Fix: Handle missing session token in checkRepoPermissions (webhook-safe fallback)

[issuetopr-dev]

Summary
When running the I2PR: Resolve Issue workflow via a GitHub webhook, checkRepoPermissions threw "Failed to check permissions: No session token found" because it relied solely on a user session (OAuth) path. In webhook/worker contexts there is no user session: we should rely on the GitHub App installation token instead.

Key changes

• Update lib/github/users.ts checkRepoPermissions to:
  • Prefer installation-based permission checks derived from the target repo (works without a user session).
  • Gracefully handle 404 (app not installed on repo) by returning canPush/canCreatePR = false with a reason message.
  • Fall back to the prior user-session-based approach (listUserAppRepositories) when installation checks are unavailable.
  • Avoid throwing for common cases; instead, return a RepoPermissions object with a descriptive reason.

Why this approach?

• Webhook-triggered workflows run server-side without a user session; using the installation associated with the repo is the correct source of truth.
• Returning structured RepoPermissions avoids exception control-flow for expected conditions (missing app install, insufficient scopes) and aligns with how callers consume the function.

Behavioral notes

• canPush is determined by installation permission contents === "write".
• canCreatePR is determined by installation permission pull_requests === "write".
• If installation check fails for non-404 reasons, we fall back to the previous user-based method; if both fail, we return a false/false result with a reason including the underlying error.

Impact

• Prevents the error "No session token found" when workflows run under GitHub App context (e.g., webhooks).
• Maintains compatibility with existing callers.

Tests and lint

• next lint passes locally.

Future work

• Consider converging the duplicated checkRepoPermissions implementation across lib/ and shared/.
• Optionally adopt a Result (Ok/Err) return type throughout workflows for even clearer error handling, as mentioned in the issue.

Closes #1304

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}