From cb6929ccb3307d659ae0e399b2317030a1e81f75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?JB=20Onofr=C3=A9?= <jb.onofre@dremio.com>
Date: Wed, 18 Mar 2026 05:25:38 +0100
Subject: [PATCH] ci: use workflow_run to publish test results on fork PRs
 (backport #2450)

The publish-unit-test-result-action requires write permissions to post
PR comments and check runs, but fork PRs run with read-only tokens.
Move test result publishing to a separate workflow triggered by
workflow_run, which runs in the base repo context with write access.
---
 .github/workflows/ci-test-results.yml | 57 +++++++++++++++++++++++++++
 .github/workflows/ci.yml              | 10 -----
 2 files changed, 57 insertions(+), 10 deletions(-)
 create mode 100644 .github/workflows/ci-test-results.yml

diff --git a/.github/workflows/ci-test-results.yml b/.github/workflows/ci-test-results.yml
new file mode 100644
index 00000000000..6ac71c7d1bb
--- /dev/null
+++ b/.github/workflows/ci-test-results.yml
@@ -0,0 +1,57 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+
+name: CI Test Results
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types:
+      - completed
+
+permissions:
+  contents: read
+  checks: write
+  pull-requests: write
+  actions: read
+
+jobs:
+  test-results:
+    name: Publish Test Results
+    runs-on: ubuntu-24.04
+    if: github.event.workflow_run.conclusion != 'skipped'
+
+    steps:
+      - name: Download and Extract Artifacts
+        uses: dawidd6/action-download-artifact@v8
+        with:
+          run_id: ${{ github.event.workflow_run.id }}
+          name: test-results
+          path: artifacts
+
+      - name: Publish Test Results
+        uses: EnricoMi/publish-unit-test-result-action@v2
+        with:
+          commit: ${{ github.event.workflow_run.head_sha }}
+          event_file: ${{ github.event.workflow_run.event_path }}
+          event_name: ${{ github.event.workflow_run.event }}
+          large_files: true
+          report_individual_runs: true
+          report_suite_logs: error
+          files: 'artifacts/**/*.xml'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 411b91fef70..3ebc9a54454 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -57,8 +57,6 @@ jobs:
 
     permissions:
       contents: read
-      checks: write
-      pull-requests: write
 
     runs-on: ubuntu-24.04
 
@@ -85,11 +83,3 @@ jobs:
         with:
           name: test-results
           path: '**/target/surefire-reports/*.xml'
-      - name: Publish Test Results
-        if: always()
-        uses: EnricoMi/publish-unit-test-result-action@v2
-        with:
-          large_files: true
-          report_individual_runs: true
-          report_suite_logs: error
-          files: '**/target/surefire-reports/*.xml'