Fix fork PR docs workflow #2910

Open
antonwolfy wants to merge 7 commits into master from fix-fork-pr-docs-workflow

antonwolfy commented May 11, 2026

Problem

Fork PRs to this repository fail the Build Sphinx workflow with a 403 permission error:

remote: Permission to IntelPython/dpnp.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/IntelPython/dpnp.git/': The requested URL returned error: 403
Error: Action failed with "The process '/usr/bin/git' failed with exit code 128"

GitHub Security Context

Fork PRs run with read-only GITHUB_TOKEN and cannot:

  • ❌ Push to branches (including gh-pages)
  • ❌ Post PR comments
  • ❌ Access repository secrets

Reference: GitHub Actions documentation on fork PR security

"The GITHUB_TOKEN has read-only permissions in pull requests from forked repositories."

This is a security feature that cannot be overridden by workflow permissions.

Solution

This PR implements a conditional publishing strategy that respects GitHub's fork PR security model:

For Upstream PRs (same-repo branches):

✅ Builds documentation
✅ Publishes to GitHub Pages (gh-pages branch)
✅ Comments with direct URL: https://intelpython.github.io/dpnp/pull/{number}/index.html
✅ Workflow passes

For Fork PRs:

✅ Builds documentation
✅ Uploads as workflow artifact (30-day retention)
✅ Workflow passes (no 403 error)
ℹ️ No comment (cannot post due to read-only token)
ℹ️ Artifact visible in workflow run's "Artifacts" section

antonwolfy and others added 4 commits May 11, 2026 11:51
The workflow incorrectly checked `base.repo.fork` (whether the target
repository is a fork) instead of `head.repo.fork` (whether the source
repository is a fork). This caused all PRs to IntelPython/dpnp to be
treated as upstream PRs, including fork PRs, which led to 403 errors
when trying to push to gh-pages.

Changes:
- Line 15: Changed base.repo.fork -> head.repo.fork in GH_EVENT_OPEN_PR_UPSTREAM
- Line 238: Changed base.repo.fork -> head.repo.fork in clean job condition

This bug was introduced in commit cb801da (PR #2146, Nov 2024).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Fork PRs cannot push to gh-pages due to restricted permissions, which
causes 403 errors. This commit adds logic to detect fork PRs and handle
them differently:

- Added "Check if fork PR" step to detect fork PRs
- Added "Upload docs artifact" step to save built docs as artifacts for fork PRs
- Modified "Publish pull-request docs" to skip fork PRs

Fork PRs will now pass the workflow by uploading artifacts instead of
attempting to publish to gh-pages.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Added unified comment step that posts different messages based on PR type:

- Fork PRs: Get detailed instructions for downloading and viewing docs
  artifact, including both gh CLI method and manual download steps
- Upstream PRs: Get direct URL to published docs on GitHub Pages

Both comment types use the same message-id so they update on subsequent
pushes to the PR.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

The GH_EVENT_OPEN_PR_UPSTREAM environment variable is no longer needed
since we now explicitly check fork status with steps.check_fork.outputs.is_fork.

Replaced with inline conditions that are more explicit and easier to read:
- github.event_name == 'pull_request'
- github.event.action != 'closed'
- steps.check_fork.outputs.is_fork == 'false'

Kept GH_EVENT_PUSH_UPSTREAM as it's still used for push-to-master deployments.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
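
The fork check described in the commit messages above, as an added Python example that is not the PR's workflow code: it classifies constructed `pull_request` payloads with the pre-fix `base.repo.fork` test, the post-fix `head.repo.fork` test, and a `full_name` comparison. The `full_name` variant, the handling of a deleted source repository, the function names and the `contributor/dpnp` repository are assumptions made for illustration.

```python
# Added example (not the PR's workflow code): classify a pull_request event
# payload the way the docs job needs to. All payloads below are constructed.

def source_is_external(pr, check="head.repo.fork"):
    """Return True when the PR's source repository must be treated as a fork."""
    head_repo = pr["head"].get("repo")  # assumption: None if the source repo is gone
    base_repo = pr["base"]["repo"]
    if check == "base.repo.fork":       # pre-fix check: is the *target* a fork?
        return bool(base_repo["fork"])
    if head_repo is None:               # unknown source: treat as untrusted
        return True
    if check == "head.repo.fork":       # post-fix check described in the PR
        return bool(head_repo["fork"])
    if check == "full_name":            # assumption: stricter variant, not in the PR
        return head_repo["full_name"] != base_repo["full_name"]
    raise ValueError(f"unknown check: {check}")


def docs_action(event_name, payload, check="head.repo.fork"):
    """Map an event to 'publish-pages', 'upload-artifact' or 'skip'."""
    if event_name != "pull_request" or payload.get("action") == "closed":
        return "skip"                   # push deploys and cleanup are separate paths
    if source_is_external(payload["pull_request"], check):
        return "upload-artifact"        # read-only token: never push to gh-pages
    return "publish-pages"


def make_event(head_full_name, head_fork, action="opened", base_fork=False):
    """Build a constructed, minimal pull_request payload."""
    head_repo = None if head_full_name is None else {
        "full_name": head_full_name, "fork": head_fork}
    return {"action": action, "pull_request": {
        "head": {"repo": head_repo},
        "base": {"repo": {"full_name": "IntelPython/dpnp", "fork": base_fork}}}}


UPSTREAM = make_event("IntelPython/dpnp", False)   # same-repo branch
FORK = make_event("contributor/dpnp", True)        # constructed fork name
DELETED = make_event(None, False)                  # source repository missing

if __name__ == "__main__":
    checks = ("base.repo.fork", "head.repo.fork", "full_name")
    for name, ev in [("upstream", UPSTREAM), ("fork", FORK), ("deleted", DELETED)]:
        print(name, {c: docs_action("pull_request", ev, c) for c in checks})
```

With the pre-fix check every payload maps to `publish-pages`, which is the path that ends in the 403 for fork PRs; the `full_name` comparison additionally stays correct when the target repository is itself a fork.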
antonwolfy added this to the 0.21.0 release milestone May 11, 2026
antonwolfy self-assigned this May 11, 2026
@github-actions

View rendered docs @ https://intelpython.github.io/dpnp/pull/2910/index.html


github-actions Bot commented May 11, 2026

Array API standard conformance tests for dpnp=0.21.0dev0=py313h509198e_23 ran successfully.
Passed: 1357
Failed: 3
Skipped: 16

antonwolfy force-pushed the fix-fork-pr-docs-workflow branch from 5e5f807 to 5c3b452 May 11, 2026 20:25

Fork PRs run with read-only GITHUB_TOKEN and cannot post comments,
causing "Resource not accessible by integration" errors.

Changes:
- Added condition to skip comment step for fork PRs
- Fork PR artifacts remain accessible via workflow run's Artifacts section
- Added documentation link explaining the GitHub security restriction

Reference: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

coveralls commented May 11, 2026

Coverage Status

coverage: 78.441% (-0.003%) from 78.444% — fix-fork-pr-docs-workflow into master

antonwolfy and others added 2 commits May 11, 2026 15:02
Replaced repeated condition `github.event_name == 'pull_request' &&
github.event.action != 'closed'` with a single environment variable
`GH_EVENT_PR_OPEN` for better readability and maintainability.

Updated 3 steps to use the new variable:
- Upload docs artifact (Fork PRs)
- Publish pull-request docs
- Comment with URL to published pull-request docs

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

antonwolfy marked this pull request as ready for review May 11, 2026 22:25
@github-actions

View rendered docs @ https://intelpython.github.io/dpnp/pull/2910/index.html

- name: Copy backend docs
run: cp -r dpnp/backend/doc/html ${{ env.PUBLISH_DIR }}/backend_doc

# Detect if this is a fork PR
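
Review bot: in the `Copy backend docs` step, `${{ env.PUBLISH_DIR }}` is substituted into the `run` line unquoted, so a value containing spaces or shell metacharacters would be re-parsed by the shell. Because the value already lives in `env`, it can be referenced as a quoted shell variable instead, for example `cp -r dpnp/backend/doc/html "$PUBLISH_DIR/backend_doc"`.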

Why was a separate step added for that?
Would it be simpler to use a workflow env variable directly?

GH_EVENT_PR_FORK: ${{ github.event_name == 'pull_request' &&
                      github.event.action != 'closed' &&
                      github.event.pull_request.head.repo.fork }}
