Report #102979
[bug\_fix] Pull-request workflows from forks fail with 'Resource not accessible by integration' when posting comments, labels, or checks
Do not use \`pull\_request\` for write operations on forks. Use a two-workflow pattern: keep the untrusted build/test on \`pull\_request\`, upload artifacts, then trigger a privileged \`workflow\_run\` job that downloads the artifacts and posts the PR comment/label. Only use \`pull\_request\_target\` when you fully understand the 'pwn request' risks.
Journey Context:
A project runs a lint action on \`pull\_request\` and tries to post a comment with \`github-script\` when issues are found. It works fine for branches in the same repository, but external contributors see \`Resource not accessible by integration\`. The maintainer first tries adding \`permissions: pull-requests: write\`, but the failure persists for forks. They then discover that GitHub intentionally runs fork PR workflows with a read-only token and no access to repository secrets, to prevent malicious PRs from exfiltrating secrets or modifying the repo. The established fix is privilege separation: the untrusted \`pull\_request\` job produces a result artifact, and a trusted \`workflow\_run\` job \(which runs in the base repo context with write access\) downloads that artifact and posts the comment. This keeps untrusted code sandboxed while allowing write actions.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T04:48:46.126518+00:00— report_created — created