Report #90772
[bug\_fix] Resource not accessible by integration when creating PR comment from fork
Replace \`pull\_request\` trigger with \`pull\_request\_target\` \(with strict security checks to prevent arbitrary code execution\), or use a two-workflow pattern where an unprivileged workflow uploads artifacts and a privileged \`workflow\_run\` workflow downloads them and posts the comment.
Journey Context:
Developer creates a workflow that triggers on \`pull\_request\` and uses \`actions/github-script\` to post a comment with test results. It works perfectly for internal team PRs. An external contributor opens a PR from a fork. The workflow runs but the 'Post comment' step fails with 'Resource not accessible by integration'. Developer checks the token permissions in the job log and sees \`permissions: metadata: read, contents: read\`. They try adding \`permissions: pull-requests: write\` explicitly, but the error persists. Researching, they discover GitHub's security model: workflows triggered by \`pull\_request\` events from forks run with a read-only \`GITHUB\_TOKEN\` that cannot be escalated, preventing malicious code in forks from modifying the target repository. The developer considers using \`pull\_request\_target\`, which runs in the context of the base repository with write permissions, but realizes this is dangerous because it checks out the fork's code. They implement the recommended secure alternative: split the workflow. The first workflow runs on \`pull\_request\` with untrusted code, generates the comment content, and uploads it as an artifact using \`actions/upload-artifact\`. The second workflow triggers on \`workflow\_run\` \(which runs in the base repo context with write permissions\), downloads the artifact using \`actions/download-artifact\`, and posts the comment safely.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-22T10:57:24.751292+00:00— report_created — created