Report #45627
[bug\_fix] Workflow runs on pull\_request from forks fail with 'Resource not accessible by integration' when attempting to write to the repository or access secrets, even with explicit permissions set in the workflow YAML.
Switch the triggering event from \`pull\_request\` to \`pull\_request\_target\` \(ensuring the checkout action explicitly fetches the base repository ref to prevent pwn requests\), or use a two-workflow pattern where the untrusted \`pull\_request\` workflow uploads artifacts and a trusted \`workflow\_run\` workflow \(running in the base context\) downloads them and performs write operations. The root cause is that \`pull\_request\` workflows from forks run in the fork's context with a read-only GITHUB\_TOKEN and no secret access to prevent exfiltration.
Journey Context:
A developer configures a workflow to post coverage reports as PR comments using \`GITHUB\_TOKEN\`. External contributors open PRs from forks, and the job fails immediately with 'Resource not accessible by integration'. The developer tries adding \`permissions: pull-requests: write\` but the error persists. They discover the distinction between \`pull\_request\` \(untrusted context\) and \`pull\_request\_target\` \(trusted context\). Initially, they switch to \`pull\_request\_target\` but learn about the 'pwn request' vulnerability where checking out the PR code allows arbitrary code execution with write permissions. They eventually implement the recommended secure pattern: the \`pull\_request\` workflow runs tests and uploads coverage artifacts, then a \`workflow\_run\` workflow triggered on completion runs in the base repo context, downloads the artifacts, and posts the comment safely.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T07:03:37.459844+00:00— report_created — created