From bc2eb75de179af4bd3486be77d55395c6688802e Mon Sep 17 00:00:00 2001 From: bearomorphism Date: Fri, 8 May 2026 16:30:10 +0800 Subject: [PATCH] ci(test): skip test-trigger-other-job when token is read-only The test-trigger-other-job job runs `gh workflow run`, which requires `actions: write` on the GITHUB_TOKEN. The job has been failing on: - Fork PRs (e.g. contributor PRs from forks): fork-originated PRs always receive a read-only GITHUB_TOKEN. - Dependabot PRs (e.g. #15): even though dependabot creates branches in the same repo, the dependabot[bot] actor receives a restricted token by default. Both produce: could not create workflow dispatch event: HTTP 403: Resource not accessible by integration Skip this job in both cases by gating on `head.repo.full_name` and on `github.actor`. The job continues to run on PRs from same-repo branches authored by humans, where the token has the required permissions. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/test.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 811e217..9f94587 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -81,6 +81,14 @@ jobs:
 assert.ok(changelogContent.includes('### Fix'), 'Expected changelog to contain a header for fixes');
 test-trigger-other-job:
 runs-on: ubuntu-latest
+ # Skip when the token will be read-only and `gh workflow run` would
+ # fail with HTTP 403 ("Resource not accessible by integration"):
+ # - Fork PRs: GITHUB_TOKEN is always read-only on fork-originated PRs.
+ # - Dependabot PRs: even though the branch is in the same repo, the
+ # dependabot[bot] actor receives a restricted token by default.
+ if: >-
+ github.event.pull_request.head.repo.full_name == github.repository &&
+ github.actor != 'dependabot[bot]'
 steps:
 - uses: actions/checkout@v6
 with:
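Review bot: The new `if:` on `test-trigger-other-job` is false on every event that is not a pull request, because `github.event.pull_request` is empty there and the `full_name` comparison cannot match `github.repository`. If this workflow also runs on `push`, `schedule` or `workflow_dispatch` (the `on:` block is outside the hunk), the job will be skipped silently on the default branch. Writing the condition as `github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')` limits the skip to the two read-only-token cases the comment describes. Because the job depends on `actions: write`, it would also be safer to declare that in a job-level `permissions:` block (`actions: write`, `contents: read`) than to rely on the repository default, assuming no such block exists in the part of the job that continues past the hunk.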