ci: add write permissions and fork-PR guard to pr-checks workflow #25
groupthinking merged 5 commits into main from
Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com>
Pull request overview
Updates the PR validation GitHub Actions workflow to grant the GITHUB_TOKEN write access needed to post PR comments, addressing failures caused by insufficient default token permissions.
Changes:
- Added a top-level permissions block to pr-checks.yml granting pull-requests: write and issues: write.
| on: | ||
| pull_request: | ||
| types: [opened, reopened, synchronize, edited] | ||
| permissions: | ||
| pull-requests: write | ||
| issues: write |
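Review bot: the new permissions block grants both pull-requests: write and issues: write, but the PR description states the workflow only calls issues.createComment, for which issues: write alone is sufficient; drop pull-requests: write here so the GITHUB_TOKEN stays at least privilege, matching the "granting only issues: write" wording in the description. Also note that the block is top-level, so it applies to every job in pr-checks.yml, not just the commenting step.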
Even with explicit workflow permissions, pull_request workflows from forked repos still get a read-only GITHUB_TOKEN, so comment posting can continue to fail with Resource not accessible by integration. If you expect fork PRs, consider guarding the comment call (skip for forks) or moving to pull_request_target with appropriate hardening.
Added a fork-PR guard in 3ded7e0 — the workflow now checks pr.head.repo.full_name === pr.base.repo.full_name before attempting to comment. Fork PRs skip the createComment call and instead log validation issues as warnings in the workflow output so authors can still see what needs fixing.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@copilot apply changes based on the comments in this thread
Co-authored-by: groupthinking <154503486+groupthinking@users.noreply.github.com>
Applied both review suggestions in
PR validation workflow fails with Resource not accessible by integration when attempting to post comments via github.rest.issues.createComment, because the default GITHUB_TOKEN lacks write access.
- permissions block granting only issues: write (least-privilege, since the workflow only calls issues.createComment)
- Check that pr.head.repo.full_name === pr.base.repo.full_name before attempting to comment, since fork PRs always receive a read-only GITHUB_TOKEN regardless of workflow permissions
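The fork-PR guard and warning fallback described in this PR, written as an added example of how the body of an actions/github-script step could be structured (this is not the repository's own pr-checks.yml code). It assumes the `github`, `core` and `context` objects that github-script injects and the `pull_request` payload shape; the sample payloads and validation issues at the bottom are constructed.

```javascript
// Added example, not the PR's own workflow code. Shape of `github`, `core`
// and `context` follows actions/github-script; only the fields used here matter.

function isForkPullRequest(pr) {
  // A fork PR has a head repo that differs from the base repo. Such runs get a
  // read-only GITHUB_TOKEN regardless of the workflow's `permissions` block, so
  // issues.createComment fails with "Resource not accessible by integration".
  // head.repo can be null when the fork was deleted; treat that as a fork too.
  const headRepo = pr.head.repo?.full_name;
  return headRepo === undefined || headRepo !== pr.base.repo.full_name;
}

function planValidationReport(pr, issues) {
  // Pure decision step kept separate from I/O so it can be unit-tested.
  if (issues.length === 0) return { mode: "none", count: 0 };
  if (isForkPullRequest(pr)) {
    // Cannot comment on a fork PR: surface issues as workflow warnings instead.
    return { mode: "warning", count: issues.length,
             warnings: issues.map((i) => `PR validation: ${i}`) };
  }
  const body = ["## 🔍 PR Validation", "", ...issues.map((i) => `- ${i}`)].join("\n");
  return { mode: "comment", count: issues.length, body };
}

async function reportValidationIssues({ github, core, context }, issues) {
  const pr = context.payload.pull_request;
  const plan = planValidationReport(pr, issues);
  if (plan.mode === "warning") {
    for (const w of plan.warnings) core.warning(w); // visible in job log/annotations
  } else if (plan.mode === "comment") {
    await github.rest.issues.createComment({
      owner: context.repo.owner,
      repo: context.repo.repo,
      issue_number: pr.number,
      body: plan.body,
    });
  }
  return plan;
}

// Constructed sample payloads: a same-repo PR and a fork PR (names are made up).
const samePr = { number: 25, head: { repo: { full_name: "acme/app" } },
                 base: { repo: { full_name: "acme/app" } } };
const forkPr = { number: 26, head: { repo: { full_name: "contrib/app" } },
                 base: { repo: { full_name: "acme/app" } } };
```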