fix: address review feedback - assert warning in test and improve guidance in warning message

fix: skip CI MCP server installation when actions:read permission is missing
2026-02-11 19:03:11 +00:00 · 2026-02-11 18:54:39 +00:00
2 changed files with 56 additions and 17 deletions
--- a/src/mcp/install-mcp-server.ts
+++ b/src/mcp/install-mcp-server.ts
@ -177,25 +177,28 @@ export async function prepareMcpConfig(
      if (!actuallyHasPermission) {
        core.warning(
          "The github_ci MCP server requires 'actions: read' permission. " +
-            "Please ensure your GitHub token has this permission. " +
-            "See: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token",
+            "Skipping CI server installation. " +
+            "To enable CI status checks, add 'actions: read' to your workflow permissions " +
+            "and set 'additional_permissions: actions: read' in the action's with: inputs. " +
+            "See: https://github.com/anthropics/claude-code-action/blob/main/docs/configuration.md#additional-permissions-for-cicd-integration",
        );
+      } else {
+        baseMcpConfig.mcpServers.github_ci = {
+          command: "bun",
+          args: [
+            "run",
+            `${process.env.GITHUB_ACTION_PATH}/src/mcp/github-actions-server.ts`,
+          ],
+          env: {
+            // Use workflow github token, not app token
+            GITHUB_TOKEN: process.env.DEFAULT_WORKFLOW_TOKEN,
+            REPO_OWNER: owner,
+            REPO_NAME: repo,
+            PR_NUMBER: context.entityNumber?.toString() || "",
+            RUNNER_TEMP: process.env.RUNNER_TEMP || "/tmp",
+          },
+        };
      }
-      baseMcpConfig.mcpServers.github_ci = {
-        command: "bun",
-        args: [
-          "run",
-          `${process.env.GITHUB_ACTION_PATH}/src/mcp/github-actions-server.ts`,
-        ],
-        env: {
-          // Use workflow github token, not app token
-          GITHUB_TOKEN: process.env.DEFAULT_WORKFLOW_TOKEN,
-          REPO_OWNER: owner,
-          REPO_NAME: repo,
-          PR_NUMBER: context.entityNumber?.toString() || "",
-          RUNNER_TEMP: process.env.RUNNER_TEMP || "/tmp",
-        },
-      };
    }

    if (hasGitHubMcpTools) {
--- a/test/install-mcp-server.test.ts
+++ b/test/install-mcp-server.test.ts
@ -9,6 +9,7 @@ describe("prepareMcpConfig", () => {
  let consoleWarningSpy: any;
  let setFailedSpy: any;
  let processExitSpy: any;
+  let fetchSpy: any;

  // Create a mock context for tests
  const mockContext: ParsedGitHubContext = {
@ -66,6 +67,10 @@ describe("prepareMcpConfig", () => {
    processExitSpy = spyOn(process, "exit").mockImplementation(() => {
      throw new Error("Process exit");
    });
+    // Mock fetch so checkActionsReadPermission succeeds (returns 200 for actions API)
+    fetchSpy = spyOn(global, "fetch").mockResolvedValue(
+      new Response(JSON.stringify({ workflow_runs: [] }), { status: 200 }),
+    );

    // Set up required environment variables
    if (!process.env.GITHUB_ACTION_PATH) {
@ -78,6 +83,7 @@ describe("prepareMcpConfig", () => {
    consoleWarningSpy.mockRestore();
    setFailedSpy.mockRestore();
    processExitSpy.mockRestore();
+    fetchSpy.mockRestore();
  });

  test("should return comment server when commit signing is disabled", async () => {
@ -263,6 +269,36 @@ describe("prepareMcpConfig", () => {
    expect(parsed.mcpServers.github_ci).not.toBeDefined();
  });

+  test("should not include github_ci server when actions:read permission is missing", async () => {
+    process.env.DEFAULT_WORKFLOW_TOKEN = "workflow-token";
+    // Simulate 403 from actions API
+    fetchSpy.mockResolvedValue(
+      new Response(
+        JSON.stringify({ message: "Resource not accessible by integration" }),
+        { status: 403 },
+      ),
+    );
+
+    const result = await prepareMcpConfig({
+      githubToken: "test-token",
+      owner: "test-owner",
+      repo: "test-repo",
+      branch: "test-branch",
+      baseBranch: "main",
+      allowedTools: [],
+      mode: "tag",
+      context: mockPRContext,
+    });
+
+    const parsed = JSON.parse(result);
+    expect(parsed.mcpServers.github_ci).not.toBeDefined();
+    expect(consoleWarningSpy).toHaveBeenCalledWith(
+      expect.stringContaining("Skipping CI server installation"),
+    );
+
+    delete process.env.DEFAULT_WORKFLOW_TOKEN;
+  });
+
  test("should not include github_ci server when DEFAULT_WORKFLOW_TOKEN is missing", async () => {
    delete process.env.DEFAULT_WORKFLOW_TOKEN;
Author	SHA1	Message	Date
Octavian Guzu	66d04425ea	fix: address review feedback - assert warning in test and improve guidance in warning message	2026-02-11 19:03:11 +00:00
Octavian Guzu	a3fea12aea	fix: skip CI MCP server installation when actions:read permission is missing	2026-02-11 18:54:39 +00:00