ci: skip docs preview deploy for PRs from forks #791

Open
andreahlert wants to merge 1 commit into apache:main from andreahlert:fix/docs-workflow-fork-skip

@andreahlert
Collaborator

Summary

The docs job in .github/workflows/docs.yml fails on every PR opened from a fork with the annotation:

Resource not accessible by integration

Root cause: for PRs from forks, GitHub provides a read-only GITHUB_TOKEN regardless of the permissions: block declared in the workflow. The peaceiris/actions-gh-pages step that publishes the preview to the gh-pages branch therefore fails, and the comment-progress steps also fail to write PR comments.

This blocks merging contributor PRs (e.g. #623) because docs is a required status check — the only path forward today is admin override.

Changes

Gate the three steps that need write access on PRs from the upstream repo only:

  • Comment on PR
  • Build PR preview website
  • Update comment

New if condition:

github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository

Behaviour after change

  • Push to main: unchanged — only Deploy to GitHub Pages runs.
  • PR from a branch in apache/burr: unchanged — preview is built and deployed, comments posted.
  • PR from a fork: Sphinx build still validates docs; the three deploy/comment steps are skipped; job ends successfully.

How I tested this

  • Verified the failure mode on #623 (annotation points at the peaceiris/actions-gh-pages step at line 67).
  • Confirmed via gh api that recent docs runs on fork PRs are startup_failure/failure while runs on main succeed.
  • Manually traced each if: expression: for push to main, github.event_name == 'pull_request' evaluates false, leaving the existing Deploy to GitHub Pages step (gated on push to main) as the only active deploy step.

Notes

This only restores the previous level of preview coverage for in-repo PRs; it does not attempt to enable previews for forks (that would require pull_request_target and a careful audit of the checkout/build steps to avoid running untrusted PR code with elevated permissions).

Checklist

  • PR has an informative and human-readable title
  • Changes are limited to a single goal
  • Code passed the pre-commit check
  • Any change in functionality is tested
  • New functions are documented
  • Placeholder code is flagged
  • Project documentation has been updated if adding/changing functionality

Forks cannot push to gh-pages because PR-from-fork GITHUB_TOKEN is
read-only regardless of declared workflow permissions, causing the
docs job to fail with "Resource not accessible by integration" on
every fork PR.

Gate the three steps that need write access (Comment on PR, Build PR
preview website, Update comment) on PRs originating from this
repository so the docs job still validates the Sphinx build for fork
PRs without attempting the preview deploy.
@github-actions github-actions Bot added the area/ci Workflows, build, release scripts label May 28, 2026
@andreahlert andreahlert self-assigned this May 28, 2026
@andreahlert andreahlert requested a review from skrawcz May 28, 2026 07:34
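
The gate described in this PR, modelled as an added Python example (not code from the PR or from apache/burr). The payloads and the `contributor/burr` fork name are constructed, the helper names are hypothetical, and the `refs/heads/main` check for the existing deploy step is an assumption, since the page only says that step is "gated on push to main".

```python
# Added illustration: which write-access steps run for a given workflow event.
# Field names follow GitHub's pull_request event payload; payloads are constructed.

WRITE_STEPS = ["Comment on PR", "Build PR preview website", "Update comment"]


def _eq(a, b):
    """String equality the way GitHub Actions expressions compare strings:
    case-insensitive. A missing value (None) never matches a name."""
    if a is None or b is None:
        return False
    return a.casefold() == b.casefold()


def is_in_repo_pr(event_name, event, repository):
    """Model of: github.event_name == 'pull_request' &&
    github.event.pull_request.head.repo.full_name == github.repository"""
    if not _eq(event_name, "pull_request"):
        return False
    head = (event.get("pull_request") or {}).get("head") or {}
    head_repo = head.get("repo") or {}  # treated as "not this repo" when absent
    return _eq(head_repo.get("full_name"), repository)


def steps_that_run(event_name, event, repository, ref=""):
    """Return the steps needing a writable GITHUB_TOKEN that would execute."""
    steps = []
    if is_in_repo_pr(event_name, event, repository):
        steps += WRITE_STEPS
    # Assumption: the existing deploy step checks for a push to refs/heads/main.
    if _eq(event_name, "push") and ref == "refs/heads/main":
        steps.append("Deploy to GitHub Pages")
    return steps


def pr_event(head_full_name):
    """Constructed pull_request payload; None models a missing head repository."""
    repo = None if head_full_name is None else {"full_name": head_full_name}
    return {"pull_request": {"head": {"repo": repo}}}


if __name__ == "__main__":
    for head in ("apache/burr", "contributor/burr", None):
        print(head, "->", steps_that_run("pull_request", pr_event(head), "apache/burr"))
    print("push main ->", steps_that_run("push", {}, "apache/burr", "refs/heads/main"))
```

An empty list for the fork case is the property to check: no step that needs a writable token is scheduled when the head repository differs from the base repository.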