Branch deployment workflow in GitHub encounters 403 errors when trying to read/write comments in PRs

[garethbrickman]

Users can encounter the below permissions errors in their GitHub Actions when the Dagster+ branch deployment workflow attempts to read/write comments in PRs:

github.GithubException.GithubException: 403 {"message": "Resource not accessible by integration", "documentation­_url": "­https://docs.github.com/rest/pulls/pulls#get-a-pull-request", "status": "403"}
Ignoring failure to update PR comment: None

Update PR comment for branch deployments
Run dagster-io/dagster-cloud-action/actions/utils/dagster-cloud-cli@v0.1
Run $GITHUB_ACTION_PATH/../../../generated/gha/dagster-cloud_cli.entrypoint ci notify --project-dir=.
ERROR:root:Ignoring error when updating PR comment
Traceback (most recent call last):
  File "/root/.pex/venvs/60f1e3de0b33b7668ad1f122d3fc825a9db5134f/056935c5e2abad6e48be9133450f333ffdb9ea2d/lib/python3.8/site-packages/dagster_cloud_cli/core/pex_builder/github_context.py", line 95, in update_pr_comment
    pr = repo.pull_request(int(self.pull_request_id))
  File "/root/.pex/venvs/60f1e3de0b33b7668ad1f122d3fc825a9db5134f/056935c5e2abad6e48be9133450f333ffdb9ea2d/lib/python3.8/site-packages/github3/repos/repo.py", line 2420, in pull_request
    json = self._json(self._get(url), 200)
  File "/root/.pex/venvs/60f1e3de0b33b7668ad1f122d3fc825a9db5134f/056935c5e2abad6e48be9133450f333ffdb9ea2d/lib/python3.8/site-packages/github3/models.py", line 161, in _json
    raise exceptions.error_for(response)
github3.exceptions.ForbiddenError: 403 Resource not accessible by integration

[garethbrickman]

These can be due to a permissions issue that the Dagster Cloud GitHub app integration has when it's operating within a repo that has Organization scopes rather than an individual user's repo scope where its default permissions seem to work out-of-the-box.

A solution is to specify the granular permissions within the GitHub Action workflow file:

permissions:
  pull-requests: write
  contents: read