Fix pr-review.yml workflow permissions for fork PRs

[Copilot]

The workflow fails to comment on PRs from forks due to insufficient GITHUB_TOKEN permissions with the pull_request event.

Changes

• Trigger: pull_request → pull_request_target for fork PR write permissions
• Permissions: contents: write → contents: read (least privilege)
• Checkout: Added explicit ref: ${{ github.event.pull_request.head.sha }}
• Condition: Updated event check to pull_request_target

 on:
-  pull_request:
+  pull_request_target:
     branches: [main, master]
   
 jobs:
   build-deploy:
     permissions:
-      contents: write
+      contents: read
       pull-requests: write
     steps:
       - uses: actions/checkout@v4
         with:
+          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0

Security Note

Workflow executes PR code (Quarto rendering) by design. Explicit SHA checkout ensures transparency; no additional secrets exposed.

Original prompt

Problem

The pr-review.yml workflow is failing on the "Comment PR with artifact link" step when running on pull requests from forked repositories. This is due to insufficient permissions - the GITHUB_TOKEN has limited write permissions for fork PRs when using the pull_request event.

Solution

Update .github/workflows/pr-review.yml to use pull_request_target event instead of pull_request. This change will:

1. Change the trigger event from pull_request to pull_request_target to gain necessary permissions for commenting on PRs from forks
2. Update the checkout step to explicitly checkout the PR's head SHA to ensure we're working with the correct code from the pull request
3. Adjust permissions to follow the principle of least privilege:
   • Change contents: write to contents: read (we don't need write access to repo contents)
   • Keep pull-requests: write for commenting on PRs

Specific Changes Required

In .github/workflows/pr-review.yml:

1. Line 2: Change pull_request: to pull_request_target:
2. Line 20: Change contents: write to contents: read
3. Lines 24-26: Update the checkout step to include:

   - name: Checkout repo
     uses: actions/checkout@v4
     with:
       ref: ${{ github.event.pull_request.head.sha }}
       fetch-depth: 0

Security Considerations

Using pull_request_target is safe in this workflow because:

• We explicitly checkout the PR code using ref: ${{ github.event.pull_request.head.sha }}
• The workflow executes controlled operations (Quarto rendering)
• We follow the principle of least privilege with permissions

Reference

• Related to PR Fix error #245 where this issue was discovered
• GitHub documentation: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

This pull request was created from Copilot chat.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.