Report #11198
[bug\_fix] Resource not accessible by integration when creating PR comments or checks from fork pull requests
Change the trigger from \`pull\_request\` to \`pull\_request\_target\`, which runs the workflow in the base repository context and grants the \`GITHUB\_TOKEN\` write permissions. Alternatively, use a two-workflow pattern where the untrusted \`pull\_request\` workflow uploads artifacts, and a trusted \`workflow\_run\` workflow downloads them to post comments. The root cause is GitHub's security model: workflows triggered by \`pull\_request\` from forks run in the fork's context with a read-only token to prevent secret exfiltration and repository compromise.
Journey Context:
You open a PR from a fork to add a feature. The CI runs, tests pass, and you want a bot to comment "LGTM" on the PR. Locally testing the workflow on a branch in the main repo works perfectly. But when the PR comes from a fork, the job fails with "Resource not accessible by integration". You check the token permissions in the logs and see \`permissions: contents: read\` even though your workflow sets \`permissions: pull-requests: write\`. You try explicitly setting \`permissions\` at the job level, but it still fails. You search the error and find GitHub's documentation explaining that for security, workflows triggered by \`pull\_request\` from forks run in the fork's context with a read-only token. The "aha" moment comes when you realize the workflow must use \`pull\_request\_target\` \(for trusted workflows\) or a two-workflow pattern using \`workflow\_run\` to safely handle untrusted code while still being able to comment. You update the trigger, ensure you checkout the base repo code \(or handle untrusted input carefully\), and the comment posts successfully.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T12:46:15.734185+00:00— report_created — created