I did a recent post about deploying SWA with Bicep and another on advanced GitHub Actions workflows for SWA, but I noticed while doing it that when using PRs on the repo I was no longer getting the comment added to the PR telling me where the staging site lives. When it’s working correctly you’ll get a comment like this:
Instead, I’d get an error message in my logs:
Unexectedly failed to add GitHub comment.
This doesn’t give you a lot to go on to find the problem, so I reached out to the SWA engineering team to do some debugging and see if we could get to the bottom of it.
Permissions, permissions, permissions
As I mentioned in the deploying with Bicep post, you’ll need to authenticate against Azure, and I prefer the OpenID Connect (OIDC) approach. To do that you need to configure the permissions of the GITHUB_TOKEN to enable id-token: write.
And here’s where the GitHub SWA integration broke.
What I missed in the docs is that these are replacement permissions, not additive permissions: once you set the token permissions in the workflow, the token has only the permissions you listed, and every default permission you didn’t list is gone.
Don’t worry though, it’s an easy fix: add pull-requests: write to the token permissions and you’ll be good to go.
Check out this commit in my blog repo to see the changed permissions (I also moved the permissions to be set per job rather than per workflow).
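To make the fix concrete, here is an added example workflow (not the workflow from the post or from the blog repo) that logs in to Azure with OIDC and keeps the SWA action able to comment on PRs. The job name, secret names, app and output paths are placeholders; the action inputs shown are the ones I know those actions accept, and anything else is an assumption.

```yaml
# Added example, not the post's own workflow.
# Broken form for comparison: setting only the OIDC permission at workflow
# level replaces the defaults, so the token loses pull-requests access and the
# SWA action fails with "Unexpectedly failed to add GitHub comment":
#
#   permissions:
#     id-token: write
#
name: Deploy SWA

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# No workflow-level permissions block: each job declares exactly what it needs,
# which keeps the token scoped to the job that uses it.
jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # actions/checkout
      id-token: write       # request the OIDC token for azure/login
      pull-requests: write  # lets the SWA action post the staging-site comment
    steps:
      - uses: actions/checkout@v4

      - name: Azure login (OIDC, no stored credentials)
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}           # placeholder secret names
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Build and deploy
        uses: Azure/static-web-apps-deploy@v1
        with:
          azure_static_web_apps_api_token: ${{ secrets.AZURE_STATIC_WEB_APPS_API_TOKEN }}
          repo_token: ${{ secrets.GITHUB_TOKEN }}   # the token that writes the PR comment
          action: upload
          app_location: "/"        # placeholder paths
          output_location: "dist"
```

Putting the permissions block on the job rather than the workflow means a second job (say, one that only runs tests) doesn’t inherit pull-requests: write or id-token: write it has no use for.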
Summary
It’s a good idea to know what permissions are needed in the workflows and at what point they are needed, so you can maintain a policy of minimum trust in your deployments.
For SWA, you need to ensure you have pull-requests: write set on your GITHUB_TOKEN permissions if you’re modifying the permissions and still want the Action to add comments to PRs.