Skip coverage PR comment on fork pull requests #1404
The `orgoro/coverage` action requires `pull-requests: write` permissions to post its summary comment. However, GitHub's default security model restricts the `GITHUB_TOKEN` to read-only for pull requests originating from external forks, which was resulting in pipeline failures with: `HttpError: Resource not accessible by integration`. Added a condition to ensure the job only evaluates when `github.event.pull_request.head.repo.full_name == github.repository`, cleanly skipping the step for external contributors instead of failing.
adf5cc9 to e988119
Pull request overview
Updates the CI workflow to avoid failing coverage-comment posting on pull requests from external forks by gating the job on whether the PR head repo matches the base repository.
Changes:
- Add a repository-equality condition to the coverage-comment job so it only runs for non-fork PRs.
| add_coverage_to_pullrequest: | ||
| if: github.event_name == 'pull_request' && (success() || failure()) | ||
| if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && (success() || failure()) |
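Review bot: the new `if:` on `add_coverage_to_pullrequest` carries no comment explaining why `github.event.pull_request.head.repo.full_name == github.repository` is there, so the guard is easy to drop in a later cleanup. Add a one-line YAML comment above it saying that fork PRs get a read-only `GITHUB_TOKEN` and that the coverage comment needs `pull-requests: write`. Because the condition sits on the job rather than on a step, fork PRs now produce no coverage output at all; confirm that is intended, or decide whether external contributors should still see the numbers some other way.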
(success() || failure()) is a common workaround to run after a failed dependency, but GitHub Actions provides always() for this use case and it also covers canceled runs. Consider replacing (success() || failure()) with always() to ensure the job runs in all terminal states while still keeping the fork guard.
| if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && (success() || failure()) | |
| if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && always() |
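Review bot: `always()` at the end of the suggested `if:` also lets the job run when the workflow is cancelled, a state that `(success() || failure())` excluded; in that state earlier jobs may not have produced a coverage report to post. `!cancelled()` keeps the run-after-failure behaviour without running on cancelled workflows, and GitHub's documentation recommends it over `always()` for this purpose.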
☂️ Python Coverage
Overall Coverage
New Files: No new covered files...
Modified Files: No covered modified files...
Test Results: 4 files, 4 suites, 40m 49s ⏱️. Results for commit e988119.