Skip to content

fix(github): Use pull_request_target for changelog preview on fork PRs #723

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
BYK merged 1 commit into from
Jan 16, 2026
Merged

fix(github): Use pull_request_target for changelog preview on fork PRs #723

BYK merged 1 commit into from
Jan 16, 2026

Conversation

@BYK
Copy link
Member

@BYK BYK commented Jan 15, 2026

Summary

Fixes changelog-preview workflow failing with HTTP 403 on PRs from forks.

Problem: The pull_request event provides a read-only GITHUB_TOKEN for fork PRs (security measure), preventing the workflow from posting comments.

Solution: Switch to pull_request_target which runs in the base repository context with write permissions.

Changes

  • Changed event trigger from pull_request to pull_request_target
  • Added explicit ref to checkout step (required because pull_request_target defaults to base branch)
  • Updated documentation to recommend callers use pull_request_target
  • Added security note explaining why this approach is safe

Security

This is safe because:

  • Craft binary is downloaded from releases, not from the PR
  • Only git metadata and .craft.yml config are read
  • No code from the PR is ever executed

@BYK BYK force-pushed the fix/changelog-preview-fork-prs branch 3 times, most recently from f2ba794 to f9d81f3 Compare January 15, 2026 22:53
@github-actions
Copy link
Contributor

github-actions bot commented Jan 15, 2026
edited
Loading

PR Preview Action v1.8.0
Preview removed because the pull request was closed.
2026-01-16 12:00 UTC

@BYK BYK marked this pull request as ready for review January 15, 2026 22:54
@BYK BYK enabled auto-merge (squash) January 15, 2026 22:54
sentry[bot]
sentry bot reviewed Jan 15, 2026
View reviewed changes
@BYK
fix(github): Use pull_request_target for changelog preview on fork PRs
499b4cc 
The changelog-preview workflow failed with HTTP 403 when trying to post
comments on PRs from forks because the pull_request event provides a
read-only GITHUB_TOKEN for security reasons.

Switch to pull_request_target which runs in the base repo context with
write permissions. This requires explicitly specifying the PR merge ref
for checkout since pull_request_target defaults to the base branch.

This is safe because the workflow only reads git metadata and config -
no PR code is executed (Craft binary comes from releases).
@BYK BYK force-pushed the fix/changelog-preview-fork-prs branch from f9d81f3 to 499b4cc Compare January 15, 2026 23:07
@BYK BYK merged commit d0f6f7d into master Jan 16, 2026
15 of 16 checks passed
@BYK BYK deleted the fix/changelog-preview-fork-prs branch January 16, 2026 12:00
@sentry-release-bot sentry-release-bot bot mentioned this pull request Jan 22, 2026
Closed
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@betegon betegon betegon approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@BYK @betegon