fix: split build/comment workflows to fix fork PR permissions#48

Merged
RadicalMuffinMan merged 2 commits into Moonfin-Client:master from enyineer:fix/secure-pr-comments
Mar 14, 2026

Conversation

@enyineer
Contributor

Problem

The build workflow from PR #42 fails on fork PRs with:

Error: Unhandled error: HttpError: Resource not accessible by integration

See: Failed run on PR #43

This happens because pull_request events from forks run with a read-only GITHUB_TOKEN. The workflow tries to post a PR comment (pull-requests: write), which is blocked by GitHub's security model for fork PRs — regardless of the permissions block in the YAML.

Fix

Split the workflow into two files:

| Workflow | Trigger | Access | Purpose |
| --- | --- | --- | --- |
| build.yml | pull_request | Read-only | Builds the plugin, uploads outcomes + logs as a build-results artifact |
| comment.yml | workflow_run | Write | Reads the artifact, posts the PR comment — never checks out or runs fork code |

This is the recommended secure pattern from GitHub Security Lab. The comment.yml workflow runs in the base repo context with write access, but only reads trusted artifact data — it never executes untrusted code from the PR.

Additional improvements included

  • set -o pipefail on build steps (prevents tee from masking exit codes)
  • Step dependency guards (downstream steps skip when a predecessor fails)
  • Packaging steps gated on successful build

The build workflow uses pull_request (read-only, safe for fork code).
The comment workflow uses workflow_run (write access, never runs
untrusted code — only reads the build-results artifact).
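What the split looks like in practice, written here as an added illustration rather than the PR's actual workflow files: the first file runs on `pull_request` with a read-only token and only uploads data; the second runs on `workflow_run` in the base repo with write access, downloads that data, and never checks out or executes anything from the fork. The workflow name `Build`, the `./gradlew build` command, the file names inside the `build-results` artifact and the `actions/*` action versions are assumptions, not taken from the Moonfin-Client repository. The comment job also treats everything in the artifact as untrusted input: it validates the claimed PR number against the head SHA of the run that produced the artifact before posting, and it never interpolates artifact contents into a shell step.

```yaml
# --- .github/workflows/build.yml (assumed layout, example only) ---
name: Build
on:
  pull_request:
permissions:
  contents: read          # fork PRs get read-only anyway; make it explicit
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build plugin
        id: build
        shell: bash
        run: |
          set -o pipefail                        # tee must not mask the build's exit code
          mkdir -p results
          ./gradlew build 2>&1 | tee results/build.log   # assumed build command
      - name: Package
        if: steps.build.outcome == 'success'     # gate packaging on a successful build
        run: ./gradlew assemble
      - name: Record PR number and build outcome
        if: always()                             # record a failure as well as a success
        run: |
          echo "${{ github.event.pull_request.number }}" > results/pr-number
          echo "${{ steps.build.outcome }}" > results/build-outcome
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: build-results
          path: results/

# --- .github/workflows/comment.yml (assumed layout, example only) ---
name: Comment
on:
  workflow_run:
    workflows: ["Build"]
    types: [completed]
permissions:
  actions: read           # needed to download another run's artifact
  pull-requests: write    # needed to post the comment
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request'
    steps:
      # No actions/checkout here: nothing from the fork is ever executed.
      - uses: actions/download-artifact@v4
        with:
          name: build-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const run = context.payload.workflow_run;
            // Artifact contents were produced by the fork build: untrusted data.
            const prNumber = Number(fs.readFileSync('pr-number', 'utf8').trim());
            if (!Number.isInteger(prNumber) || prNumber <= 0) {
              core.setFailed('artifact carried an invalid PR number');
              return;
            }
            // Confirm the claimed PR is really the one that produced this run.
            const { data: pr } = await github.rest.pulls.get({
              owner: context.repo.owner, repo: context.repo.repo, pull_number: prNumber,
            });
            if (pr.head.sha !== run.head_sha) {
              core.setFailed('PR number in artifact does not match the run head SHA');
              return;
            }
            const outcome = fs.readFileSync('build-outcome', 'utf8').trim();
            const log = fs.readFileSync('build.log', 'utf8').slice(-4000); // cap comment size
            const body = [
              `### Build ${outcome === 'success' ? 'succeeded' : 'failed'} for ${run.head_sha.slice(0, 7)}`,
              '~~~',
              log,
              '~~~',
            ].join('\n');
            await github.rest.issues.createComment({
              owner: context.repo.owner, repo: context.repo.repo,
              issue_number: prNumber, body,
            });
```

The head-SHA check matters because a fork can write any PR number into its artifact; without it, a malicious fork build could direct the base repo's token to comment on an unrelated PR. If the branch was force-pushed between the build and the comment run, the check fails closed and the comment is simply skipped.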
@enyineer
Contributor Author

Tested in my Fork: enyineer#3

Workflow works like before, should now also work in this repo for Fork-PRs as soon as it's merged to master.

@RadicalMuffinMan RadicalMuffinMan merged commit 8c538be into Moonfin-Client:master Mar 14, 2026
1 check passed
@enyineer enyineer deleted the fix/secure-pr-comments branch March 14, 2026 08:25