Add schemaCheck:approve to the organization access token ui #7773

Merged: n1ru4l merged 3 commits into main from org-token-schemaCheck-approve on Mar 5, 2026

@jdolle jdolle commented Mar 4, 2026 (Collaborator)

Background

Personal access tokens grant permission to schemaCheck:approve, but this option is not available to organization access tokens.

This permission is used on schema checks with the --forceSafe argument.

Description

Adds the permission.

@jdolle jdolle requested a review from n1ru4l March 4, 2026 22:23
@jdolle jdolle self-assigned this Mar 4, 2026
@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a functional gap by introducing the schemaCheck:approve permission for organization access tokens. Previously, this critical capability for approving schema checks was only available to personal access tokens. The change ensures that organization tokens can now be configured with the necessary permissions to manage schema checks, thereby enhancing flexibility and consistency in access control for automated processes.

Highlights

  • Organization Access Tokens: The schemaCheck:approve permission has been added to the list of available permissions for organization access tokens, aligning their capabilities with personal access tokens.
  • Schema Checks: This new permission allows organization access tokens to approve failed schema checks, particularly when using the --forceSafe argument in automated workflows.

Changelog

  • .changeset/fast-cities-serve.md
    • Added a new changeset entry documenting the addition of the schemaCheck:approve permission.
  • packages/services/api/src/modules/organization/lib/organization-access-token-permissions.ts
    • Introduced the schemaCheck:approve permission definition, including its ID, title, description, and dependency on project:describe.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request correctly adds the schemaCheck:approve permission to the available permissions for organization access tokens. My review includes a comment about adding an integration test to cover this new functionality, as per the repository's style guide.

Comment on lines +149 to +154
{
id: 'schemaCheck:approve',
title: 'Approve schema check',
description: 'Grant access to approve failed schema checks.',
dependsOn: 'project:describe',
},
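
Review bot: The `description` string on this entry ('Grant access to approve failed schema checks.') does not tell the person creating an organization access token what approval does to a check that failed. Since this text is what a token creator sees when choosing scopes, consider wording that states the effect, for example that the token holder can mark a failed schema check as approved, so the permission is only selected where that is intended.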

medium

While this correctly adds the schemaCheck:approve permission, this new functionality should be covered by an integration test. Please add a test to verify that a token with this permission can approve a failed schema check, and a token without it cannot. This is required by the repository's style guide for new functionality.

References
  1. Adding new functionality to the GraphQL API or another service should come with a set of integration tests within /integration-tests for testing that new component/functionality. (link)

@github-actions github-actions Bot commented Mar 4, 2026 (Contributor)

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

| Package | Version | Info |
| --- | --- | --- |
| @graphql-hive/apollo | 0.48.0-alpha-20260305100508-68481c1a0f538a007d2c67c59749e22c58fac4a8 | npm, unpkg |
| @graphql-hive/cli | 0.58.4-alpha-20260305100508-68481c1a0f538a007d2c67c59749e22c58fac4a8 | npm, unpkg |
| @graphql-hive/core | 0.21.0-alpha-20260305100508-68481c1a0f538a007d2c67c59749e22c58fac4a8 | npm, unpkg |
| @graphql-hive/envelop | 0.40.5-alpha-20260305100508-68481c1a0f538a007d2c67c59749e22c58fac4a8 | npm, unpkg |
| @graphql-hive/yoga | 0.48.0-alpha-20260305100508-68481c1a0f538a007d2c67c59749e22c58fac4a8 | npm, unpkg |
| hive | 9.6.0-alpha-20260305100508-68481c1a0f538a007d2c67c59749e22c58fac4a8 | npm, unpkg |

id: 'schemaCheck:approve',
title: 'Approve schema check',
description: 'Grant access to approve failed schema checks.',
dependsOn: 'project:describe',
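
Review bot: The `dependsOn: 'project:describe'` line carries no comment saying why approving a schema check needs `project:describe`, so a reader cannot tell whether the dependency is a real requirement or copied from another permission list. Either add a short comment naming what needs it, or drop the line so that a token created only to approve checks does not also have to hold `project:describe`.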

@jdolle jdolle Mar 4, 2026 (Collaborator, Author)

I'd like feedback on this--
I added the dependsOn to match the organization member permission UI, but admittedly I don't know why we have this dependsOn.

I assume because the resolvers make calls that require project:describe, but I'd be open to removing this restriction and adjusting the resolvers to avoid having permissions depend on other permissions.

Contributor reply:

The depends on is mostly for user permissions, so you do not assign manage project without project describe. We could drop the dependency here.

@github-actions github-actions Bot commented Mar 4, 2026 (Contributor)

🐋 This PR was built and pushed to the following Docker images:

Targets: build

Platforms: linux/amd64

Image Tag: 68481c1a0f538a007d2c67c59749e22c58fac4a8

@github-actions github-actions Bot commented Mar 4, 2026 (Contributor)

💻 Website Preview

The latest changes are available as preview in: https://pr-7773.hive-landing-page.pages.dev

@n1ru4l n1ru4l commented Mar 5, 2026 (Contributor)

Can access tokens approve schema changes today? Also Mutation.approveFailedSchemaCheck is not really part of the public GraphQL schema.

Okay..., nevermind, just realized we support approving failed schema checks via the CLI since #7193. 🤦

Okay, in that case this makes sense!

@n1ru4l n1ru4l left a comment

Good catch!

@n1ru4l n1ru4l enabled auto-merge (squash) March 5, 2026 10:03
@n1ru4l n1ru4l disabled auto-merge March 5, 2026 11:20
@n1ru4l n1ru4l merged commit e3532f2 into main Mar 5, 2026
48 of 51 checks passed
@n1ru4l n1ru4l deleted the org-token-schemaCheck-approve branch March 5, 2026 11:59
n1ru4l added a commit that referenced this pull request Apr 10, 2026
Co-authored-by: Laurin <laurinquast@googlemail.com>