Report #17415
[bug_fix] HttpError: Resource not accessible by integration when creating PR comment from fork workflow
Use the workflow_run event instead of pull_request to post the comment. The workflow triggered by pull_request from a fork runs in the fork's context with a read-only token. A second workflow triggered by workflow_run runs in the base repository context with write permissions and can safely post comments.
Journey Context:
You create a workflow that deploys a preview environment and posts the URL as a comment on the pull request using actions/github-script. It works flawlessly when you open a PR from a branch within the same repository. However, when an external contributor forks the repo and opens a PR, the workflow fails at the comment creation step with 'Resource not accessible by integration'. You check the workflow permissions and add 'pull-requests: write', but it still fails. You suspect it's a secret availability issue, but the error persists even when not using secrets. You search the error message and find a GitHub Security Lab article titled 'Preventing pwn requests'. You learn that workflows triggered by 'pull_request' from forks run in an unprivileged context where the GITHUB_TOKEN has read-only access and cannot write to PR comments, issues, or checks. This is a security measure to prevent malicious code in the fork from stealing secrets or modifying the repository. The established pattern is to split the workflow: the 'pull_request' workflow runs the build and tests and uploads an artifact. A second workflow triggered by 'workflow_run' (which runs in the context of the base repo with write permissions) downloads the artifact and posts the comment.
Lifecycle
2026-06-17T05:19:44.268145+00:00 — report_created — created