fix(ci): allow fork PRs to post DB entity comments

[xsahil03x]

Summary

check_db_entities was failing on fork PRs (e.g. #2700 run) with:

RequestError [HttpError]: Resource not accessible by integration
POST https://api.github.com/repos/GetStream/stream-chat-flutter/issues/{n}/comments
status: 403

on: pull_request from a fork gives GITHUB_TOKEN read-only perms, so peter-evans/create-or-update-comment can't POST.

Changes

• on: pull_request → on: pull_request_target so the bot gets a write token regardless of PR origin.
• Concurrency key now includes the PR number (${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}). Under pull_request_target, github.ref is the base branch, so the previous key would have collapsed all PRs targeting the same base into one concurrency group and cancelled each other.
• Add a workflow-level permissions: block scoped to contents: read + pull-requests: write.
• Fetch the PR head SHA and switch from git diff-index (working tree vs. base) to git diff base...pr_head (between refs). Needed because pull_request_target checks out the base branch by default; using diff-between-refs also means PR-controlled file contents never reach a working tree under the privileged token, so smudge filters / hooks / scripts in the PR can't execute.

Security notes

• No PR-supplied code runs: just git fetch, git diff --name-only, grep, and two API-only JS actions.
• ${{ steps.check_entities.outputs.modified_files }} is interpolated into the comment body (not a shell step), so attacker-crafted filenames can only produce odd markdown, not RCE.
• Write token scoped to a single permission (pull-requests: write) — leaked token can only post PR comments.

Test plan

• Land this on master. (Note: pull_request_target always uses the base-branch copy of the workflow, so the fix is only verifiable on the next fork PR after merge.)
• On a fork PR that touches packages/stream_chat_persistence/lib/src/entity/*.dart, the bot posts/updates the "Database Entity Files Modified" comment.
• On a fork PR that doesn't touch entity files, the job exits success without commenting.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Improved CI checks for detecting persistence/entity changes in pull requests, reducing redundant runs and providing faster, more accurate feedback.

---

Note: This release contains only internal infrastructure improvements with no visible changes to end-user functionality.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Workflow trigger changed to pull_request_target, workflow permissions set to contents: read, issues: write, and pull-requests: write. The job computes PR_HEAD_SHA, fetches it as a ref without checking out, diffs origin/$BASE_BRANCH...$PR_HEAD_SHA for packages/stream_chat_persistence/lib/src/entity/*.dart, and writes modified *.dart paths or exits early.

Changes

Pull Request Target Security Hardening

Layer / File(s)	Summary
Trigger and permissions hardening .github/workflows/check_db_entities.yml	Workflow trigger changed from pull_request to pull_request_target, concurrency grouped by PR number (with github.ref fallback), and workflow-level permissions set to contents: read, issues: write, and pull-requests: write.
Secure ref-based entity detection .github/workflows/check_db_entities.yml	Entity detection now derives PR_HEAD_SHA, fetches the PR head ref without updating the worktree, and diffs origin/$BASE_BRANCH...$PR_HEAD_SHA limited to packages/stream_chat_persistence/lib/src/entity filtered to *.dart, writing results to modified_entities or exiting if none found.

---

🎯 4 (Complex) | ⏱️ ~45 minutes

---

🐰
I fetch the head with careful paws,
I read the diffs without a cause,
Only entity darts I softly spy,
No checkout leaps — just a quiet sigh,
Workflow safe beneath moonlit laws.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix(ci): allow fork PRs to post DB entity comments' accurately and concisely summarizes the main change: enabling the CI workflow to work properly for fork-originated pull requests by fixing permissions issues.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/ci-check-db-entities-fork-perms

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/check_db_entities.yml:
- Around line 53-54: The workflow uses mutable version tags (e.g.,
actions/checkout@v6, dorny/paths-filter@v3, peter-evans/find-comment@v4,
peter-evans/create-or-update-comment@v5) which must be pinned to immutable
commit SHAs for security when running in pull_request_target; update each uses:
entry to the corresponding full commit SHA (replace the tag after each
identifier with the repo's specific commit hash) so actions/checkout,
dorny/paths-filter, peter-evans/find-comment and
peter-evans/create-or-update-comment are referenced by commit SHAs rather than
version tags.
- Around line 14-16: The concurrency.group currently uses github.workflow and
github.ref which under pull_request_target resolves to the base branch and
causes unrelated PR runs to collide; update the concurrency.group expression
(the key used under concurrency) to include a per-PR identifier such as
github.event.pull_request.number or github.head_ref (e.g., use
github.workflow-${{ github.event.pull_request.number }} or include
github.head_ref) so each PR run has a unique concurrency key when using
pull_request_target.
- Around line 18-21: The workflow currently grants pull-requests: write at the
top-level permissions; restrict that write permission to only the job that needs
it by removing or changing the top-level pull-requests permission and adding
permissions: pull-requests: write under the check_entity_modifications job.
Specifically, keep top-level permissions.contents: read (or set pull-requests:
none), and add a job-level permissions block inside the
check_entity_modifications job that sets pull-requests: write so the gate job
(which runs dorny/paths-filter) does not receive write access.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e724ef79-3f9a-4bbc-9ce3-3ed0dac582dd

📥 Commits

Reviewing files that changed from the base of the PR and between 093743a and 2c872ca.

