Handle resolve_pull_request_review_thread integration-token 403 as actionable soft-skip

[Copilot]

resolve_pull_request_review_thread was hard-failing safe outputs when GitHub GraphQL returned Resource not accessible by integration (seen in Smoke Claude) despite configured PR write permissions. This change downgrades that specific, known token/actor limitation to a non-fatal skip while preserving hard failures for unexpected errors.

• Handler behavior: targeted degradation only

  • Updated actions/setup/js/resolve_pr_review_thread.cjs to detect GraphQL integration-access errors (Resource not accessible by integration).
  • For this case only, returns a handler-level skip with an explicit configuration mismatch message and guidance to set safe-outputs.resolve-pull-request-review-thread.github-token.
  • All other GraphQL/API failures continue to fail normally.

• User-facing signal quality

  • The skip message is explicit and actionable, so the mismatch is visible in safe-output logs/summaries instead of failing the whole job without remediation context.

• Test coverage

  • Extended actions/setup/js/resolve_pr_review_thread.test.cjs with a dedicated case asserting soft-skip behavior for the integration-access error path.

• Documentation updates

  • Updated pull-request safe-output docs and safe-outputs spec docs to document this GitHub integration-token limitation and recommended token configuration for reliable thread resolution.

if (isIntegrationAccessError(error)) {
  return {
    success: false,
    skipped: true,
    error:
      "Skipping resolve_pull_request_review_thread ... configuration mismatch " +
      "(Resource not accessible by integration). " +
      "Use safe-outputs.resolve-pull-request-review-thread.github-token ...",
  };
}

[Copilot]

Pull request overview

Downgrades a specific GitHub GraphQL error (Resource not accessible by integration) from a hard failure to a soft-skip (with explicit, actionable warning) in the resolve_pull_request_review_thread safe-output handler, so that integration-token limitations no longer fail the entire safe-outputs job.

Changes:

• Added isIntegrationAccessError helper and wrapped the resolveReviewThreadAPI call in a try/catch that returns { success: false, skipped: true, error: <warning> } (and logs core.warning) for that specific error, re-throwing all others.
• Added a Jest test asserting the soft-skip behavior, message contents, and skipped: true.
• Documented the integration-token limitation and the safe-outputs.resolve-pull-request-review-thread.github-token remediation in both safe-output reference docs.

Show a summary per file

File	Description
actions/setup/js/resolve_pr_review_thread.cjs	Adds isIntegrationAccessError detector and soft-skip handling around the resolve mutation.
actions/setup/js/resolve_pr_review_thread.test.cjs	New test case covering the integration-access soft-skip path.
docs/src/content/docs/reference/safe-outputs-pull-requests.md	Adds note about the integration-token limitation and recommended token configuration.
docs/src/content/docs/reference/safe-outputs-specification.md	Notes the soft-skip behavior and token recommendation in the spec.
.github/workflows/smoke-otel-backends.lock.yml	Changes the Datadog MCP DD_APPLICATION_KEY HTTP header value to source from ${DD_APP_KEY}; appears unrelated to the PR purpose.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 5/5 changed files
• Comments generated: 1