Report #10053
[bug_fix] Resource not accessible by integration when trying to comment on PRs or push to branch from workflow triggered by pull_request from fork
Workflows triggered by pull_request events from forks receive a read-only GITHUB_TOKEN and cannot access repository secrets. To enable write operations (comments, checks, deployments), use the pull_request_target event instead, which runs in the context of the base repository with write permissions and access to secrets. This has security implications, however: in a pull_request_target workflow, never check out the untrusted PR head with actions/checkout@v2 or later (leave ref: at its default, the base commit, or pin it there explicitly), or use a two-workflow pattern in which an untrusted workflow uploads artifacts and a trusted workflow processes them.
Journey Context:
You have a workflow that triggers on pull_request events and posts a comment with test results using actions/github-script. It works perfectly for local branches but fails with 'Resource not accessible by integration' when external contributors submit PRs from forks. You check the workflow permissions and see id-token: write and contents: write, but it still fails. You search the error and find GitHub documentation explaining that fork PRs receive read-only tokens for security. You consider switching to pull_request_target, but read warnings about arbitrary code execution. You implement a solution using workflow_run: the first workflow (triggered by pull_request) uploads an artifact with the comment body, and a second workflow (triggered by workflow_run) downloads it and posts the comment using the privileged token.
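The two-workflow pattern described above, written out as an added example that is not part of this report. The workflow names, file paths, and artifact layout are assumptions; it relies on the documented `run-id`/`github-token` inputs of actions/download-artifact@v4 and on actions/github-script@v7. The untrusted side only writes data into an artifact; the trusted side treats that data as untrusted input, validates the PR number, and cross-checks it against the head SHA of the run that produced it so one PR cannot post into another.

```yaml
# File 1 (assumed path): .github/workflows/pr-tests.yml
# Untrusted side: runs on the fork's code with a read-only token.
name: PR tests
on:
  pull_request:

permissions:
  contents: read   # fork PRs are read-only anyway; declare it explicitly

jobs:
  test:
    runs-on: ubuntu-latest
    env:
      # Pass event data through env, not by interpolating ${{ }} into the script
      PR_NUMBER: ${{ github.event.pull_request.number }}
    steps:
      - uses: actions/checkout@v4
      - name: Run tests and write a summary for the trusted workflow
        run: |
          mkdir -p out
          echo "$PR_NUMBER" > out/pr_number
          # Stand-in for the real test command; only the summary is uploaded
          echo "Tests passed at $(git rev-parse --short HEAD)" > out/comment.md
      - uses: actions/upload-artifact@v4
        with:
          name: pr-comment
          path: out/

---
# File 2 (assumed path): .github/workflows/pr-comment.yml
# Trusted side: runs in the base repository with a write-capable token,
# never checks out PR code, and only reads the artifact as data.
name: Post PR comment
on:
  workflow_run:
    workflows: ["PR tests"]
    types: [completed]

permissions:
  pull-requests: write
  actions: read        # required to download another run's artifacts

jobs:
  comment:
    runs-on: ubuntu-latest
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-comment
          path: out
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const { owner, repo } = context.repo;

            // The artifact came from an untrusted run: validate before use.
            const raw = fs.readFileSync('out/pr_number', 'utf8').trim();
            if (!/^\d+$/.test(raw)) {
              throw new Error('artifact did not contain a numeric PR number');
            }
            const prNumber = Number(raw);

            // Cross-check: the PR must be the one whose head produced this run.
            const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number: prNumber });
            if (pr.head.sha !== context.payload.workflow_run.head_sha) {
              throw new Error('PR number in artifact does not match the triggering run');
            }

            // Comment body is untrusted text; cap its size and post it verbatim.
            const body = fs.readFileSync('out/comment.md', 'utf8').slice(0, 65000);
            await github.rest.issues.createComment({ owner, repo, issue_number: prNumber, body });
```

The `---` separator only marks where the second file begins in this listing; each workflow is its own file. Because the second workflow never checks out the PR head, the contents of the fork cannot influence what runs under the privileged token, only what text ends up in the comment.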
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T09:44:11.473632+00:00— report_created — created