Post issue-bot PR comment from a workflow_run workflow#5728
Open
ondrejmirtes wants to merge 1 commit into
Conversation
The "Issue bot" workflow runs on the pull_request event, whose GITHUB_TOKEN is read-only and secret-less for PRs from forks — so its comment-posting step got a 403 "Resource not accessible by integration" on fork PRs.

Move all PR-comment posting into a new issue-bot-pr-comment.yml triggered by workflow_run, which runs in the base-repo context with a writable token and secrets, so it can comment on fork PRs too. It only consumes the pr-comment artifact (body + exit-code marker) produced by the analysis run; it never checks out or runs PR code, and it resolves the PR number from the trusted head SHA (workflow_run.pull_requests is empty for forks). Posting uses PHPSTAN_BOT_TOKEN so the comment comes from the bot account.

issue-bot.yml no longer needs pull-requests: write; the pr-comment-init and pr-comment-finalize jobs are removed and the exit code now travels in the artifact as a marker file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

Fixes the issue-bot PR comment failing on fork PRs with `403 Resource not accessible by integration` (e.g. this run).

Root cause: the "Issue bot" workflow runs on the `pull_request` event, and for PRs from forks GitHub forces `GITHUB_TOKEN` to read-only and withholds secrets — regardless of `permissions:` — so the comment POST is rejected.

This implements the `workflow_run` pattern:

- `.github/workflows/issue-bot-pr-comment.yml`, triggered by `workflow_run` on completion of "Issue bot". It runs in the base-repo context (writable token + secrets available), so it can comment on fork PRs. It only consumes the `pr-comment` artifact (comment body + exit-code marker); it never checks out or runs PR code, and resolves the PR number from the trusted `workflow_run.head_sha` (`workflow_run.pull_requests` is empty for forks). Posts with `PHPSTAN_BOT_TOKEN` so the comment comes from the bot account.
- `issue-bot.yml`: removed the `pr-comment-init` and `pr-comment-finalize` jobs and their `pull-requests: write` grants. The `evaluate` job still produces the `pr-comment` artifact; the exit code now travels inside it as a marker file (`pr-comment-exit-0` / `-2`) instead of a job output.
- […] `--post-comments` to `2.2.x`) is unchanged.

Validated locally with `actionlint` and `zizmor --persona=auditor` (the `workflow_run` `dangerous-triggers` finding is suppressed with an inline ignore, justified by the no-checkout / trusted-SHA design).

Notes / decisions

- […] `permissions: contents: read` at the top of `issue-bot.yml` (it's a read-only hardening default, not a comment-related grant, and removing it would surface security-linter alerts). Removed only the `pull-requests: write` grants. Say the word if you'd rather drop it entirely.
- […] `workflow_run` (completed), the comment is posted once, when analysis finishes. It can be re-added via a `workflow_run: [requested]` trigger if you want it back.

Test plan

- […] `2.2.x` → per-issue comments still posted via `PHPSTAN_BOT_TOKEN`.

🤖 Generated with Claude Code
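The consuming side of the `workflow_run` pattern the PR describes, written out as an added example that is not the PR's own workflow or code: it reads the unpacked `pr-comment` artifact (treating the body as untrusted text to be posted, never executed), recovers the exit code from the marker file, resolves the PR number from the trusted head SHA via the commits-to-pulls API (since `workflow_run.pull_requests` is empty for forks) and posts the comment. The artifact file names (`pr-comment-body.md`, `pr-comment-exit-N`), the `HEAD_SHA` / `ARTIFACT_DIR` environment variables and the `run()` helper are assumptions for this illustration; the GitHub REST paths and `GITHUB_REPOSITORY` are real. Network access goes through an injectable `api` callable so the logic can be checked offline against constructed responses.

```python
"""Added example (not the PR's code): post a PR comment from a workflow_run job
using only the analysis run's artifact and the trusted head SHA."""
import json
import os
import re
import tempfile
import urllib.request
from pathlib import Path

# Assumed marker scheme, modelled on the PR text ("pr-comment-exit-0/-2").
MARKER_RE = re.compile(r"^pr-comment-exit-(\d+)$")
BODY_FILE = "pr-comment-body.md"  # assumed name of the comment body file
MAX_BODY_BYTES = 65536            # GitHub's comment size limit


def read_artifact(artifact_dir):
    """Return (body, exit_code) from an unpacked artifact directory.

    Exactly one marker file must exist. The body comes from the PR's run and is
    untrusted data: it is only ever sent as a JSON string, never evaluated.
    """
    d = Path(artifact_dir)
    markers = [m for m in (MARKER_RE.match(p.name) for p in d.iterdir()) if m]
    if len(markers) != 1:
        raise ValueError(f"expected exactly one exit-code marker, found {len(markers)}")
    body = (d / BODY_FILE).read_text(encoding="utf-8")
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValueError("comment body exceeds GitHub's size limit")
    return body, int(markers[0].group(1))


def resolve_pr_number(api, repo, head_sha):
    """Find the single open PR whose head commit is exactly head_sha.

    GET /repos/{repo}/commits/{sha}/pulls lists every PR containing the commit,
    so the result is filtered on head.sha and state to avoid commenting on a
    stale or unrelated PR.
    """
    pulls = api("GET", f"/repos/{repo}/commits/{head_sha}/pulls")
    matches = [p["number"] for p in pulls
               if p.get("state") == "open" and p.get("head", {}).get("sha") == head_sha]
    if len(matches) != 1:
        raise LookupError(f"expected one open PR for {head_sha}, found {len(matches)}")
    return matches[0]


def post_comment(api, repo, pr_number, body):
    """POST the comment and return the comment id from the API response."""
    resp = api("POST", f"/repos/{repo}/issues/{pr_number}/comments", {"body": body})
    return resp["id"]


def github_api(token):
    """Real API client for CI use; the bot token is sent as a Bearer header."""
    def call(method, path, payload=None):
        data = json.dumps(payload).encode() if payload is not None else None
        req = urllib.request.Request("https://api.github.com" + path, data=data, method=method)
        req.add_header("Authorization", f"Bearer {token}")
        req.add_header("Accept", "application/vnd.github+json")
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req) as r:
            return json.load(r)
    return call


def run(artifact_dir, repo, head_sha, api):
    """End-to-end: returns (pr_number, comment_id, exit_code)."""
    body, exit_code = read_artifact(artifact_dir)
    pr = resolve_pr_number(api, repo, head_sha)
    return pr, post_comment(api, repo, pr, body), exit_code


def make_sample_artifact(exit_code=2, body="constructed comment body"):
    """Constructed artifact directory for offline demonstration."""
    d = tempfile.mkdtemp()
    Path(d, BODY_FILE).write_text(body, encoding="utf-8")
    Path(d, f"pr-comment-exit-{exit_code}").write_text("", encoding="utf-8")
    return d


def make_fake_api(calls):
    """Constructed API stand-in: records calls, returns fixed JSON."""
    def call(method, path, payload=None):
        calls.append((method, path, payload))
        if method == "GET":  # one closed, one open match, one open non-match
            return [{"number": 7, "state": "closed", "head": {"sha": "abc"}},
                    {"number": 9, "state": "open", "head": {"sha": "abc"}},
                    {"number": 11, "state": "open", "head": {"sha": "def"}}]
        return {"id": 123}
    return call


if __name__ == "__main__":
    if "PHPSTAN_BOT_TOKEN" in os.environ:  # real run inside the workflow_run job
        pr, cid, code = run(os.environ["ARTIFACT_DIR"], os.environ["GITHUB_REPOSITORY"],
                            os.environ["HEAD_SHA"], github_api(os.environ["PHPSTAN_BOT_TOKEN"]))
    else:                                   # offline demo with constructed data
        pr, cid, code = run(make_sample_artifact(), "owner/repo", "abc", make_fake_api([]))
    print(f"posted comment {cid} on PR #{pr}; analysis exit code {code}")
    raise SystemExit(code)
```

In the real job the head SHA comes from `github.event.workflow_run.head_sha`, which is supplied by GitHub and not by the artifact; everything read from the artifact is data. Filtering on `head.sha` matters because the commits-to-pulls lookup also returns PRs that merely contain the commit, and re-propagating the marker's exit code keeps the comment job's status in step with the analysis result.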