📒 Files selected for processing (1)

• .github/workflows/check_db_entities.yml

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/check_db_entities.yml (1)

68-74: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't swallow git diff failures.

Line 68 currently treats "no .dart matches" and "couldn't compute the diff" the same way because the pipeline ends with || true. If ref resolution or diffing breaks, this job will incorrectly emit has_changes=false and skip the warning comment.

Suggested change

-          git diff --name-only "origin/$BASE_BRANCH...$PR_HEAD_SHA" -- $ENTITY_DIR | grep -E '\.dart$' > $TEMP_FILE || true
+          ALL_CHANGED_FILE="${TEMP_FILE}.all"
+          git diff --name-only "origin/$BASE_BRANCH...$PR_HEAD_SHA" -- "$ENTITY_DIR" > "$ALL_CHANGED_FILE"
+          grep -E '\.dart$' "$ALL_CHANGED_FILE" > "$TEMP_FILE" || true

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/check_db_entities.yml around lines 68 - 74, The pipeline
is currently masking failures of the git diff + grep pipeline due to the
trailing "|| true"; enable proper failure propagation by turning on pipefail
(e.g., set -o pipefail) before running the pipeline and remove the "|| true" so
any git diff or grep failure surfaces; keep the existing check that inspects
TEMP_FILE (and writes has_changes=false to GITHUB_OUTPUT when it's empty) but
ensure that if the git diff pipeline fails you exit with an error instead of
treating it as "no changes" — reference the pipeline command that writes to
TEMP_FILE (git diff --name-only "origin/$BASE_BRANCH...$PR_HEAD_SHA" --
$ENTITY_DIR | grep -E '\.dart$' > $TEMP_FILE) and the TEMP_FILE / has_changes /
GITHUB_OUTPUT logic when making the change.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/check_db_entities.yml:
- Around line 14-16: The workflow-level permissions block is missing issues:
write which is required by the peter-evans/create-or-update-comment@v5 action;
update the permissions map in .github/workflows/check_db_entities.yml by adding
issues: write alongside pull-requests: write and contents: read so the
create-or-update-comment step can post comments (refer to the permissions block
and the peter-evans/create-or-update-comment@v5 action name to locate the
change).

---

Outside diff comments:
In @.github/workflows/check_db_entities.yml:
- Around line 68-74: The pipeline is currently masking failures of the git diff
+ grep pipeline due to the trailing "|| true"; enable proper failure propagation
by turning on pipefail (e.g., set -o pipefail) before running the pipeline and
remove the "|| true" so any git diff or grep failure surfaces; keep the existing
check that inspects TEMP_FILE (and writes has_changes=false to GITHUB_OUTPUT
when it's empty) but ensure that if the git diff pipeline fails you exit with an
error instead of treating it as "no changes" — reference the pipeline command
that writes to TEMP_FILE (git diff --name-only
"origin/$BASE_BRANCH...$PR_HEAD_SHA" -- $ENTITY_DIR | grep -E '\.dart$' >
$TEMP_FILE) and the TEMP_FILE / has_changes / GITHUB_OUTPUT logic when making
the change.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: effa0ddf-d2e4-4954-82ed-1340011e76f6

📥 Commits

Reviewing files that changed from the base of the PR and between 1a1d6af and 73a780b.

📒 Files selected for processing (1)

• .github/workflows/check_db_entities.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/check_db_entities.yml:
- Around line 63-69: The workflow currently shallow-fetches the PR head with
--depth=1 and silences git diff failures with "|| true", which can hide
merge-base issues; update the fetch and diff steps to fetch sufficient history
for merge-base resolution (ensure both origin/$BASE_BRANCH and the PR head ref
are fetched without --depth=1 or explicitly fetch the merge-base with git fetch
--unshallow) and remove the trailing "|| true" so a failing git diff/grep
returns a non-zero exit code; reference the PR_HEAD_SHA, BASE_BRANCH, ENTITY_DIR
and TEMP_FILE variables when making these changes and keep the git diff command
using the three-dot "origin/$BASE_BRANCH...$PR_HEAD_SHA".

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 45def8a3-ba63-4d51-bc4a-e6e48fb44a98

📥 Commits

Reviewing files that changed from the base of the PR and between 73a780b and 4aea8bc.

📒 Files selected for processing (1)

• .github/workflows/check_db_entities.yml