ci: add issue comment support for status checks

[joshblack]

Unfortunately our labeling workflow won't work if the PR is one from a fork 😞 Trying out one related to issue_comment so that we could have CI pass on PRs from forks.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1d2f65c

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[Copilot]

Pull Request Overview

This PR adds support for triggering status check overrides via issue comments, specifically to enable CI bypass for pull requests from forks where the label-based workflow doesn't work due to permission restrictions.

Key Changes:

• Adds issue_comment event trigger to the workflow
• Implements a new command-based flow using .skip-integration-checks comment
• Updates permissions to include issues: write for comment interactions

[Copilot]

The issue_comment event from forks is potentially unsafe because the workflow runs in the context of the base repository with elevated permissions (issues: write, pull-requests: write, statuses: write), but can be triggered by external contributors commenting on a PR.

While the github/command action provides some protection by requiring a specific command and permissions check, you should ensure that:

1. The action properly validates that the commenter has the required permissions in the repository
2. The permissions: write parameter correctly restricts to users with write access

Consider adding an explicit permission check or documenting the security model, especially since this is designed to work with PRs from forks where the PR author may not have write access.

Suggested change

	- name: Override status checks for issue comment
	if: ${{ github.event_name == 'issue_comment' && steps.command.outputs.continue == 'true' }}
	run: |
	- name: Check comment author permissions
	if: ${{ github.event_name == 'issue_comment' && steps.command.outputs.continue == 'true' }}
	id: author-permissions
	run: |
	AUTHOR="${{ github.event.comment.user.login }}"
	PERMISSION=$(gh api "/repos/${{ github.repository }}/collaborators/$AUTHOR/permission" --jq '.permission')
	echo "Author permission: $PERMISSION"
	if [[ "$PERMISSION" == "admin" || "$PERMISSION" == "write" || "$PERMISSION" == "maintain" ]]; then
	echo "has_write_access=true" >> $GITHUB_OUTPUT
	else
	echo "has_write_access=false" >> $GITHUB_OUTPUT
	fi
	env:
	GH_TOKEN: ${{ steps.generate_primer_token.outputs.token }}
	- name: Override status checks for issue comment
	if: ${{ github.event_name == 'issue_comment' && steps.command.outputs.continue == 'true' && steps.author-permissions.outputs.has_write_access == 'true' }}
	run: |

[Copilot]

The step "Override status checks for issue comment" lacks error handling when the gh pr view command fails. If NUMBER refers to an issue instead of a pull request (which is possible with the current issue_comment trigger), this command will fail.

Consider adding error handling or verifying the command succeeded before proceeding with the API calls:

run: |
  if ! SHA=$(gh pr view $NUMBER --json headRefOid --jq '.headRefOid' 2>/dev/null); then
    echo "Failed to get PR information for issue #$NUMBER"
    exit 1
  fi
  # ... rest of the script