ci: tolerate restricted GITHUB_TOKEN in tool authoring guidance

cameroncooke · cameroncooke · commit bfcff145193e · 2026-04-26T20:39:30.000+01:00
When org policy caps GITHUB_TOKEN to read-only, posting a PR comment
returns 403 and fails the check. Fall back to writing the reminder to
the job summary so the check passes and contributors still see the
guidance in the run output.
diff --git a/.github/workflows/tool-authoring-guidance.yml b/.github/workflows/tool-authoring-guidance.yml
@@ -93,19 +93,40 @@ jobs:
               .map((line) => line.trimStart())
               .join('\n');
 
-            if (existingComment) {
-              await github.rest.issues.updateComment({
-                owner,
-                repo,
-                comment_id: existingComment.id,
-                body: normalizedBody,
-              });
-              return;
+            async function writeJobSummary(reason) {
+              const summaryPath = process.env.GITHUB_STEP_SUMMARY;
+              if (!summaryPath) return;
+              const fs = require('fs');
+              const note = reason
+                ? `> Could not post PR comment (${reason}). Showing reminder here instead.\n\n`
+                : '';
+              fs.appendFileSync(summaryPath, `${note}${normalizedBody}\n`);
             }
 
-            await github.rest.issues.createComment({
-              owner,
-              repo,
-              issue_number: pull_number,
-              body: normalizedBody,
-            });
+            try {
+              if (existingComment) {
+                await github.rest.issues.updateComment({
+                  owner,
+                  repo,
+                  comment_id: existingComment.id,
+                  body: normalizedBody,
+                });
+              } else {
+                await github.rest.issues.createComment({
+                  owner,
+                  repo,
+                  issue_number: pull_number,
+                  body: normalizedBody,
+                });
+              }
+              await writeJobSummary(null);
+            } catch (error) {
+              if (error.status === 403) {
+                core.warning(
+                  'GITHUB_TOKEN lacks issues:write permission; posting reminder to the job summary instead of a PR comment.',
+                );
+                await writeJobSummary('token lacks issues:write');
+                return;
+              }
+              throw error;
+            }
