Skip to content

fix: use pull_request_target for fork PR support#958

Merged
jesseturner21 merged 2 commits intoaws:mainfrom
jesseturner21:fix/label-continue-on-error
Apr 24, 2026
Merged

fix: use pull_request_target for fork PR support#958
jesseturner21 merged 2 commits intoaws:mainfrom
jesseturner21:fix/label-continue-on-error

Conversation

@jesseturner21
Copy link
Copy Markdown
Contributor

@jesseturner21 jesseturner21 commented Apr 24, 2026
edited
Loading

Summary

  • Switches the AI review workflow trigger from pull_request to pull_request_target
  • pull_request gives fork PRs a read-only GITHUB_TOKEN, which blocks labels, secrets, and the review entirely
  • pull_request_target runs in the base repo context with full write permissions and secret access
  • This is safe because we never check out or execute fork code — the Checkout step gets the base branch (where the review scripts live), and the harness fetches the PR diff via the GitHub API

Test plan

  • Open/reopen a fork PR from an agentcore-cli-devs member and verify the label is added, the review runs, and the label is removed
  • Verify workflow_dispatch still works

@jesseturner21
fix: make label step non-blocking for fork PRs
5ff27b5 
Fork PRs get read-only GITHUB_TOKEN regardless of workflow permissions,
causing the addLabels API call to fail with 403. This crashed the entire
job before the review could run. continue-on-error lets the review
proceed even when labeling fails.
@jesseturner21 jesseturner21 requested a review from a team April 24, 2026 19:13
@github-actions github-actions Bot added the size/xs PR size: XS label Apr 24, 2026
@jesseturner21
fix: use pull_request_target for full write access on fork PRs
125505c 
pull_request gives a read-only GITHUB_TOKEN for fork PRs, preventing
labels and secrets from working. pull_request_target runs in the base
repo context with full permissions. This is safe because we never
check out or execute fork code — the harness fetches the PR diff via
the GitHub API.
@jesseturner21 jesseturner21 changed the title fix: make label step non-blocking for fork PRs fix: use pull_request_target for fork PR support Apr 24, 2026
@github-actions github-actions Bot added size/xs PR size: XS and removed size/xs PR size: XS labels Apr 24, 2026
Hweinstock
Hweinstock approved these changes Apr 24, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@Hweinstock Hweinstock left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

noice

@jesseturner21 jesseturner21 merged commit 933bac8 into aws:main Apr 24, 2026
17 of 18 checks passed
@jesseturner21 jesseturner21 mentioned this pull request Apr 24, 2026
Open
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Hweinstock Hweinstock Hweinstock approved these changes

Assignees

No one assigned

Labels

size/xs PR size: XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jesseturner21 @Hweinstock