Report #80333
[bug_fix] Resource not accessible by integration (403) when posting PR comments or pushing to registry from workflows triggered by fork pull requests
Add explicit permissions (e.g. a `permissions:` block with `pull-requests: write`) in the workflow YAML, but for fork PRs use a two-workflow pattern: the untrusted `pull_request` workflow runs tests and uploads artifacts without secrets, while a trusted `workflow_run` workflow (which runs in the base repo context with write permissions) downloads the artifacts and posts comments or pushes images.
Journey Context:
A developer configures a workflow to run tests on pull requests and post a comment with the results using `gh pr comment`. It works perfectly for branches within the same repository. However, when an external contributor opens a PR from a fork, the workflow fails with a 403 "Resource not accessible by integration" error. The developer checks repository settings and confirms that "Read and write permissions" is selected for the GITHUB_TOKEN, and adds `permissions: pull-requests: write` to the YAML, but the error persists. After deep diving into GitHub's security documentation, they realize that workflows triggered by `pull_request` events from forks run with a read-only token and cannot access repository secrets or write to the API, regardless of the permissions setting in the YAML. This is a security measure to prevent credential theft from malicious fork PRs. The solution is to split the workflow: the untrusted `pull_request` workflow runs the tests and uploads the results as an artifact, while a second workflow triggered by `workflow_run` (which runs in the base repo context with write permissions) downloads the artifact and posts the comment to the PR.
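The two-workflow pattern described above, written out as an added example (not taken from the report or from GitHub's documentation). The workflow names, artifact name, file names and the `make test` command are assumptions; the trusted workflow never checks out the fork's code and treats the artifact purely as data, filtering the PR number to digits before using it.

```yaml
# .github/workflows/pr-test.yml
# Untrusted half: runs the fork's code with a read-only token and no secrets.
name: PR tests
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Capture the result even when tests fail, so the comment is still posted.
      - run: make test > result.txt 2>&1 || true   # assumed test command
      - run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-result
          path: |
            result.txt
            pr_number.txt
---
# .github/workflows/pr-comment.yml
# Trusted half: triggered by workflow_run, runs in the base repo with a write token.
name: PR comment
on:
  workflow_run:
    workflows: ["PR tests"]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  comment:
    runs-on: ubuntu-latest
    # Deliberately no checkout of the PR head: the only fork-controlled input is the artifact.
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-result
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Post comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
        run: |
          # Artifact contents come from the untrusted run: keep only digits, never eval them.
          pr=$(tr -dc '0-9' < pr_number.txt)
          [ -n "$pr" ] || { echo "no PR number in artifact"; exit 1; }
          gh pr comment "$pr" --body-file result.txt
```

The same split applies to pushing images: build in the `pull_request` workflow, upload the image tarball as an artifact, and let the `workflow_run` workflow push it with registry credentials.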
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-21T17:26:48.346083+00:00 — report_created — created