From f10835d77042d5e2dc44cd80eb856ca5a8e9c174 Mon Sep 17 00:00:00 2001 From: Ian Winsemius Date: Wed, 20 May 2026 10:35:00 -0700 Subject: [PATCH] ci: make recommend workflow fork-safe MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The Recommend integration tests workflow runs on every `pull_request` event, including PRs opened from forks. When triggered by a fork PR the provided GITHUB_TOKEN has read-only access to the upstream repo and any write call (addLabels / createComment) returns: HttpError: Resource not accessible by integration (HTTP 403) That failure surfaces as a red 'recommend' check on every fork PR even when the underlying source code is fine. It's also misleading: the job's job is to recommend integration tests, not to gate the PR on its own infra success. Fix: wrap the label and comment API calls in a small helper that catches 403s and logs an actionable message instead of throwing. The job runs to completion green, and maintainers can apply the 'integration-tests: recommended' label manually if the change warrants integration testing. Comment writes are additionally skipped entirely on fork PRs because the GitHub UI already shows a banner explaining how external contributors can request review — a bot comment to a fork PR author who cannot apply labels themselves would just add noise. This is a CI-only change with no runtime impact, so it does not include a changeset (per .github/skills/changesets/SKILL.md). The PR needs the `skip changeset` label applied by a maintainer. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .../workflows/recommend-integration-tests.yml | 48 +++++++++++++++---- 1 file changed, 38 insertions(+), 10 deletions(-) diff --git a/.github/workflows/recommend-integration-tests.yml b/.github/workflows/recommend-integration-tests.yml index 20233cc5202..5693d0e2f30 100644 --- a/.github/workflows/recommend-integration-tests.yml 
+++ b/.github/workflows/recommend-integration-tests.yml 
@@ -49,23 +49,51 @@ jobs: repo: context.repo.repo } + // When this workflow runs for a PR opened from a fork, the + // GITHUB_TOKEN has read-only access to the upstream repo and + // any write call (addLabels / createComment) returns + // `Resource not accessible by integration` (HTTP 403). That + // is the right security boundary, but it causes this check + // to fail on every fork PR which is misleading: the failure + // is not a problem with the PR's source code. + // + // Soft-fail those writes so the check stays green for fork + // PRs. Maintainers can still apply the label manually if + // they want to recommend integration tests for the change. + const isFork = context.payload.pull_request?.head?.repo?.full_name !== context.payload.repository?.full_name + const softWrite = async (operation, fn) => { + try { + await fn() + } catch (error) { + if (error.status === 403) { + core.info(`Skipped ${operation}: GITHUB_TOKEN cannot write to this repository from a forked PR. A maintainer can apply the '${INTEGRATION_LABEL_NAMES.recommended}' label manually if integration tests are warranted.`) + return + } + throw error + } + } + const labels = await github.paginate(github.rest.issues.listLabelsOnIssue, issue); const integrationLabels = labels.filter(label => label.name.startsWith('integration-tests')) const hasPassingLabel = integrationLabels.find(label => label.name === INTEGRATION_LABEL_NAMES.passing) if (integrationLabels.length === 0) { // recommend integration tests - await github.rest.issues.addLabels({...issue, labels: [INTEGRATION_LABEL_NAMES.recommended]}) - await github.rest.issues.createComment({ - ...issue, - body: '\n\n # ⚠️ Action required \n\n :wave: Hi, this pull request contains changes to the source code that github/github-ui depends on. If you are GitHub staff, test these changes with github/github-ui using the [integration workflow](https://github.com/github/github-ui/actions/workflows/primer-react-pr-test.yml). 
Check the [integration testing docs](https://gh.io/testing_primer_at_dotcom) for step-by-step instructions. Or, apply the `integration-tests: skipped manually` label to skip these checks.\n\nTo publish a canary release for integration testing, apply the `Canary Release` label to this PR.' - }) + await softWrite('addLabels', () => github.rest.issues.addLabels({...issue, labels: [INTEGRATION_LABEL_NAMES.recommended]})) + if (!isFork) { + await softWrite('createComment', () => github.rest.issues.createComment({ + ...issue, + body: '\n\n # ⚠️ Action required \n\n :wave: Hi, this pull request contains changes to the source code that github/github-ui depends on. If you are GitHub staff, test these changes with github/github-ui using the [integration workflow](https://github.com/github/github-ui/actions/workflows/primer-react-pr-test.yml). Check the [integration testing docs](https://gh.io/testing_primer_at_dotcom) for step-by-step instructions. Or, apply the `integration-tests: skipped manually` label to skip these checks.\n\nTo publish a canary release for integration testing, apply the `Canary Release` label to this PR.' + })) + } } else if (hasPassingLabel) { // recommend running integration tests again as there are new commits that might change the status // note: we don't remove 'integration-tests: passing' label because this is only a suggestion/nudge - await github.rest.issues.addLabels({...issue, labels: [INTEGRATION_LABEL_NAMES.recommended]}) - await github.rest.issues.createComment({ - ...issue, - body: '\n\n # ⚠️ Action required \n\n :wave: Hi, there are new commits since the last successful integration test. If you are GitHub staff, test these changes with github/github-ui using the [integration workflow](https://github.com/github/github-ui/actions/workflows/primer-react-pr-test.yml). Check the [integration testing docs](https://gh.io/testing_primer_at_dotcom) for step-by-step instructions. 
Or, apply the `integration-tests: skipped manually` label to skip these checks.' - }) + await softWrite('addLabels', () => github.rest.issues.addLabels({...issue, labels: [INTEGRATION_LABEL_NAMES.recommended]})) + if (!isFork) { + await softWrite('createComment', () => github.rest.issues.createComment({ + ...issue, + body: '\n\n # ⚠️ Action required \n\n :wave: Hi, there are new commits since the last successful integration test. If you are GitHub staff, test these changes with github/github-ui using the [integration workflow](https://github.com/github/github-ui/actions/workflows/primer-react-pr-test.yml). Check the [integration testing docs](https://gh.io/testing_primer_at_dotcom) for step-by-step instructions. Or, apply the `integration-tests: skipped manually` label to skip these checks.' + })) + } }
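Review bot: The `catch` inside `softWrite` swallows every 403, not only the fork case, because `isFork` is computed one line earlier but never consulted there. A 403 on a same-repository PR would be logged at info level with a message blaming a forked PR, and the check would stay green. That could hide a tightened `permissions:` block (not visible in this hunk) or a secondary rate-limit response, which GitHub can also return as 403. Narrowing the guard to `if (error.status === 403 && isFork) {` keeps the soft-fail for the read-only fork token while still surfacing unexpected authorization failures. If other read-only-token cases, such as Dependabot-triggered PRs, should also stay green, name them explicitly in the condition rather than matching on the status code alone. The enclosing script block starts and ends outside the hunk.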