From ee3d931301d07adf54ad07f74bc598f20ba63d04 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 7 Feb 2026 06:41:04 +0000
Subject: [PATCH 1/4] Initial plan

From 98552d94578f4546a07b90be2e9b81b6aa9cdacc Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 7 Feb 2026 06:42:01 +0000
Subject: [PATCH 2/4] ci: add permissions block to pr-checks.yml for PR comment access

Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com>
---
 .github/workflows/pr-checks.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 03c5ca42..d3b7d730 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -2,6 +2,9 @@ name: PR Checks
 on:
   pull_request:
     types: [opened, reopened, synchronize, edited]
+permissions:
+  pull-requests: write
+  issues: write
 jobs:
   validate:
     runs-on: ubuntu-latest

From b21f8e79206f7746fc5912f645cf1c844659896b Mon Sep 17 00:00:00 2001
From: Hayden <154503486+groupthinking@users.noreply.github.com>
Date: Sat, 7 Feb 2026 02:14:10 -0600
Subject: [PATCH 3/4] Update .github/workflows/pr-checks.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 .github/workflows/pr-checks.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index d3b7d730..466f8018 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -3,7 +3,6 @@ on:
   pull_request:
     types: [opened, reopened, synchronize, edited]
 permissions:
-  pull-requests: write
   issues: write
 jobs:
   validate:

From 3ded7e0f03ffbca6e3889776d2035d9b62b95863 Mon Sep 17 00:00:00 2001
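Review bot: The workflow-level `permissions:` block added in the PATCH 2/4 hunk sets every scope it does not list to `none`, including `contents`, so any job in this file that checks out the repository or reads the PR head will lose that access; if such a step exists, the block needs `contents: read` alongside `issues: write`, and the PATCH 3/4 hunk, which trims the block to `issues: write` only, has the same gap. Only the first line of the `validate` job is visible in these hunks, so whether a checkout step is present has to be confirmed in the full file. Since the comment is posted from a single job, declaring the scopes under `jobs.validate.permissions` rather than at workflow level would keep any other jobs on the default token.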
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 7 Feb 2026 08:23:31 +0000
Subject: [PATCH 4/4] ci: guard PR comment for fork PRs and apply least-privilege permissions

Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com>
---
 .github/workflows/pr-checks.yml | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
index 466f8018..9abb9b83 100644
--- a/.github/workflows/pr-checks.yml
+++ b/.github/workflows/pr-checks.yml
@@ -31,12 +31,18 @@ jobs:
             }
 
             if (issues.length > 0) {
-              const comment = `## 🔍 PR Validation\n\n${issues.join('\n')}`;
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: pr.number,
-                body: comment
-              });
+              // Fork PRs get a read-only GITHUB_TOKEN; skip commenting to avoid errors
+              if (pr.head.repo.full_name === pr.base.repo.full_name) {
+                const comment = `## 🔍 PR Validation\n\n${issues.join('\n')}`;
+                await github.rest.issues.createComment({
+                  owner: context.repo.owner,
+                  repo: context.repo.repo,
+                  issue_number: pr.number,
+                  body: comment
+                });
+              } else {
+                core.warning('Skipping PR comment for fork PR (read-only token)');
+                issues.forEach(issue => core.warning(issue));
+              }
               core.setFailed('PR validation failed');
             }
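Review bot: The new same-repository check dereferences `pr.head.repo` unconditionally, but the pull-request API returns `head.repo` as `null` when the fork that opened the PR has since been deleted, so that line would throw a TypeError and abort the script before `core.setFailed` runs; `if (pr.head.repo?.full_name === pr.base.repo.full_name) {` routes that case to the warning branch instead. The check itself is the right signal: on `pull_request` a fork PR's GITHUB_TOKEN is read-only regardless of the workflow's `permissions` block, so the comment call cannot succeed there. `pr` is assigned outside this hunk, presumably from `context.payload.pull_request`, which should be confirmed; the enclosing script block starts before the hunk.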