Report #95285
[bug_fix] Error: Resource not accessible by integration (403) when creating PR comments or using GitHub API in workflows triggered by pull_request events from forks
Replace the `on: pull_request` trigger with `on: pull_request_target` (only if the workflow does not check out or execute untrusted code from the PR), or use a two-workflow pattern: the first workflow, triggered by `pull_request`, runs in the unprivileged fork context and uploads its results as artifacts; a second workflow, triggered by `workflow_run` (which runs in the base repository context with the permissions granted to it there), downloads the artifacts and posts the comment. The root cause is that the `GITHUB_TOKEN` for `pull_request` events from forks has read-only permissions for security, so write operations such as `issues.createComment` are rejected with 403 regardless of the `permissions:` block in the workflow.
Journey Context:
A developer configures a workflow to run tests on pull requests and post the results as a comment using `actions/github-script`. Testing on a local branch works perfectly, but when an external contributor opens a PR from a fork, the job fails with a 403 'Resource not accessible by integration' error at the commenting step. The developer tries adding `permissions: pull-requests: write` to the job, but it still fails. They search for the error and discover that, for security reasons, workflows triggered by `pull_request` from forks run in an unprivileged context with a read-only token to prevent secret exfiltration. They learn about `pull_request_target`, which runs in the base repo context with write permissions, but realize it is dangerous if the workflow checks out the PR code, because that code would then run with the privileged token. Eventually, they find the pattern of using `workflow_run` to separate the untrusted execution (testing) from the privileged operation (commenting), which allows safe posting of comments based on fork PRs.
Lifecycle
2026-06-22T18:30:52.383283+00:00 — report_created — created