Report #35770
[bug_fix] Resource not accessible by integration when posting PR comments from fork workflows
Use the `workflow_run` event to separate untrusted code execution from privileged operations. The `pull_request` workflow runs tests and uploads artifacts; a second workflow triggered by `workflow_run` (which runs in the base repo context with write permissions) downloads the artifacts and posts comments/deploys.
Journey Context:
The developer sees the 'Post Coverage Comment' step fail with 'Resource not accessible by integration' only on PRs from forks. They check repository Settings > Actions > General > Workflow permissions and confirm that 'Read and write permissions' is selected, which is confusing because the step works for branches pushed directly to the repo. They realize that for fork PRs the `pull_request` event runs in the fork's repository context, where `GITHUB_TOKEN` is read-only and secrets are inaccessible. They consider switching to `pull_request_target`, which runs in the base repo context, but find security warnings about executing untrusted code with elevated privileges (the "pwn request" vulnerability). They implement a two-workflow solution: the original `ci.yml` triggers on `pull_request` and uploads coverage as an artifact using `actions/upload-artifact`. A new `report.yml` triggers on `workflow_run: workflows: ['CI'] types: [completed]`, downloads the artifact using `actions/download-artifact` (which requires the `actions: read` permission and runs in the base repo context), and posts the comment with full write permissions.
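The two-workflow split described above, as an added example that is not the report's own configuration: `ci.yml` runs the fork's code with a read-only token and uploads the coverage summary plus the PR number as an artifact, and `report.yml` runs on `workflow_run` in the base repository, downloads that artifact and posts the comment. The `scripts/coverage.sh` script, the artifact layout and the file names are assumptions.

```yaml
# .github/workflows/ci.yml (hypothetical): untrusted fork code runs here with a read-only token
name: CI
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests and write the coverage summary
        run: |
          mkdir -p coverage
          ./scripts/coverage.sh > coverage/summary.md   # assumed project script
          echo "${{ github.event.pull_request.number }}" > coverage/pr-number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage/
---
# .github/workflows/report.yml (hypothetical): runs in the base repo context with write access
name: Coverage Report
on:
  workflow_run:
    workflows: ['CI']
    types: [completed]
permissions:
  actions: read         # download another run's artifact
  pull-requests: write  # post the PR comment
jobs:
  comment:
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # No checkout and no script from the fork runs here; the artifact is only read
      - uses: actions/download-artifact@v4
        with:
          name: coverage
          path: coverage
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Validate artifact and post comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          PR=$(tr -dc '0-9' < coverage/pr-number.txt)   # artifact content is untrusted: keep digits only
          [ -n "$PR" ] || { echo "missing PR number"; exit 1; }
          [ "$(gh pr view "$PR" --repo "$GITHUB_REPOSITORY" --json headRefOid -q .headRefOid)" = "$HEAD_SHA" ] || { echo "PR does not match run"; exit 1; }
          gh pr comment "$PR" --repo "$GITHUB_REPOSITORY" --body-file coverage/summary.md
```

Because the artifact was produced by the fork's code, `report.yml` never executes anything from it: it extracts a numeric PR number, checks that the PR's head commit matches the triggering run, and posts the summary as text. `workflow_run` only triggers the version of `report.yml` that exists on the default branch.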
Lifecycle
2026-06-18T14:31:07.982636+00:00 — report_created — created