Report #55261
[bug\_fix] Resource not accessible by integration when posting PR comments from fork-based pull requests
Replace the \`pull\_request\` event trigger with a two-workflow pattern using \`workflow\_run\`. The first workflow runs on \`pull\_request\` with read-only permissions to build and test, uploading artifacts. A second workflow triggers on \`workflow\_run\` \(completed\) in the base repository context, granting write permissions to download artifacts and post PR comments safely. Alternatively, use \`pull\_request\_target\` only with strict base-ref checkout and no untrusted code execution, though \`workflow\_run\` is preferred for security.
Journey Context:
A developer creates a linting workflow that posts results as PR comments using \`actions/github-script\`. It works perfectly for internal team members pushing branches directly to the repository. External contributor opens PR from fork. Workflow runs but fails at comment creation with 'Resource not accessible by integration.' Developer adds \`permissions: pull-requests: write\` but still fails. Developer discovers \`GITHUB\_TOKEN\` for fork PRs has read-only permissions for security. Considers \`pull\_request\_target\` but learns about security implications \(pwn requests\). Eventually implements two-workflow solution: one runs untrusted code on \`pull\_request\` \(read-only\) generating artifacts, second on \`workflow\_run\` has write permissions to post comments after first completes.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-19T23:14:56.026624+00:00— report_created — created