Skip to content

Fix contribution message workflow permission issue on PR from fork#224

Merged
woojiahao merged 3 commits into
git-mastery:mainfrom
jovnc:fix/ci-message
Jan 11, 2026
Merged

Fix contribution message workflow permission issue on PR from fork#224
woojiahao merged 3 commits into
git-mastery:mainfrom
jovnc:fix/ci-message

Conversation

@jovnc
Copy link
Copy Markdown
Collaborator

@jovnc jovnc commented Jan 8, 2026
edited
Loading

Problem:

  • pull_request trigger type is forced for PRs that come from forks to only have read permission for all scopes regardless of what we set explicitly in the workflow -> results in permission issue in contribution comment

Source: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflows-in-forked-repositories

Proposed solution:

  • Use pull_request_target with restricted scope for GITHUB_TOKEN
  • Checkout to base repository default branch instead of the HEAD of the forked repository for security reasons (ensures we only run safe and trusted code in the main branch)

Source: https://www.linkedin.com/pulse/how-access-secrets-running-tests-forked-pull-requests-kylee-fields-7vcne/

Note: this change will only take effect for PRs that appear AFTER this PR is merged.

Alternative solution:

woojiahao
woojiahao requested changes Jan 9, 2026
View reviewed changes
Comment thread .github/workflows/contribution-message.yml Outdated
Comment on lines +14 to +15
- name: Checkout repository # Checks out to base repository default branch (for pull_request_target trigger)
uses: actions/checkout@v6 # DO NOT CHECKOUT TO HEAD UNSAFE (will checkout to head of the fork)
Copy link
Copy Markdown
Member

@woojiahao woojiahao Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's the purpose of these comments if there's no changes to the behavior? I would remove them since they don't really add anything. If you want to add a comment to not checkout to HEAD, add it as a line above the - name

Copy link
Copy Markdown
Collaborator Author

@jovnc jovnc Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@woojiahao There is a difference in behaviour if we are using pull_request_target vs. pull_request trigger.

pull_request checks out to the forks repo (since it is run in safer environment)
pull_request_target checks out to the base repo (that's why the updated gh action can only run after we merge this into main)

I'm adding this here as additional documentation why I made this change, but I can add it above -name

Copy link
Copy Markdown
Member

@woojiahao woojiahao Jan 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh no I get the difference between the triggers, I was just wondering why new comments were added

@jovnc jovnc requested a review from woojiahao January 9, 2026 13:54
woojiahao
woojiahao previously approved these changes Jan 11, 2026
View reviewed changes
@woojiahao woojiahao dismissed their stale review January 11, 2026 23:50

Checking again

woojiahao
woojiahao approved these changes Jan 11, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@woojiahao woojiahao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified against the documentation. The values of the fields should not change

@woojiahao woojiahao merged commit e592877 into git-mastery:main Jan 11, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@woojiahao woojiahao woojiahao approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jovnc @woojiahao