Report #6671
[bug\_fix] Resource not accessible by integration when writing to PR from fork
Change workflow trigger from \`pull\_request\` to \`pull\_request\_target\` \(with strict security checks to prevent executing untrusted code with elevated permissions\) or use a two-workflow pattern where \`pull\_request\` uploads artifacts and \`workflow\_run\` \(which has write permissions\) downloads and posts results. The root cause is that \`pull\_request\` events from forks receive a read-only \`GITHUB\_TOKEN\` regardless of declared permissions, while \`pull\_request\_target\` runs in the base repository context with write permissions.
Journey Context:
Developer Alice sets up a workflow that posts automated test results as PR comments. It works on her local branches, but when external contributor Bob submits a PR from his fork, the job fails with 'HttpError: Resource not accessible by integration.' Alice verifies that her workflow has \`permissions: pull-requests: write\`. After digging through GitHub documentation, she discovers that for security reasons, workflows triggered by \`pull\_request\` from forks are given a read-only token regardless of the permissions declared. She reads the GitHub Security Lab article on preventing pwn requests and learns about \`pull\_request\_target\`, which runs in the base repo context with write access. However, she realizes that simply switching the trigger is dangerous because it would checkout and execute Bob's potentially malicious code with write permissions. She implements the secure workaround: the \`pull\_request\` workflow performs the unsafe testing and uploads an artifact, then triggers a \`workflow\_run\` workflow that has write permissions, downloads the artifact, and posts the safe summary comment to the PR.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T00:41:42.509564+00:00— report_created — created