@@ -142,20 +142,33 @@ jobs:
142142 name : pr-triage-work-gradle
143143 path : ${{ runner.temp }}/gradle-in
144144
145- - name : Run copilot-phase worker
145+ - name : Run copilot-phase worker (review)
146+ if : needs.authorize-command.outputs.command == 'review'
146147 env :
148+ # GITHUB_TOKEN is also set so Copilot CLI's `gh` subprocesses use the
149+ # read-only job token rather than falling back to the privileged
150+ # COPILOT_GITHUB_TOKEN. Copilot CLI scrubs both names from the
151+ # environment of the children it spawns.
147152 GH_TOKEN : ${{ github.token }}
148153 COPILOT_GITHUB_TOKEN : ${{ secrets.COPILOT_GITHUB_TOKEN }}
149154 PR_TRIAGE_REPO_ROOT : ${{ github.workspace }}
150155 run : |
151156 mkdir -p "$RUNNER_TEMP/work"
152157 touch "$RUNNER_TEMP/work/.placeholder"
153- IN_DIR_ARG=""
154- if [[ "${{ needs.authorize-command.outputs.command }}" == "fix" ]]; then
155- IN_DIR_ARG="--in-dir $RUNNER_TEMP/gradle-in"
156- fi
157- # shellcheck disable=SC2086
158- python3 "$RUNNER_TEMP/pr-triage-trusted/worker_copilot.py" --out-dir "$RUNNER_TEMP/work" $IN_DIR_ARG
158+ python3 "$RUNNER_TEMP/pr-triage-trusted/worker_copilot.py" --out-dir "$RUNNER_TEMP/work"
159+
160+ - name : Run copilot-phase worker (fix)
161+ if : needs.authorize-command.outputs.command == 'fix'
162+ env :
163+ GH_TOKEN : ${{ github.token }}
164+ COPILOT_GITHUB_TOKEN : ${{ secrets.COPILOT_GITHUB_TOKEN }}
165+ PR_TRIAGE_REPO_ROOT : ${{ github.workspace }}
166+ run : |
167+ mkdir -p "$RUNNER_TEMP/work"
168+ touch "$RUNNER_TEMP/work/.placeholder"
169+ python3 "$RUNNER_TEMP/pr-triage-trusted/worker_copilot.py" \
170+ --out-dir "$RUNNER_TEMP/work" \
171+ --in-dir "$RUNNER_TEMP/gradle-in"
159172
160173 - name : Upload copilot work bundle
161174 if : always()
@@ -180,6 +193,7 @@ jobs:
180193 permissions :
181194 contents : read
182195 pull-requests : write
196+ actions : write
183197 env :
184198 PR_NUMBER : ${{ github.event.issue.number }}
185199 steps :
@@ -220,4 +234,3 @@ jobs:
220234 GH_TOKEN : ${{ steps.otelbot-token.outputs.token }}
221235 PR_TRIAGE_REPO_ROOT : ${{ github.workspace }}
222236 run : python3 "$RUNNER_TEMP/pr-triage-trusted/poster.py" --in-dir "$RUNNER_TEMP/work"
223-
0 commit comments