fix(ci): go-benchmark GH permissions#4193
Conversation
|
@gregfurman is attempting to deploy a commit to the Hatchet Team on Vercel. A member of the Team first needs to authorize it. |
BloggerBust
left a comment
There was a problem hiding this comment.
Hey @gregfurman I have reviewed and would like to suggest a couple of approaches.
The failing run (#4189) is from a fork, which is the cause here. On a fork PR, GITHUB_TOKEN is read-only regardless of the permissions: block, so issues.createComment returns 403. The job already has pull-requests: write, and has since the workflow was added, and actions/github-script already uses the workflow token by default. So github-token: ${{ secrets.GITHUB_TOKEN }} passes the same read-only token and changes nothing.
Options to handle fork PRs:
- Guard the comment step so a fork does not fail the job. Skip it when
github.event.pull_request.head.repo.full_name != github.repository, or setcontinue-on-error: true. Smallest change, but fork PRs get no benchmark comment. - Split the work. Run the benchmark on
pull_request(read-only) and upload the result as an artifact, then post the comment from aworkflow_runworkflow, which runs in the base repo context with a write token. Fork PRs get the comment, and no fork code runs with write access.
|
@BloggerBust Thanks for reviewing! The workflow run approach seems best but feels like overkill considering we have only now run into this issue. Perhaps worth considering whether we actually need comments or whether the benchmarks changing by some factor should actually just fail the job -- with the full table being printed as ASCII in the job's console output. |
|
I'll close this in any case since this is not actually fixing anything 🤦 |
Description
The go benchmark job does not pass in a required GH token, causing the PR commenting step to always fail with a 403.
See example CI failure :
Type of change
What's Changed
Checklist
Changes have been:
🤖 AI Disclosure