fix: add_comment silently skips when integration token can't write to discussions #39926

Merged: pelikhan merged 5 commits into main from copilot/investigate-fix-js-runtime-locks, Jun 18, 2026

Copilot AI commented Jun 18, 2026

Contributor

When add_comment targets a GitHub Discussion and the runner's GITHUB_TOKEN lacks discussions:write, the GraphQL mutation returns "Resource not accessible by integration". Previously this returned {success: false} — a hard failure that failed the entire safe-outputs job. It should be a skippable configuration mismatch, the same way resolve_pr_review_thread handles the identical error.

Changes

  • add_comment.cjs: Add isDiscussionIntegrationAccessError() that checks both the top-level error message and GraphQL errors[] array. In the discussion retry catch block, return {success: false, skipped: true} with a core.warning pointing to safe-outputs.add-comment.github-token rather than propagating a fatal failure.
  • add_comment.test.cjs: Two new tests — one for mutation error string, one for the GraphQL errors[] array variant.
  • safe_outputs_handlers.cjs: addCommentHandler now refuses calls that include reply_to_id (a discussion-only threading field) when discussions: true is not set in the safe-outputs.add-comment configuration. This gives the agent immediate, actionable feedback at MCP time before anything is written to NDJSON, rather than a late execution-phase failure.
  • safe_outputs_handlers.test.cjs: Two new tests covering the MCP-phase refusal (no discussions: true + reply_to_id → error with guidance) and the allowed path (discussions: true + reply_to_id → success).

```js
// Before: hard failure at execution time
core.error(`Failed to add comment to discussion: ${discussionErrorMessage}`);
return { success: false, error: discussionErrorMessage };

// After (execution phase): skipped with actionable warning
core.warning(`...configuration mismatch...Use safe-outputs.add-comment.github-token with discussions:write scope.`);
return { success: false, skipped: true, error: warningMessage };

// After (MCP phase): immediate refusal when reply_to_id targets a discussion
return buildIntentErrorResponse(
  "add_comment with reply_to_id targets a GitHub Discussion, but discussion comments are not enabled..."
);
```

Copilot AI and others added 3 commits June 18, 2026 00:06
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…skipped in add_comment

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
…mment

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "fix: treat "Resource not accessible by integration" for discussions as skipped in add_comment" to "fix: add_comment silently skips when integration token can't write to discussions" Jun 18, 2026
Copilot AI requested a review from pelikhan June 18, 2026 00:14
@pelikhan pelikhan marked this pull request as ready for review June 18, 2026 00:24
Copilot AI review requested due to automatic review settings June 18, 2026 00:24
@pelikhan

Collaborator

@copilot the safeoutputs MCP handler should refuse add comment to discussions when discussions are not enabled.

Copilot AI left a comment

Contributor

⚠️ Not ready to approve

It introduces a misleading sync/source-of-truth comment in actions/setup-cli/install.sh that contradicts the documented generation flow and should be corrected before merge.

Pull request overview

This PR adjusts the add_comment safe-output handler to treat a missing discussions:write permission (manifesting as “Resource not accessible by integration” from the Discussion GraphQL mutation) as a skippable configuration mismatch rather than a hard failure, aligning behavior with other handlers that skip on integration permission mismatches.

Changes:

  • Add isDiscussionIntegrationAccessError() to detect the integration access error via either the top-level error message or errors[] entries.
  • In the discussion fallback/retry path, emit an actionable core.warning and return { success: false, skipped: true } instead of failing the safe-outputs job.
  • Add tests covering both error-string and GraphQL errors[] variants of the integration access error.

File summaries

| File | Description |
| --- | --- |
| actions/setup/js/add_comment.cjs | Detects “Resource not accessible by integration” for discussion comment attempts and returns a skipped result with a configuration warning. |
| actions/setup/js/add_comment.test.cjs | Adds regression tests ensuring the discussion integration access error is treated as skipped (not fatal). |
| actions/setup-cli/install.sh | Updates the header sync comment (currently appears to be self-referential/misleading). |

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 1

Comment thread actions/setup-cli/install.sh Outdated
set +o histexpand

# Kept in sync with install-gh-aw.sh — edit that file, then copy to this path.
# Kept in sync with actions/setup-cli/install.sh — edit this file, then copy to that path.
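
Review bot: the header line ending "edit this file, then copy to that path" appears in a thread on actions/setup-cli/install.sh, the same path it names as the sync target, so in this copy "this file" and "that path" are one file and the instruction gives a maintainer nowhere to go. Name the source script explicitly in the comment so the sentence reads correctly both in the source and in the copy at this path.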
… in MCP handler

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jun 18, 2026

Contributor Author

> @copilot the safeoutputs MCP handler should refuse add comment to discussions when discussions are not enabled.

Done. The addCommentHandler in safe_outputs_handlers.cjs now checks the discussions config flag when reply_to_id is present (the only unambiguously discussion-specific field available at MCP time). If discussions: true is not set in safe-outputs.add-comment, the handler immediately returns an actionable error:

"add_comment with reply_to_id targets a GitHub Discussion, but discussion comments are not enabled for this workflow. Set 'discussions: true' in the workflow's safe-outputs.add-comment configuration to enable discussion comments and request discussions:write permission."

This prevents the entry from being written to NDJSON at all, so no silent skip or late execution failure occurs. Two new tests cover the refusal and the allowed path (commit fix: refuse add_comment with reply_to_id when discussions not enabled in MCP handler).
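
The two checks discussed in this thread, as an added JavaScript sketch that is not the PR's code. Only the name isDiscussionIntegrationAccessError, the reply_to_id field, the discussions config key and the {success, skipped, error} result shape come from the page; the function bodies, classifyDiscussionFailure, precheckAddComment and the sample errors are assumptions.

```javascript
// Added example, not the project's implementation.
const ACCESS_DENIED = "Resource not accessible by integration";

// True when the denial appears in the top-level message or in any entry of a
// GraphQL errors[] array (the two variants the PR's tests are said to cover).
function isDiscussionIntegrationAccessError(err) {
  if (!err) return false;
  const messages = [err.message];
  if (Array.isArray(err.errors)) {
    for (const e of err.errors) messages.push(e && e.message);
  }
  return messages.some(m => typeof m === "string" && m.includes(ACCESS_DENIED));
}

// Execution phase (hypothetical helper): only the permission mismatch is
// downgraded to "skipped"; any other discussion error stays a hard failure,
// so unrelated faults are not silently swallowed.
function classifyDiscussionFailure(err, warn) {
  const message = (err && err.message) || String(err);
  if (isDiscussionIntegrationAccessError(err)) {
    warn(`Skipping discussion comment (${message}). ` +
      "Use safe-outputs.add-comment.github-token with discussions:write scope.");
    return { success: false, skipped: true, error: message };
  }
  return { success: false, error: message };
}

// MCP phase (hypothetical helper): refuse before anything is recorded when
// reply_to_id, the discussion-only field, arrives without discussions: true.
function precheckAddComment(args, config) {
  const enabled = Boolean(config && config.discussions === true);
  if (args.reply_to_id !== undefined && !enabled) {
    return { ok: false, error: "discussion comments are not enabled; " +
      "set 'discussions: true' in safe-outputs.add-comment" };
  }
  return { ok: true };
}

// Constructed sample errors, one per variant plus an unrelated failure.
const topLevel = new Error("Resource not accessible by integration");
const graphqlStyle = Object.assign(new Error("GraphQL request failed"), {
  errors: [{ type: "FORBIDDEN", message: "Resource not accessible by integration" }],
});
const unrelated = new Error("Could not resolve to a Discussion");
```
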

@pelikhan

Collaborator

@copilot run pr-finisher skill

…up-cli/install.sh

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Copilot AI commented Jun 18, 2026

Contributor Author

> @copilot run pr-finisher skill

Done in 74c7169. Fixed the self-referential sync comment by updating install-gh-aw.sh (the source) to use the explicit filename: # Kept in sync with actions/setup-cli/install.sh — edit install-gh-aw.sh, then copy to that path. This reads correctly in both the source and the generated copy. make sync-action-scripts propagated the change to actions/setup-cli/install.sh.

@github-actions github-actions Bot mentioned this pull request Jun 18, 2026
@pelikhan pelikhan merged commit 24e6da8 into main Jun 18, 2026
42 checks passed
@pelikhan pelikhan deleted the copilot/investigate-fix-js-runtime-locks branch June 18, 2026 02:00