fix: handle non-user actors (e.g. Copilot) in permission and actor checks #1144
Open
krislavten wants to merge 1 commit into anthropics:main from
…ecks

GitHub Apps like Copilot SWE Agent set GITHUB_ACTOR to a value (e.g. "Copilot") that is neither a valid GitHub user nor ends with "[bot]". This caused two independent crashes:

1. checkWritePermissions (permissions.ts): called the collaborator permission API which returns 404 "is not a user" for non-user actors.
2. checkHumanActor (actor.ts): called the Users API first, which 404s, before ever reaching the allowed_bots check.

Fix both by:

- Checking allowed_bots BEFORE making API calls, so known bots skip the API entirely.
- In permissions.ts, catching "is not a user" 404 errors and falling back to the allowed_bots list instead of crashing.
- In actor.ts, catching 404 errors and providing a clear error message telling the user to add the bot to allowed_bots.

Closes anthropics#900, anthropics#903, anthropics#1018, anthropics#1133

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary

GitHub Apps like Copilot SWE Agent set GITHUB_ACTOR to a value (e.g. "Copilot") that is neither a valid GitHub user nor ends with [bot]. This causes two independent crashes in the action:

- checkWritePermissions (permissions.ts): calls the collaborator permission API → 404 "Copilot is not a user"
- checkHumanActor (actor.ts): calls octokit.users.getByUsername() → 404 before reaching the allowed_bots check

Root Cause

Both functions assume the actor is either a real GitHub user or a [bot]-suffixed app. Some GitHub Apps (Copilot, and potentially future ones) use a plain name as GITHUB_ACTOR that doesn't match either pattern.

Fix

permissions.ts:

- allowed_bots before calling the collaborator API, so known bots skip the API entirely
- "is not a user" 404 errors and fall back to allowed_bots check instead of crashing

actor.ts:

- allowed_bots check before the octokit.users.getByUsername() call
- allowed_bots

Tests

Added 11 new test cases covering:

- [bot] actor in allowed_bots list (both pre-API and 404 fallback paths)
- * for non-[bot] actors
- [bot] actor NOT in allowed_bots (returns false / clear error message)

All 664 existing tests continue to pass.

Closes

- checkHumanActor fails with 404 before checking allowed_bots
- checkWritePermissions fails with 404 for non-user actors like Copilot
- #1018 — checkWritePermissions fails with 404 for non-user actors
- allowed_bots bypasses actor check but not permission check

Related

- permissions.ts but not actor.ts)

🤖 Generated with Claude Code
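The check ordering described above (allowlist first, then the API, with the "is not a user" 404 handled as a denial rather than a crash), as an added TypeScript sketch that is not code from this pull request. The function names, the comma-separated allowed_bots format, case-insensitive matching, and the synchronous stub standing in for the collaborator permission API are all assumptions.

```typescript
// Added illustration: names and the comma-separated allowed_bots format are assumptions.
type Permission = "admin" | "write" | "read" | "none";
// Stand-in for the collaborator permission API (the real call is asynchronous).
type PermissionLookup = (actor: string) => Permission;

function isAllowedBot(actor: string, allowedBots: string): boolean {
  const entries = allowedBots
    .split(",")
    .map((e) => e.trim().toLowerCase())
    .filter((e) => e.length > 0);
  return entries.indexOf("*") !== -1 || entries.indexOf(actor.toLowerCase()) !== -1;
}

// True only for the API's 404 "<actor> is not a user" response shape.
function isNotAUser404(err: unknown): boolean {
  if (typeof err !== "object" || err === null) return false;
  const e = err as { status?: unknown; message?: unknown };
  return e.status === 404 && typeof e.message === "string" &&
    e.message.indexOf("is not a user") !== -1;
}

function hasWriteAccess(actor: string, allowedBots: string, lookup: PermissionLookup): boolean {
  // 1. Allowlisted actors return before any API call is made.
  if (isAllowedBot(actor, allowedBots)) return true;
  try {
    const level = lookup(actor);
    return level === "admin" || level === "write";
  } catch (err) {
    // 2. Non-user actor that step 1 already found absent from the allowlist: deny.
    if (isNotAUser404(err)) return false;
    // 3. Any other failure (rate limit, 5xx, auth) still surfaces as an error.
    throw err;
  }
}

// Constructed stub: "Copilot" is not a user, "maintainer" can write, others can only read.
let apiCalls = 0;
function stubLookup(actor: string): Permission {
  apiCalls += 1;
  if (actor === "Copilot") throw { status: 404, message: "Copilot is not a user" };
  return actor === "maintainer" ? "write" : "read";
}
```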