fix(ci): use pull_request_target in readme-pr-check so fork PRs work#3840
Open
yoryocoruxo-ai wants to merge 1 commit intomodelcontextprotocol:mainfrom
Open
Conversation
The README PR Check workflow triggers on 'pull_request', which gives the
GITHUB_TOKEN read-only permissions when the PR comes from a fork. This
caused every fork PR (the vast majority) to fail with:
HttpError: Resource not accessible by integration (403)
POST /repos/.../issues/{n}/labels
Switch to 'pull_request_target' so the workflow runs in the base repo
context with the permissions declared in the job. This is safe here
because the workflow never checks out PR code — it only calls the GitHub
REST/GraphQL API to add a label and post a comment.
Also add 'issues: write' alongside 'pull-requests: write' since
addLabels/createComment use the issues endpoint internally.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
README PR Checkworkflow is currently failing on every PR opened from a fork (which is the vast majority of contributions to this repo). Example failed runs from the last couple of days: #24010860831, #24010684932, #24007350839, #24003674827, and many more — the full list on the workflow page shows the pattern: anything from a fork is red, only the one internal-branch run is green.All of them fail the same way:
Root cause
The workflow triggers on
pull_request. When apull_requestevent comes from a fork, theGITHUB_TOKENis read-only regardless of thepermissions:block in the job — that is the documented GitHub Actions security model. SoaddLabels/createCommentcan never succeed for the 99% case this workflow was written for.Fix
pull_request_target. This runs the workflow in the context of the base repo, so thepermissions:block is actually honored and the token can write labels/comments.issues: writenext topull-requests: write, sinceaddLabelsandcreateCommentboth hit the/issues/endpoint (the 403 response header even tells us:x-accepted-github-permissions: issues=write; pull_requests=write).if:guard oncheck-readme-onlyto match the new event name.Why
pull_request_targetis safe herepull_request_targetis normally dangerous because it runs with write privileges againstgithub.event.pull_request.head.ref— i.e. attacker-controlled code. This workflow never does acheckoutand never executes anything from the PR. It only callsoctokit(pulls.listFiles,issues.addLabels,issues.createComment) which read metadata and write labels/comments. There is no code-execution surface from the fork.Test plan
README.mdgets labeledreadme: pendingand commented instead of erroring/i-promise-this-is-not-a-new-serverstill swaps labels correctly (thehandle-confirmationjob was already fine — it runs onissue_commentwhich doesn't have the fork-token problem — but I addedissues: writethere too for consistency since it callsaddLabels/removeLabel)files.length !== 1 || files[0].filename !== 'README.md'check is unchanged)