Skip to content

Review agent missed vouch-check missing issues: write permission (caught by qodo) #46

Description

@fullsend-ai-retro

What happened

On PR #32 (#32), the vouch-check workflow calls github.rest.issues.createComment() to post an explanatory comment when closing an unvouched contributor's PR. However, the workflow's permissions block only declares contents: read and pull-requests: write, omitting issues: write. This means the comment step will fail at runtime with a 403 error, leaving closed PRs with no explanation.

The qodo-code-review bot correctly identified this bug as finding #2 ("vouch-check lacks issues: write"), classifying it as a correctness issue. The fullsend-ai-review bot did not identify this finding despite reviewing the same workflow file and even noting other permission issues (unnecessary actions: write in stale.yml, unnecessary contents: read in vouch-check). The fullsend agent evaluated vouch-check permissions and found one expansion (contents: read) but missed the missing permission that would cause a runtime failure.

What could go better

The fullsend review agent's permission analysis was one-directional: it checked for unnecessary permissions (over-privileged) but did not verify that declared permissions satisfy all API calls in the code (under-privileged). The agent flagged contents: read as unused but failed to verify that issues: write was needed for createComment(). This is a consumer-producer analysis gap — the agent checked the permission manifest (producer) in isolation without cross-referencing it against the GitHub API calls (consumers) in the script.

Confidence: Medium. It's possible the review agent did consider this but rated it below threshold, or that the correctness sub-agent deprioritized it. However, the finding is absent from both the structured findings and the summary narrative, suggesting it was genuinely missed rather than filtered.

Proposed change

In the correctness sub-agent's review guidance (skills/pr-review/sub-agents/correctness.md or the code-review skill), add explicit instruction to verify API call permissions bidirectionally:

  1. When reviewing GitHub Actions workflow files that use actions/github-script or direct API calls:

    • Check for over-privilege: Flag declared permissions not required by any API call (existing behavior).
    • Check for under-privilege: For each github.rest.* call in the script, verify the corresponding permission scope is declared. Common mappings: issues.createCommentissues: write, pulls.updatepull-requests: write, repos.getContentcontents: read.
  2. Add this as an anchoring example in the permission review guidance: "A workflow declaring pull-requests: write but calling github.rest.issues.createComment() without issues: write will fail at runtime with HTTP 403."

Validation criteria

  1. Re-run the review agent on PR docs: add CLAUDE.md, COMMITS.md, CONTRIBUTING.md, LICENSE, and repo workflows #32's diff (commit 7e7509f). The review should include a finding about the missing issues: write permission in vouch-check.yml in at least 3 out of 5 trials.
  2. On a test PR with a correctly-permissioned workflow (all API calls covered by declared permissions), the review agent should not produce false-positive permission findings.
  3. The review agent's permission analysis covers both directions: over-privilege (unnecessary permissions) and under-privilege (missing permissions for API calls).

Generated by retro agent from #32

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions