diff --git a/.github/workflows/check_images.yaml b/.github/workflows/check_images.yaml index 011f2223523..1b9b88101e7 100644 --- a/.github/workflows/check_images.yaml +++ b/.github/workflows/check_images.yaml @@ -46,7 +46,9 @@ jobs: run: | python scripts/webp_conversion/check_images_in_pr.py + # Same-repo PRs: the token can write, so post/update the result as a PR comment. - name: Find Comment + if: github.event.pull_request.head.repo.full_name == github.repository uses: peter-evans/find-comment@v4 id: fc with: @@ -55,9 +57,26 @@ jobs: body-includes: mage files/references - name: Create or update comment + if: github.event.pull_request.head.repo.full_name == github.repository uses: peter-evans/create-or-update-comment@v5 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} body: ${{ steps.image_check.outputs.comment }} edit-mode: replace + + # Fork PRs: the GITHUB_TOKEN is read-only, so a PR comment would 403. + # Surface the same result as a job-summary report in the workflow run instead. + - name: Image check report (fork PR) + if: github.event.pull_request.head.repo.full_name != github.repository + env: + REPORT: ${{ steps.image_check.outputs.comment }} + run: | + { + echo "## 🖼️ Image check report" + echo "" + echo "> This PR is from a fork, so the workflow cannot post a PR comment" + echo "> (fork runs receive a read-only token). The result is shown below." + echo "" + echo "$REPORT" + } >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/spell-check.yaml b/.github/workflows/spell-check.yaml index 3e0d519ddfb..2dd1ff6e611 100644 --- a/.github/workflows/spell-check.yaml +++ b/.github/workflows/spell-check.yaml @@ -64,8 +64,9 @@ jobs: run: | python scripts/spell_check/check_spelling.py + # Same-repo PRs: the token can write, so post/update the result as a PR comment. - name: Find Comment - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository uses: peter-evans/find-comment@v4 id: fc with: @@ -74,10 +75,26 @@ jobs: body-includes: Spell Check - name: Create or update comment - if: github.event_name == 'pull_request' + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository uses: peter-evans/create-or-update-comment@v5 with: comment-id: ${{ steps.fc.outputs.comment-id }} issue-number: ${{ github.event.pull_request.number }} body: ${{ steps.spell_check.outputs.comment }} edit-mode: replace + + # Fork PRs: the GITHUB_TOKEN is read-only, so a PR comment would 403. + # Surface the same result as a job-summary report in the workflow run instead. + - name: Spell check report (fork PR) + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository + env: + REPORT: ${{ steps.spell_check.outputs.comment }} + run: | + { + echo "## 📝 Spell check report" + echo "" + echo "> This PR is from a fork, so the workflow cannot post a PR comment" + echo "> (fork runs receive a read-only token). The result is shown below." + echo "" + echo "$REPORT" + } >> "$GITHUB_STEP_SUMMARY" diff --git a/.github/workflows/staging-aggregate.yaml b/.github/workflows/staging-aggregate.yaml index 810e6b7c4b0..f4a817d08b5 100644 --- a/.github/workflows/staging-aggregate.yaml +++ b/.github/workflows/staging-aggregate.yaml @@ -6,6 +6,14 @@ name: Staging Aggregate Deployment # Purpose: Aggregates and deploys staging changes to production # Triggers: PRs to main, monthly schedule, or manual dispatch # Features: Multi-PR aggregation, staging deployment, and force deploy option +# +# Fork PRs: GitHub does not pass repository secrets to runs triggered from a +# fork, so a fork PR cannot auto-deploy to staging (its run fails fast with a +# note instead of a cryptic token error). To preview a fork PR on staging, a +# maintainer runs this workflow manually (Actions -> Run workflow) from `main` +# and sets `single_pr` to the PR number. The run resolves the fork from the PR +# number and fetches it over its public URL, so there is no need to pick the +# fork branch in the dropdown. on: pull_request: @@ -57,6 +65,30 @@ jobs: total-prs: ${{ steps.aggregate.outputs.total_prs }} has-prs: ${{ steps.aggregate.outputs.has_prs }} steps: + # Fork PRs can't receive secrets, so the checkout/gh steps below would fail + # with a cryptic "Input required and not supplied: token". Fail fast with a + # clear note pointing maintainers at the manual single_pr dispatch instead. + - name: Fork PR — staging not auto-deployed + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository + run: | + PR_NUM="${{ github.event.pull_request.number }}" + { + echo "## ⏭️ Fork PR — staging not auto-deployed" + echo "" + echo "GitHub does not pass repository secrets to runs triggered from a fork," + echo "so this workflow cannot auto-deploy a fork PR to staging." + echo "" + echo "**To preview this PR on staging**, a maintainer runs the *Staging Aggregate" + echo "Deployment* workflow manually (Actions → Run workflow) from \`main\` and sets:" + echo "" + echo " single_pr = ${PR_NUM}" + echo "" + echo "The run pulls this fork in by PR number over its public URL — no need to" + echo "select the fork branch in the dropdown." + } >> "$GITHUB_STEP_SUMMARY" + echo "::error::Fork PR #${PR_NUM} not auto-deployed. Maintainer: run this workflow manually with single_pr=${PR_NUM} to preview it on staging." + exit 1 + - name: Checkout repository uses: actions/checkout@v6 with: