983239599531dd850f224faa7706b Mon Sep 17 00:00:00 2001
From: "Deavon M. McCaffery"
Date: Mon, 29 Jun 2026 22:47:23 +0100
Subject: [PATCH] fix(merge): grant statuses:read for the legacy commit-status rollup

ff-merge's getChecks reads the head commit's status rollup from BOTH the Checks API (checks.listForRef) and the legacy commit-status API (repos.listCommitStatusesForRef). The earlier fix granted checks:read but not statuses:read, so once a token finally minted, gating 403'd on GET /commits/{ref}/statuses ("Resource not accessible by integration"). Add permission-statuses: read alongside permission-checks: read in every ff-merge token mint (all five jobs in merge.yaml plus dependabot-merge.yaml) and update the scope comments. The self-* callers inherit this via uses:. Requires the BitWise Fast-Forward Merge App to also be granted Commit statuses: Read-only, with the org installation approving the new scope.

Signed-off-by: Deavon M. McCaffery
---
 .github/workflows/dependabot-merge.yaml | 8 ++++---
 .github/workflows/merge.yaml | 32 +++++++++++++++----------
 2 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/dependabot-merge.yaml b/.github/workflows/dependabot-merge.yaml
index 4f9712f..3fe6efa 100644
--- a/.github/workflows/dependabot-merge.yaml
+++ b/.github/workflows/dependabot-merge.yaml
@@ -85,13 +85,15 @@ jobs:
 private-key: ${{ secrets.app-private-key }}
 # ff-merge moves the ref (contents) and reads/approves the PR (pull-requests),
 # needs workflows to move a ref whose commits touch .github/workflows/ files,
- # and reads the head commit's check-run rollup (checks); the approval
- # (minor/patch only) is the authorization gate, not maintainer-only, so no
- # administration scope is needed.
+ # and reads the head commit's status rollup — Checks-API check runs (checks)
+ # plus legacy commit statuses (statuses); the approval (minor/patch only) is
+ # the authorization gate, not maintainer-only, so no administration scope is
+ # needed.
 permission-contents: write
 permission-pull-requests: write
 permission-workflows: write
 permission-checks: read
+ permission-statuses: read

 - name: Resolve the Dependabot PR and assess the update policy
 id: assess
diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml
index adfc279..b496c92 100644
--- a/.github/workflows/merge.yaml
+++ b/.github/workflows/merge.yaml
@@ -122,13 +122,15 @@ jobs:
 # PR's linked issues (issues), moves a ref whose commits touch
 # .github/workflows/ files (workflows — GitHub rejects any ref update that
 # adds or edits a workflow file without it), and reads the head commit's
- # check-run rollup to confirm every required check is green (checks).
+ # status rollup to confirm every required check is green — Checks-API check
+ # runs (checks) plus legacy commit statuses (statuses).
 permission-contents: write
 permission-pull-requests: write
 permission-administration: read
 permission-workflows: write
 permission-issues: write
 permission-checks: read
+ permission-statuses: read

 - name: Fast-forward merge
 uses: bitwise-media-group/ff-merge@261714459a53c43ba032fe0e3a3e6f3ab8fd14de # v1.2.0
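Review bot: The rewritten scope comment explains why `statuses` is read but drops the deployment prerequisite the commit message spells out — that the App installation must be granted Commit statuses: Read-only before this mint may request `permission-statuses: read`; presumably the token-mint step, not ff-merge, is what fails if the org has not yet approved the added scope, which is a confusing place to hit it from inside the workflow. A single added comment line next to the input, e.g. `# statuses requires the App installation to hold "Commit statuses: Read-only"`, keeps that knowledge where the next maintainer will look. The same applies to the five merge.yaml mints in the hunks at 122, 168, 245, 317 and 425. The enclosing step's `with:` block starts above this hunk.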
@@ -168,13 +170,15 @@ jobs:
 # Labels and comments on the PR (pull-requests), closes the PR's linked
 # issues (issues), and moves the ref via the best-effort ff-merge (contents),
 # which also needs workflows when the merge touches .github/workflows/ files
- # and checks to read the head commit's check-run rollup; maintainer-only:false
- # here, so no administration scope is needed.
+ # and checks + statuses to read the head commit's status rollup (Checks-API
+ # check runs plus legacy commit statuses); maintainer-only:false here, so no
+ # administration scope is needed.
 permission-contents: write
 permission-pull-requests: write
 permission-workflows: write
 permission-issues: write
 permission-checks: read
+ permission-statuses: read

 - name: Ensure the auto-merge label is present
 env:
@@ -245,15 +249,16 @@ jobs:
 client-id: ${{ inputs.app-client-id }}
 private-key: ${{ secrets.app-private-key }}
 # ff-merge moves the ref (contents), reads the PR (pull-requests), closes the
- # PR's linked issues (issues), reads the head commit's check-run rollup
- # (checks), and needs workflows to move a ref whose commits touch
- # .github/workflows/ files; maintainer-only:false here, so no administration
- # scope is needed.
+ # PR's linked issues (issues), reads the head commit's status rollup — Checks-API
+ # check runs (checks) plus legacy commit statuses (statuses) — and needs workflows
+ # to move a ref whose commits touch .github/workflows/ files; maintainer-only:false
+ # here, so no administration scope is needed.
 permission-contents: write
 permission-pull-requests: write
 permission-workflows: write
 permission-issues: write
 permission-checks: read
+ permission-statuses: read

 - name: Resolve the open PR for this branch
 id: pr
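Review bot: The rewrapped comment lines in the hunk at 245 (`# PR's linked issues … — Checks-API`, `# check runs (checks) … and needs workflows`, `# to move a ref … maintainer-only:false`) appear to run noticeably past the width the other comment blocks in this change keep to, so this mint reads inconsistently with its siblings; the identical rewrap recurs in the hunk at 317. Re-wrapping them at the same width as the 122 and 425 hunks — for instance breaking after `status rollup —` and after `(statuses) — and` — would make all six scope comments uniform. The enclosing step's `with:` block starts above the hunk.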
@@ -317,15 +322,16 @@ jobs:
 client-id: ${{ inputs.app-client-id }}
 private-key: ${{ secrets.app-private-key }}
 # ff-merge moves the ref (contents), reads the PR (pull-requests), closes the
- # PR's linked issues (issues), reads the head commit's check-run rollup
- # (checks), and needs workflows to move a ref whose commits touch
- # .github/workflows/ files; maintainer-only:false here, so no administration
- # scope is needed.
+ # PR's linked issues (issues), reads the head commit's status rollup — Checks-API
+ # check runs (checks) plus legacy commit statuses (statuses) — and needs workflows
+ # to move a ref whose commits touch .github/workflows/ files; maintainer-only:false
+ # here, so no administration scope is needed.
 permission-contents: write
 permission-pull-requests: write
 permission-workflows: write
 permission-issues: write
 permission-checks: read
+ permission-statuses: read

 - name: Resolve the open PR for this branch
 id: pr
@@ -425,12 +431,14 @@ jobs:
 private-key: ${{ secrets.app-private-key }}
 # ff-merge closes the PR's linked issues (issues) on a successful sweep merge,
 # alongside the ref move (contents), the workflow-file allowance (workflows),
- # and reading the head commit's check-run rollup (checks).
+ # and reading the head commit's status rollup — Checks-API check runs (checks)
+ # plus legacy commit statuses (statuses).
 permission-contents: write
 permission-pull-requests: write
 permission-workflows: write
 permission-issues: write
 permission-checks: read
+ permission-statuses: read

 - name: Fast-forward merge
 # Best effort: ff-merge declines a PR that is not yet approved/green (expected