fix: pull_request_target should not skip fork PR comments

The is_fork_pr() guard only applies to pull_request events where
GITHUB_TOKEN is read-only. With pull_request_target, the token
always has the workflow's configured permissions.

- Add is_fork_pr_with_readonly_token() that checks both
  is_fork_pr() and GITHUB_EVENT_NAME
- Update add_pr_comments() to use the new guard
- Add unit tests for the new helper
- Update README Option 2 to confirm pr-comments works with
  pull_request_target

Author: shenxianpeng

README.md

@@ -310,6 +310,10 @@ jobs:
           pr-comments: true
 ```
 
+> ✅ With `pull_request_target`, `pr-comments: true` **does work** on fork PRs —
+> the token has the workflow's configured permissions regardless of whether the PR
+> is from a fork.
+>
 > **When to use this:** Only if the two-workflow pattern is too complex for your setup
 > and you have thoroughly reviewed the security implications.
 

main.py

@@ -263,14 +263,25 @@ def is_fork_pr() -> bool:
         return False
 
 
+def is_fork_pr_with_readonly_token() -> bool:
+    """Returns True when the PR is from a fork AND the event has a read-only token.
+
+    Under the pull_request event, GITHUB_TOKEN is read-only for fork PRs.
+    Under pull_request_target, GITHUB_TOKEN has the workflow's configured
+    permissions regardless of whether the PR is from a fork.
+    """
+    return is_fork_pr() and os.getenv("GITHUB_EVENT_NAME", "") != "pull_request_target"
+
+
 def add_pr_comments() -> int:
     """Posts the commit check result as a comment on the pull request."""
     if not PR_COMMENTS_ENABLED:
         return 0
 
     # Fork PRs triggered by the pull_request event receive a read-only token;
     # the GitHub API will always reject comment writes with 403.
-    if is_fork_pr():
+    # pull_request_target events always have the configured token permissions.
+    if is_fork_pr_with_readonly_token():
         msg = (
             "Skipping PR comment: pull requests from forked repositories "
             "cannot write comments via the pull_request event (GITHUB_TOKEN is "

main_test.py

@@ -516,6 +516,30 @@ def test_fork_pr_writes_job_summary_hint(self):
         self.assertIn("fork-pr-comments", content)
 
 
+class TestIsForkPrWithReadonlyToken(unittest.TestCase):
+    def test_fork_pr_with_pull_request_event(self):
+        with (
+            patch("main.is_fork_pr", return_value=True),
+            patch.dict(os.environ, {"GITHUB_EVENT_NAME": "pull_request"}),
+        ):
+            self.assertTrue(main.is_fork_pr_with_readonly_token())
+
+    def test_fork_pr_with_pull_request_target_event(self):
+        """pull_request_target has write token — not considered read-only."""
+        with (
+            patch("main.is_fork_pr", return_value=True),
+            patch.dict(os.environ, {"GITHUB_EVENT_NAME": "pull_request_target"}),
+        ):
+            self.assertFalse(main.is_fork_pr_with_readonly_token())
+
+    def test_same_repo_not_fork(self):
+        with (
+            patch("main.is_fork_pr", return_value=False),
+            patch.dict(os.environ, {"GITHUB_EVENT_NAME": "pull_request"}),
+        ):
+            self.assertFalse(main.is_fork_pr_with_readonly_token())
+
+
 class TestIsForkPr(unittest.TestCase):
     def test_no_event_path(self):
         with patch.dict(os.environ, {}, clear=True):