Fix PR verification agent: grant contents:write to push verification branches#141
Merged
Conversation
…branches
- Change permissions.contents from 'read' to 'write' so the agent can push verification samples to verification/pr-<N> branches
- Remove persist-credentials: false from checkout step so the GITHUB_TOKEN is available for git push
- Update security comment to document the new permission
Pull request overview
This PR fixes the PR verification agent workflow so it can push verification sample code to verification/pr-<N> branches. Previously, the workflow had contents: read permission and persist-credentials: false, which prevented git push operations. The fix aligns this workflow's permissions and checkout configuration with the existing daily-code-review.yaml workflow.
Changes:
- Elevated permissions.contents from read to write to allow pushing verification branches
- Removed persist-credentials: false from the checkout step so git retains the token for push operations
- Updated the security comment to document the contents: write permission and its purpose
sophiatev
approved these changes
Mar 6, 2026
Problem
The PR verification agent workflow cannot push verification sample code to verification/pr-<N> branches because the workflow's GITHUB_TOKEN only has contents: read permission. The agent gracefully handles this (includes the sample in the issue comment instead), but the push-to-branch feature doesn't work.
See failed push in run #22741312125 (line 377: "Push is denied (CI token lacks write access to push branches)").
Root Cause
Two issues in pr-verification.yaml:
1. permissions.contents is set to read — the token cannot push branches
2. persist-credentials: false on the checkout step strips the token from git config, so even with write permission, git push would fail
For comparison, the daily code review workflow (daily-code-review.yaml) has contents: write and no persist-credentials: false, which is why that agent can push branches successfully.
Fix
- Changed permissions.contents from read to write
- Removed persist-credentials: false from the checkout step
- Updated the security comment to document the new permission and why it's needed
Security Considerations
The workflow only runs on schedule and workflow_dispatch triggers (never on pull_request), so untrusted PR code cannot access the elevated token. Branch protections prevent direct pushes to main. The agent can only push to verification/pr-<N> branches.
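The permission and checkout changes from the Root Cause and Fix sections, shown together in a constructed workflow. This is an added illustration, not the repository's actual pr-verification.yaml; the job and step names, the cron schedule, the pr_number dispatch input, the samples/ path and the branch-name guard in the push step are assumptions.

```yaml
# Constructed illustration of the fixed workflow, not the repository's own pr-verification.yaml.
# Job/step names, the cron schedule, the pr_number input and the samples/ path are assumptions.
# Before the fix the same file had `contents: read` under permissions and
# `persist-credentials: false` on the checkout step; either one alone makes git push fail.

name: PR verification agent

on:
  schedule:
    - cron: "0 6 * * *"            # assumed schedule
  workflow_dispatch:
    inputs:
      pr_number:
        description: "PR number to verify"
        required: true
  # Deliberately no pull_request trigger: untrusted PR code never runs in a job
  # that holds this write-capable token.

permissions:
  # Required to push verification samples to verification/pr-<N> branches.
  # Branch protection still blocks direct pushes to main, so the blast radius
  # of this token is limited to those branches.
  contents: write

jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        # persist-credentials stays at its default (true), so GITHUB_TOKEN
        # remains in .git/config and the push step below can authenticate.

      - name: Push verification sample
        env:
          # Passed through env rather than interpolated into the script, so the
          # input cannot inject shell commands.
          PR_NUMBER: ${{ inputs.pr_number }}
        run: |
          BRANCH="verification/pr-${PR_NUMBER}"
          # Assumed guard: refuse any target that is not a verification/pr-<N> branch.
          case "$BRANCH" in verification/pr-[0-9]*) ;; *) echo "refusing $BRANCH"; exit 1 ;; esac
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -B "$BRANCH"
          git add samples/
          git commit -m "Add verification sample for PR #${PR_NUMBER}"
          git push --set-upstream origin "$BRANCH"
```

On a scheduled run the pr_number input is empty, so the guard exits before pushing; a real agent would have to determine the PR number itself in that case.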