ci: make PR checks fork-friendly #797
Open
LukasWallrich wants to merge 1 commit into
Fork pull_request runs get a read-only GITHUB_TOKEN and no repo secrets, so steps that post PR comments or use the staging PAT fail (403/empty token) on every fork PR. Handle forks explicitly:

- check_images / spell-check: keep posting the PR comment for same-repo PRs, but on fork PRs write the same report to the job summary instead of 403ing on the comment write.
- staging-aggregate: fail fast on fork PRs with a clear note pointing maintainers at the manual single_pr workflow_dispatch, replacing the cryptic "Input required and not supplied: token" checkout error.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
👍 All image files/references (if any) are in webp format, in line with our policy.

✅ Spell Check Passed
No spelling issues found when checking 3 changed file(s)! 🎉

✅ Staging Deployment Status
This PR has been successfully deployed to staging as part of an aggregated deployment.
Deployed at: 2026-06-10 18:17:21 UTC
The staging site shows the combined state of all compatible open PRs.
Why

Fork pull_request runs receive a read-only GITHUB_TOKEN and no repository secrets. Several PR-check workflows assume write access, so they fail on every fork contributor's PR:

- check_images / spell-check → the "Create or update comment" step fails with 403 Resource not accessible by integration (the image/spell check itself runs fine; only posting the comment fails).
- staging-aggregate → checkout fails with the cryptic Input required and not supplied: token because secrets.STAGING_GITHUB_TOKEN resolves to empty.

(Separately observed during debugging: a one-off 401 Requires authentication on an internal PR was transient GitHub auth flakiness — token had write perms — and is not addressed here.)

What changed

- check_images.yaml / spell-check.yaml: $GITHUB_STEP_SUMMARY) instead of 403ing on the comment. Report is passed via an env: var to avoid shell quoting/injection on the multiline body.
- staging-aggregate.yaml: ::error:: + job-summary note explaining that secrets aren't available to fork runs, and pointing maintainers at the manual path: run the workflow from main with single_pr=<PR#> (the fork is resolved by PR number over its public URL — no need to select the fork branch). Replaces the cryptic token error and stops build/deploy-staging from running.

Notes

- github.event.pull_request.head.repo.full_name != github.repository.
- link-check.yaml also posts comments but only triggers on schedule / workflow_dispatch (never fork PRs), so it needs no change.

🤖 Generated with Claude Code
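
The fork handling described above for check_images / spell-check, as an added example that is not the project's own workflow. The workflow name, the step id check, the output name report, the placeholder check step and the use of gh pr comment for the comment step are assumptions; the fork condition is the one quoted in the Notes.

```yaml
# Added example, not taken from the PR. Names marked "assumed" are illustrative.
name: pr-report-example            # assumed
on: pull_request
permissions:
  contents: read
  pull-requests: write             # fork pull_request runs still get a read-only token
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - id: check                  # assumed; stands in for the image/spell check
        run: |
          # Constructed sample report: multiline, with quotes and shell metacharacters.
          {
            echo 'report<<REPORT_EOF'
            echo 'docs/intro.md: "recieve" -> "receive"'
            echo 'docs/setup.md: unexpected `code` span and $VAR text'
            echo 'REPORT_EOF'
          } >> "$GITHUB_OUTPUT"

      # Weak form, shown for contrast only: the expression is pasted into the
      # script text before the shell parses it, so quotes, backticks or $()
      # in the report change what the step executes.
      #   run: echo "${{ steps.check.outputs.report }}" >> "$GITHUB_STEP_SUMMARY"

      # Same-repo PR: the token can write, so post the comment.
      - name: Comment on same-repo PR
        if: github.event.pull_request.head.repo.full_name == github.repository
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPORT: ${{ steps.check.outputs.report }}
        run: printf '%s\n' "$REPORT" | gh pr comment "$PR_NUMBER" --body-file -

      # Fork PR: no write access, so the same report goes to the job summary.
      # REPORT reaches the shell as data in an environment variable and is
      # only ever expanded inside double quotes.
      - name: Write job summary on fork PR
        if: github.event.pull_request.head.repo.full_name != github.repository
        env:
          REPORT: ${{ steps.check.outputs.report }}
        run: printf '%s\n' "$REPORT" >> "$GITHUB_STEP_SUMMARY"
```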