
fix(ci): use workflow_run pattern to restore write access for fork PR previews#43

Merged
likeajumprope merged 2 commits into main from copilot/fix-deploy-preview-job-another-one on Jun 11, 2026

Conversation

Copilot AI commented Jun 11, 2026


GitHub silently restricts GITHUB_TOKEN to read-only when a pull_request_target workflow is triggered by a fork PR that modifies any file under .github/workflows/ — regardless of permissions: contents: write in the workflow. PR #40 modifies deploy.yml, which triggered this restriction and caused the peaceiris/actions-gh-pages push to fail with 403.

Changes

  • pr-preview.yml — stripped down to build-only; no longer pushes to gh-pages

    • Drops contents: write; now runs with contents: read
    • On open/sync: builds the frontend and uploads dist as a workflow artifact (pr-preview-{N})
    • On close: uploads a small signal artifact (pr-closed-{N}) to trigger cleanup downstream
  • .github/workflows/pr-deploy.yml (new) — handles all write operations via workflow_run

    • workflow_run always executes in the base repo's context and is not subject to the fork-workflow-file token restriction
    • deploy-preview job: downloads pr-preview-* artifact → deploys to gh-pages → posts/updates PR comment
    • cleanup-preview job: downloads pr-closed-* artifact → checks out gh-pages → removes preview directory
# pr-deploy.yml — gets full write access regardless of fork restrictions
on:
  workflow_run:
    workflows: ["PR Preview"]
    types: [completed]

permissions:
  contents: write
  pull-requests: write
  actions: read   # needed to download artifacts from the triggering run

…n fork PRs

GitHub restricts GITHUB_TOKEN to read-only for pull_request_target workflows
triggered by a fork PR that modifies any workflow file (even with an explicit
`contents: write` declaration). PR #40 modifies deploy.yml, causing the
403 Permission denied when peaceiris/actions-gh-pages tries to push to gh-pages.

Fix: split into two workflows following the GitHub-recommended workflow_run
pattern:
- pr-preview.yml: build-only (contents: read), uploads dist as artifact
- pr-deploy.yml: triggered by workflow_run, always gets full write access
  from the base repository's token regardless of fork restrictions
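The split described above moves the write-capable token into pr-deploy.yml, which then consumes an artifact produced by a build of fork-controlled code. As an added example, not code from the ReproInventory repository or from this PR, the Python below shows the checks a workflow_run deploy job would run before it touches gh-pages: derive the PR number only from a strictly matched artifact name, bind that number back to the triggering run through head_sha and head_repository, and refuse an extracted dist tree that contains symlinks or paths escaping the target directory. The pr-preview-{N} and pr-closed-{N} names come from the PR description; the artifact list, run payload and PR object are constructed sample data, and decide, pr_lookup and the other function names are this example's own.

```python
"""Trust-boundary checks for a workflow_run deploy job that publishes fork-PR
build output to gh-pages.

Added example, not the ReproInventory project's code. Assumes the artifact
names from the PR description (pr-preview-{N} on open/sync, pr-closed-{N} on
close) and the head_sha / head_repository fields of the workflow_run payload.
All data at the bottom is constructed sample data.
"""

import os
import posixpath
import re

# Anchored on the whole name: a name can never smuggle a path component.
PREVIEW_RE = re.compile(r"^pr-preview-([1-9][0-9]*)$")
CLOSED_RE = re.compile(r"^pr-closed-([1-9][0-9]*)$")


def plan_from_artifacts(artifacts):
    """Pick the single signal artifact of the triggering run.

    Returns ("deploy" | "cleanup", pr_number, artifact_name), or None when no
    usable signal artifact exists. Raises if more than one is present, since
    the deploy job must not guess which PR it is publishing.
    """
    plans = []
    for art in artifacts:
        if art.get("expired"):
            continue
        name = art["name"]
        m = PREVIEW_RE.match(name)
        if m:
            plans.append(("deploy", int(m.group(1)), name))
            continue
        m = CLOSED_RE.match(name)
        if m:
            plans.append(("cleanup", int(m.group(1)), name))
    if not plans:
        return None
    if len(plans) > 1:
        raise ValueError(f"ambiguous signal artifacts: {plans}")
    return plans[0]


def pr_matches_run(pr, workflow_run):
    """The PR number came from an artifact name; bind it back to the run.

    The PR's current head must be the commit the triggering run built, from
    the same head repository. A re-pushed or mismatched PR is not deployed.
    """
    return (
        pr["head"]["sha"] == workflow_run["head_sha"]
        and pr["head"]["repo"]["full_name"]
        == workflow_run["head_repository"]["full_name"]
    )


def preview_subpath(pr_number):
    """Directory for one PR's preview, relative to the gh-pages checkout."""
    if not isinstance(pr_number, int) or pr_number <= 0:
        raise ValueError("pr_number must be a positive int")
    return posixpath.join("pr-previews", f"pr-{pr_number}")


def dist_entries(dist_dir):
    """Walk an extracted artifact; yield (relative_path, is_symlink) pairs."""
    for dirpath, dirnames, filenames in os.walk(dist_dir):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, dist_dir).replace(os.sep, "/")
            yield rel, os.path.islink(full)


def entries_are_safe(entries):
    """Zip-slip guard: reject symlinks, absolute paths and paths that
    normalise outside the tree, before anything is copied into gh-pages."""
    for rel, is_symlink in entries:
        if is_symlink:
            return False
        if rel.startswith(("/", "\\")) or "\\" in rel:
            return False
        norm = posixpath.normpath(rel)
        if norm in (".", "..") or norm.startswith("../"):
            return False
    return True


def decide(artifacts, workflow_run, pr_lookup):
    """Full decision for the deploy job. pr_lookup(number) returns the PR
    object (in a real job: GET /repos/{owner}/{repo}/pulls/{number}).
    Returns (action, subpath) or ("skip", reason)."""
    plan = plan_from_artifacts(artifacts)
    if plan is None:
        return ("skip", "no signal artifact")
    action, number, _ = plan
    if action == "deploy" and not pr_matches_run(pr_lookup(number), workflow_run):
        return ("skip", "artifact does not match current PR head")
    return (action, preview_subpath(number))


# Constructed sample data shaped like the REST artifact list and event payload.
SAMPLE_ARTIFACTS = [{"name": "pr-preview-43", "expired": False}]
SAMPLE_RUN = {"head_sha": "a" * 40,
              "head_repository": {"full_name": "fork-owner/ReproInventory"}}
SAMPLE_PR = {"number": 43,
             "head": {"sha": "a" * 40,
                      "repo": {"full_name": "fork-owner/ReproInventory"}}}

if __name__ == "__main__":
    print(decide(SAMPLE_ARTIFACTS, SAMPLE_RUN, lambda n: SAMPLE_PR))
```

In a job these functions would sit between the artifact download (actions/download-artifact v4 can fetch from the triggering run given its run-id and a token) and the push to gh-pages, so that nothing read from the artifact reaches a write operation unvalidated. One caveat the workflow_run split does not remove: the preview is served from the same GitHub Pages origin as the main site, so HTML and scripts supplied by a fork execute on that origin.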
Copilot AI changed the title from "[WIP] Fix failing GitHub Actions job deploy-preview" to "fix(ci): use workflow_run pattern to restore write access for fork PR previews" Jun 11, 2026
Copilot AI requested a review from likeajumprope June 11, 2026 14:48
@github-actions


🔍 PR Preview

Preview URL: https://ReproNim.github.io/ReproInventory/pr-previews/pr-43/

Last updated: Thu, 11 Jun 2026 15:06:04 GMT

@likeajumprope likeajumprope marked this pull request as ready for review June 11, 2026 15:43
@likeajumprope likeajumprope merged commit ff61b77 into main Jun 11, 2026
3 checks passed
github-actions Bot added a commit that referenced this pull request Jun 11, 2026