The Issue
Last week I noticed that the staging URL that is normally output as a comment was missing from new GitHub PRs. Previously, this URL was added automatically by the Azure/static-web-apps-deploy GitHub Action for PRs in our Hugo-based websites.
After a bit of digging, I noticed a warning message in the logs of the Action that said:
    …
    Done Zipping App Artifacts
    Uploading build artifacts.
    Finished Upload. Polling on deployment.
    Status: InProgress. Time: 0.178533(s)
    Status: Succeeded. Time: 15.3731517(s)
    Deployment Complete :)
    Visit your site at: https://white-glacier-0d2380f03-300.westeurope.2.azurestaticapps.net
    Unexectedly failed to add GitHub comment.
    Thanks for using Azure Static Web Apps!
    Exiting
The Solution
Initially I thought the problem might be a change in functionality of the Azure/static-web-apps-deploy action. However, it turns out it has not altered since May 2021.
So next I tried to add my own PR comment using the actions/github-script action:
    - uses: actions/github-script@v6
      if: github.event_name == 'pull_request'
      with:
        script: |
          github.rest.issues.createComment({
            issue_number: context.issue.number,
            owner: context.repo.owner,
            repo: context.repo.repo,
            body: 'Azure Static Web Apps: Your staging site is ready at: ${{ steps.builddeploy.outputs.static_web_app_url }}'
          })
This failed with a 403 error, so I realised my problem was missing permissions. So I added a permissions block to the job:
    jobs:
      build_and_deploy_job:
        if: github.event_name == 'schedule' || github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action != 'closed')
        runs-on: ubuntu-latest
        permissions:
          contents: read # This is required to read the repo
          pull-requests: write # This is required to comment on the PR
        ...
Note: As soon as you set any permissions you have to set all the ones you need, as setting a permission removes the defaults. So in this case, if you just set the pull-requests: write permission but not the contents: read permission, the workflow would not be able to clone the repo.
This worked, but then it occurred to me, was the original error just permissions related?
So I removed the actions/github-script action but left the permissions block and, as I hoped, the staging URL appeared in the PR comment.
So my assumption is that default permissions have recently changed. It just shows it is always a good idea to be explicit with permissions in your GitHub Actions workflows.
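
A way to check workflows for the two situations described above, as an added example that is not part of the original post: it flags jobs that have no permissions block at all and jobs whose block leaves out contents. It uses a minimal indentation-based reader rather than a full YAML parser, and the job ids comment_only_job and legacy_job in the sample are hypothetical.

```python
import re

def parse_permissions(text):
    """Map each job id (None = workflow level) to its permissions dict, or None."""
    perms, stack = {}, []               # stack: (indent, key) path to current line
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()              # drop trailing comments
        m = re.match(r"([\w-]+):\s*(.*)$", line.strip())
        if not m:
            continue                                    # blank lines, list items
        indent, (key, value) = len(line) - len(line.lstrip()), m.groups()
        stack = [(i, k) for i, k in stack if i < indent] + [(indent, key)]
        path = [k for _, k in stack]
        owner = path[1] if path[0] == "jobs" and len(path) > 1 else None
        rest = path[2:] if owner else path
        if owner and not rest:
            perms.setdefault(owner, None)               # job seen, no block yet
        elif rest == ["permissions"]:                   # block or shorthand value
            perms[owner] = {"*": value} if value else {}
        elif len(rest) == 2 and rest[0] == "permissions":
            perms[owner][rest[1]] = value               # one scope in the block
    return perms

def audit(text):
    """Return {job: finding} for jobs with implicit or incomplete token scopes."""
    perms = parse_permissions(text)
    workflow, findings = perms.pop(None, None), {}
    for job, scopes in perms.items():
        scopes = workflow if scopes is None else scopes  # job block overrides
        if scopes is None:
            findings[job] = "no permissions block: scopes follow the default"
        elif (scopes.get("*") not in ("read-all", "write-all")
              and scopes.get("contents", "none") == "none"):
            findings[job] = "contents not granted: unlisted scopes are removed"
    return findings

# Constructed sample; the last two job ids are hypothetical.
SAMPLE = """\
jobs:
  build_and_deploy_job:
    permissions:
      contents: read
      pull-requests: write
  comment_only_job:
    permissions:
      pull-requests: write
  legacy_job:
    runs-on: ubuntu-latest
"""
print(audit(SAMPLE))
```

A job that never checks out the repo can legitimately omit contents, so treat the second finding as a prompt to confirm rather than an error.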