Skip to content

ci: add write permissions and fork-PR guard to pr-checks workflow #25

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
groupthinking merged 5 commits into from
Feb 7, 2026
Merged

ci: add write permissions and fork-PR guard to pr-checks workflow #25

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ee3d931
Initial plan
Copilot Feb 7, 2026
98552d9
ci: add permissions block to pr-checks.yml for PR comment access
Copilot Feb 7, 2026
b21f8e7
Update .github/workflows/pr-checks.yml
groupthinking Feb 7, 2026
3ded7e0
ci: guard PR comment for fork PRs and apply least-privilege permissions
Copilot Feb 7, 2026
3d55eab
Merge branch 'main' into copilot/fix-pr-checks-permissions
groupthinking Feb 7, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 15 additions & 7 deletions .github/workflows/pr-checks.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@ name: PR Checks
on:
pull_request:
types: [opened, reopened, synchronize, edited]
permissions:
issues: write
Comment on lines 2 to 6
Copy link

Copilot AI Feb 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even with explicit workflow permissions, pull_request workflows from forked repos still get a read-only GITHUB_TOKEN, so comment posting can continue to fail with Resource not accessible by integration. If you expect fork PRs, consider guarding the comment call (skip for forks) or moving to pull_request_target with appropriate hardening.

Copilot uses AI. Check for mistakes.
Copy link
Contributor Author

Copilot AI Feb 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a fork-PR guard in 3ded7e0 — the workflow now checks pr.head.repo.full_name === pr.base.repo.full_name before attempting to comment. Fork PRs skip the createComment call and instead log validation issues as warnings in the workflow output so authors can still see what needs fixing.

Comment on lines +5 to +6

This comment was marked as outdated.

Sign in to view

jobs:
validate:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -29,12 +31,18 @@ jobs:
}

if (issues.length > 0) {
const comment = `## 🔍 PR Validation\n\n${issues.join('\n')}`;
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
body: comment
});
// Fork PRs get a read-only GITHUB_TOKEN; skip commenting to avoid errors
if (pr.head.repo.full_name === pr.base.repo.full_name) {

This comment was marked as outdated.

Sign in to view

const comment = `## 🔍 PR Validation\n\n${issues.join('\n')}`;
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
body: comment
});
} else {
core.warning('Skipping PR comment for fork PR (read-only token)');
issues.forEach(issue => core.warning(issue));
}
core.setFailed('PR validation failed');
}
Loading