Fix /review trigger: gate JSON parse + reaction permission scope

trask · trask · commit cfd4ce95b29d · 2026-05-10T18:44:36.000-07:00
Two independent bugs prevented the PR review workflow from running on /review comments:

1. gate.py used gh_json() to fetch the commenter's permission level, but
   'gh api ... -q .permission' returns a bare token (e.g. 'admin'), not
   JSON. json.loads() raised JSONDecodeError, which was swallowed by the
   broad except and treated as 'no write access'. Every commenter,
   including admins, was rejected. Switched to gh() and compare the raw
   stdout instead.

2. The dispatch job declared 'issues: write' + 'pull-requests: read', but
   POSTing a reaction to a PR-issue comment requires 'pull-requests:
   write' on the GITHUB_TOKEN (the URL is /issues/comments/.../reactions,
   but the resource is a PR comment). The 'React eyes' step returned
   HTTP 403 'Resource not accessible by integration'. Swapped the
   scopes.
diff --git a/.github/scripts/pr-review/gate.py b/.github/scripts/pr-review/gate.py
@@ -20,7 +20,7 @@
 import sys
 from pathlib import Path
 
-from common import gh_json, progress
+from common import gh, gh_json, progress
 
 
 REVIEW_RE = re.compile(r"^/review(?:\s+(\S+))?\s*$")
@@ -72,13 +72,15 @@ def commenter_has_write_access(repo: str, login: str) -> bool:
     # on transient gh/API failures, which is the safer default for a gate
     # that controls whether the reviewer agent runs.
     try:
-        result = gh_json(
+        # `gh api ... -q .permission` returns a bare string (e.g. "admin"),
+        # not JSON, so we use `gh` directly and read stdout rather than
+        # `gh_json` (which would JSONDecodeError on the bare token).
+        result = gh(
             ["api", f"repos/{repo}/collaborators/{login}/permission", "-q", ".permission"],
         )
     except Exception:
         return False
-    # gh_json returns parsed JSON; with -q the output is a bare string.
-    return result in {"admin", "write"}
+    return result.stdout.strip() in {"admin", "write"}
 
 
 class SkipRun(Exception):
diff --git a/.github/workflows/pr-review.lock.yml b/.github/workflows/pr-review.lock.yml
diff --git a/.github/workflows/pr-review.md b/.github/workflows/pr-review.md
@@ -71,8 +71,8 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      pull-requests: read
-      issues: write  # for reactions on the triggering comment
+      pull-requests: write  # for reactions on the triggering PR comment
+      issues: read
     outputs:
       should_run: ${{ steps.gate.outputs.should_run }}
       pr_number: ${{ steps.gate.outputs.pr_number }}
