From 529716dcadb6b4873f1dac6ea02cb60acb064b6a Mon Sep 17 00:00:00 2001
From: Yuku Kotani
Date: Tue, 3 Jun 2025 23:39:27 +0900
Subject: [PATCH] feat: skip permission check for GitHub App bot users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GitHub Apps (users ending with [bot]) now bypass permission checks as they have their own authorization mechanism.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 src/github/validation/permissions.ts | 6 ++++++
 test/permissions.test.ts | 10 ++++++++++
 2 files changed, 16 insertions(+)

diff --git a/src/github/validation/permissions.ts b/src/github/validation/permissions.ts
index d34e396..e571e3a 100644
--- a/src/github/validation/permissions.ts
+++ b/src/github/validation/permissions.ts
@@ -17,6 +17,12 @@ export async function checkWritePermissions(
 try {
 core.info(`Checking permissions for actor: ${actor}`);
 
+ // Check if the actor is a GitHub App (bot user)
+ if (actor.endsWith("[bot]")) {
+ core.info(`Actor is a GitHub App: ${actor}`);
+ return true;
+ }
+
 // Check permissions directly using the permission endpoint
 const response = await octokit.repos.getCollaboratorPermissionLevel({
 owner: repository.owner,
diff --git a/test/permissions.test.ts b/test/permissions.test.ts
index 7471acb..c21c654 100644
--- a/test/permissions.test.ts
+++ b/test/permissions.test.ts
@@ -124,6 +124,16 @@ describe("checkWritePermissions", () => {
 );
 });
 
+ test("should return true for bot user", async () => {
+ const mockOctokit = createMockOctokit("none");
+ const context = createContext();
+ context.actor = "test-bot[bot]";
+
+ const result = await checkWritePermissions(mockOctokit, context);
+
+ expect(result).toBe(true);
+ });
+
 test("should throw error when permission check fails", async () => {
 const error = new Error("API error");
 const mockOctokit = {
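Review bot: The new `actor.endsWith("[bot]")` branch in `checkWritePermissions` returns `true` for every bot-suffixed actor, so the write-permission gate no longer applies to any GitHub App, including apps that hold no write access to this repository or that act on content supplied by unprivileged users. The commit message's premise that apps "have their own authorization mechanism" describes what an app may do on GitHub, not whether it should be trusted to trigger this action. I would limit the bypass to an explicit allowlist, for example `if (actor.endsWith("[bot]") && allowedBots.includes(actor)) {` where `allowedBots` is a placeholder for a new setting that is empty by default, and log the bypass with `core.warning` instead of `core.info` so it stands out in run logs. The function starts and ends outside this hunk, so how `actor` is derived is not visible here.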
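Review bot: The added test pins only the permissive path: `test-bot[bot]` is accepted even though the mock is built with `"none"`, and nothing exercises the boundary of the suffix match. Because this guards an authorization decision, I would add a negative case with a constructed name such as `context.actor = "test[bot]-user";` and expect the same outcome as any other actor with `none` permission. If the mock exposes call tracking (not visible here), also assert that the permission endpoint is not called on the bot path, so the bypass is explicit in the test. The enclosing `describe` block starts and ends outside this hunk.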