Skip to content

fix(github): Use pull_request_target for changelog preview on fork PRs#723

Merged
BYK merged 1 commit intomasterfrom
fix/changelog-preview-fork-prs
Jan 16, 2026
Merged

fix(github): Use pull_request_target for changelog preview on fork PRs#723
BYK merged 1 commit intomasterfrom
fix/changelog-preview-fork-prs

Conversation

@BYK
Copy link
Member

@BYK BYK commented Jan 15, 2026

Summary

Fixes changelog-preview workflow failing with HTTP 403 on PRs from forks.

Problem: The pull_request event provides a read-only GITHUB_TOKEN for fork PRs (security measure), preventing the workflow from posting comments.

Solution: Switch to pull_request_target which runs in the base repository context with write permissions.

Changes

  • Changed event trigger from pull_request to pull_request_target
  • Added explicit ref to checkout step (required because pull_request_target defaults to base branch)
  • Updated documentation to recommend callers use pull_request_target
  • Added security note explaining why this approach is safe

Security

This is safe because:

  • Craft binary is downloaded from releases, not from the PR
  • Only git metadata and .craft.yml config are read
  • No code from the PR is ever executed

@BYK BYK force-pushed the fix/changelog-preview-fork-prs branch 3 times, most recently from f2ba794 to f9d81f3 Compare January 15, 2026 22:53
@github-actions
Copy link
Contributor

github-actions bot commented Jan 15, 2026
edited
Loading

PR Preview Action v1.8.0
Preview removed because the pull request was closed.
2026-01-16 12:00 UTC

@BYK BYK marked this pull request as ready for review January 15, 2026 22:54
@BYK BYK enabled auto-merge (squash) January 15, 2026 22:54
sentry[bot]
sentry bot reviewed Jan 15, 2026
View reviewed changes
@BYK
fix(github): Use pull_request_target for changelog preview on fork PRs
499b4cc 
The changelog-preview workflow failed with HTTP 403 when trying to post
comments on PRs from forks because the pull_request event provides a
read-only GITHUB_TOKEN for security reasons.

Switch to pull_request_target which runs in the base repo context with
write permissions. This requires explicitly specifying the PR merge ref
for checkout since pull_request_target defaults to the base branch.

This is safe because the workflow only reads git metadata and config -
no PR code is executed (Craft binary comes from releases).
@BYK BYK force-pushed the fix/changelog-preview-fork-prs branch from f9d81f3 to 499b4cc Compare January 15, 2026 23:07
@BYK BYK merged commit d0f6f7d into master Jan 16, 2026
15 of 16 checks passed
@BYK BYK deleted the fix/changelog-preview-fork-prs branch January 16, 2026 12:00
@sentry-release-bot sentry-release-bot bot mentioned this pull request Jan 22, 2026
Closed
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sentry sentry[bot] sentry[bot] left review comments

@betegon betegon betegon approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BYK @betegon