Fix activation permissions for pull request reactions (#26720)

Copilot · web-flow · commit 61f3663d35c8 · 2026-04-16T13:34:52.000-07:00
diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml
diff --git a/pkg/workflow/activation_permissions_scope_test.go b/pkg/workflow/activation_permissions_scope_test.go
@@ -78,6 +78,37 @@ engine: copilot
 	assert.NotContains(t, activationJobSection, "discussions: write", "activation job should not include discussions: write for PR review comment reactions")
 }
 
+func TestActivationPermissionsPullRequestReactionRequiresPullRequestsWrite(t *testing.T) {
+	tmpDir := testutil.TempDir(t, "activation-perms-pull-request-reaction")
+	testFile := filepath.Join(tmpDir, "pull-request-reaction.md")
+	testContent := `---
+on:
+  reaction: eyes
+  status-comment: false
+  pull_request:
+    types: [opened]
+engine: copilot
+---
+
+# Pull request reaction permissions
+`
+
+	err := os.WriteFile(testFile, []byte(testContent), 0644)
+	require.NoError(t, err, "failed to write test workflow")
+
+	compiler := NewCompiler()
+	err = compiler.CompileWorkflow(testFile)
+	require.NoError(t, err, "failed to compile workflow")
+
+	lockContent, err := os.ReadFile(stringutil.MarkdownToLockFile(testFile))
+	require.NoError(t, err, "failed to read generated lock file")
+
+	activationJobSection := extractJobSection(string(lockContent), string(constants.ActivationJobName))
+	assert.Contains(t, activationJobSection, "issues: write", "activation job should include issues: write for pull_request reactions")
+	assert.Contains(t, activationJobSection, "pull-requests: write", "activation job should include pull-requests: write for pull_request reactions")
+	assert.NotContains(t, activationJobSection, "discussions: write", "activation job should not include discussions: write for pull_request reactions")
+}
+
 func TestActivationPermissionsReactionPullRequestsDisabled(t *testing.T) {
 	tmpDir := testutil.TempDir(t, "activation-perms-reaction-pr-disabled")
 	testFile := filepath.Join(tmpDir, "reaction-pr-disabled.md")
diff --git a/pkg/workflow/compiler_activation_job.go b/pkg/workflow/compiler_activation_job.go
@@ -744,17 +744,15 @@ func addActivationInteractionPermissionsMap(
 	hasDiscussionCommentEvent := eventSet["discussion_comment"]
 
 	if hasReaction {
-		// Reactions on issues, issue comments, and pull requests all use issues endpoints.
-		// Both issue and pull request reactions require issues:write because PR reactions
-		// are created via /issues/{number}/reactions.
+		// Reactions on issues, issue comments, and pull requests use issues endpoints.
 		needsIssuesWriteForIssueEvents := reactionIncludesIssues && (hasIssuesEvent || hasIssueCommentEvent)
 		needsIssuesWriteForPullRequestEvents := reactionIncludesPullRequests && hasPullRequestEvent
 		needsIssuesWriteForReaction := needsIssuesWriteForIssueEvents || needsIssuesWriteForPullRequestEvents
 		if needsIssuesWriteForReaction {
 			permsMap[PermissionIssues] = PermissionWrite
 		}
-		// Reactions on PR review comments use pull request review comment endpoints.
-		if reactionIncludesPullRequests && hasPullRequestReviewCommentEvent {
+		// Reactions on pull requests and PR review comments require pull-requests:write.
+		if reactionIncludesPullRequests && (hasPullRequestEvent || hasPullRequestReviewCommentEvent) {
 			permsMap[PermissionPullRequests] = PermissionWrite
 		}
 		// Reactions on discussions use GraphQL discussion APIs.
