Fix CI for PR from Fork#493
Open
antoine-le-calloch wants to merge 1 commit into
Open
Conversation
…egration`) on PRs opened from forks. GitHub forces the `GITHUB_TOKEN` to be read-only in that case, so the action can't post comments. The comment-posting job is now moved to a separate `workflow_run`, which runs in the base-repo context and therefore gets a writable token, even for forks. The test job (which runs the PR's code) stays read-only and passes the results through an artifact.
Contributor
There was a problem hiding this comment.
Pull request overview
Splits throughput-result PR commenting out of the main throughput test workflow so PRs from forks (with read-only GITHUB_TOKEN) can still run tests safely, while posting the comment happens in a base-repo workflow_run context with a writable token.
Changes:
- Reduced permissions in the throughput aggregation job and replaced direct PR commenting with an uploaded “comment payload” artifact.
- Added a new
workflow_runworkflow that downloads the payload artifact and posts/updates the PR comment.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/test-throughput.yaml | Removes direct PR commenting and uploads the comment payload as an artifact; adjusts job permissions. |
| .github/workflows/test-throughput-comment.yaml | New workflow_run workflow to download the artifact payload and post the PR comment in base-repo context. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
82
to
85
| runs-on: ubuntu-latest | ||
| permissions: write-all | ||
| permissions: | ||
| contents: read | ||
| needs: test |
Comment on lines
+24
to
+26
| permissions: | ||
| pull-requests: write | ||
| steps: |
Comment on lines
+22
to
+23
| # Only act on runs that were triggered by a pull request. | ||
| if: github.event.workflow_run.event == 'pull_request' |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Throughput comments were failing (
403 Resource not accessible by integration) on PRs opened from forks. GitHub forces theGITHUB_TOKENto be read-only in that case, so the action can't post comments. The comment-posting job is now moved to a separateworkflow_run-triggered workflow, which runs in the base-repo context and therefore gets a writable token, even for forks. The test job (which runs the PR's code) stays read-only and passes the results through an artifact—no secrets are exposed to fork code.