GH Actions: fix PR comment conundrum #43

Merged
merged 1 commit into from
Jul 31, 2025

jrfnl (Member) commented Jul 31, 2025

Description

As described in issue #42, the PR comment to review the pre-processed wiki files was not being posted on PRs coming from forks, while it is all the more relevant for those, as outside contributors may not be aware of the artifact with the wiki files being available.

I've now done some more research into this and believe the changes in this PR will fix this.

The most important take-away from my research is as follows:

  • Workflows triggered by a PR from a fork only have "read" access via the secrets.GITHUB_TOKEN and no access to Personal Access Tokens.
  • However, workflows can trigger other workflows and those "follow-on" workflows can have "write" access via the secrets.GITHUB_TOKEN as they are run in the context of the main branch, not in the context of the PR branch (which is also why I had to briefly use main to test this PR).

So, with that in mind, I've moved the "comment on PR" step to a separate workflow which is triggered once the "Publish wiki" workflow has completed and will only run for pull requests.

This new workflow had access to the artifacts created by the triggering workflow, but doesn't have access to much else, while it needs access to the PR number of the PR which triggered the workflow cascade + access to the download URL for the wiki files artifact.

Those pieces of information are both available in the "triggering workflow", so we need to store them in - you guessed it - an artifact, so that info can then be retrieved by the second (PR comment) workflow.

Other notes:

  • The "Deploy to wiki" dry-run was failing for PRs from forks (though this was hidden by the earlier step for the comment failing) with the following error: fatal: could not read Username for 'https://github.com': No such device or address.
    As the "Deploy to wiki" step needs a Personal Access Token for the push to the wiki, this is no great surprise, what with PRs from forks not having access to the PAT.
    Switching to the secrets.GITHUB_TOKEN just and only for the dry-run, unfortunately would still fail for PRs from forks, so I've now made the "Deploy to wiki" step conditional on the workflow either not being triggered by a PR or the PR not coming from a fork.

Related issues/external references

Fixes #42

Refs:

Additional info

I've tested this by briefly adding just the new pr-comment.yml workflow to the main branch and then rebasing this PR on top of the "temporary" main branch. As can be seen via the below comment, the workflow changes are working (keep in mind, this PR is coming from a fork to allow for testing this change).

=== This is an auto-generated comment ===

Thank you for your PR.
A dry-run has been executed on your PR, executing all markdown pre-processing for the wiki files.

Please review the resulting final markdown files via the created artifact.
This is especially important when adding new pages or updating auto-generated output blocks.

N.B.: the above link will automatically be updated when this PR is updated.

@jrfnl jrfnl force-pushed the feature/42-fix-PR-auto-comment branch from 44ed45d to 834e6d5 Compare July 31, 2025 02:45

As described in issue 42, the PR comment to review the pre-processed wiki files was not being posted on PRs coming from forks, while it is all the more relevant for those, as outside contributors may not be aware of the artifact with the wiki files being available.

I've now done some more research into this and believe the changes in this PR will fix this.

The most important take-away from my research is as follows:
* Workflows triggered by a PR from a fork only have "read" access via the `secrets.GITHUB_TOKEN` and no access to Personal Access Tokens.
* However, workflows can trigger other workflows and those "follow-on" workflows **_can_** have "write" access via the `secrets.GITHUB_TOKEN` as they are run in the context of the `main` branch, not in the context of the PR branch (which is also why I had to briefly use `main` to test this PR).

So, with that in mind, I've moved the "comment on PR" step to a separate workflow which is triggered once the "Publish wiki" workflow has completed and will only run for pull requests.

This new workflow had access to the artifacts created by the triggering workflow, but doesn't have access to much else, while it needs access to the PR number of the PR which triggered the workflow cascade + access to the download URL for the wiki files artifact.

Those pieces of information are both available in the "triggering workflow", so we need to store them in - you guessed it - an artifact, so that info can then be retrieved by the second (PR comment) workflow.

Other notes:
* The "Deploy to wiki" dry-run was failing for PRs from forks (though this was hidden by the earlier step for the comment failing) with the following error: "fatal: could not read Username for 'https://github.com': No such device or address".
    As the "Deploy to wiki" step needs a Personal Access Token for the push to the wiki, this is no great surprise, what with PRs from forks not having access to the PAT.
    Switching to the `secrets.GITHUB_TOKEN` just and only for the dry-run, unfortunately would still fail for PRs from forks, so I've now made the "Deploy to wiki" step conditional on the workflow either not being triggered by a PR _or_ the PR not coming from a fork.

Fixes 42

Refs:
* https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#using-data-from-the-triggering-workflow

@jrfnl jrfnl force-pushed the feature/42-fix-PR-auto-comment branch from 834e6d5 to 27ba5e0 Compare July 31, 2025 02:53
@jrfnl jrfnl marked this pull request as ready for review July 31, 2025 02:57
@jrfnl jrfnl changed the title [WIP/TESTING] GH Actions: fix PR comment conundrum GH Actions: fix PR comment conundrum Jul 31, 2025
@jrfnl jrfnl merged commit fd371e0 into PHPCSStandards:main Jul 31, 2025
10 checks passed
@jrfnl jrfnl deleted the feature/42-fix-PR-auto-comment branch July 31, 2025 02:57
@jrfnl jrfnl mentioned this pull request Jul 31, 2025
6 tasks
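
The hand-off described in this PR passes the PR number and the artifact download URL through an artifact that is produced by a run triggered from a fork and consumed by a workflow holding a write-scoped `GITHUB_TOKEN`, so the consuming side should treat both values as contributor-controlled input. The following is an added example, not code from this PR or the project: a validation step the comment workflow could run before using the values. The file names `pr_number` and `artifact_url`, the repo slug, the run id and the assumed URL shape (`https://github.com/<owner>/<repo>/actions/runs/<run_id>/artifacts/<id>`) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: vet the hand-off files before the write-token job uses them.
# File names, repo slug and run id are assumptions, not the project's values.

# Print the PR number if the file holds exactly one positive integer.
read_pr_number() {
  local file="$1" value
  [ -f "$file" ] && [ ! -L "$file" ] || return 1
  value=$(cat "$file")           # $(...) strips trailing newlines only
  [ "${#value}" -le 10 ] || return 1
  case "$value" in
    ''|0*|*[!0-9]*) return 1 ;;  # empty, leading zero, any non-digit or newline
  esac
  printf '%s\n' "$value"
}

# Print the artifact URL only if it points into the triggering run of this repo.
# $2 (owner/repo) and $3 (run id) come from the workflow_run event, not the artifact.
read_artifact_url() {
  local file="$1" repo="$2" run_id="$3" value prefix id
  [ -f "$file" ] && [ ! -L "$file" ] || return 1
  value=$(cat "$file")
  prefix="https://github.com/${repo}/actions/runs/${run_id}/artifacts/"
  case "$value" in
    "$prefix"*) id=${value#"$prefix"} ;;
    *) return 1 ;;
  esac
  case "$id" in
    ''|*[!0-9]*) return 1 ;;     # artifact id: digits only, nothing trailing
  esac
  printf '%s\n' "$value"
}

# Constructed sample hand-off, as the first workflow might have uploaded it.
demo_dir=$(mktemp -d)
printf '123\n' > "$demo_dir/pr_number"
printf 'https://github.com/example-org/example-repo/actions/runs/1001/artifacts/2002\n' \
  > "$demo_dir/artifact_url"
pr=$(read_pr_number "$demo_dir/pr_number")
url=$(read_artifact_url "$demo_dir/artifact_url" example-org/example-repo 1001)
echo "Would comment on PR #$pr with link $url"
rm -rf "$demo_dir"
```

In a workflow step, a non-zero return from either function should fail the job before any comment is posted.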
Development

Successfully merging this pull request may close these issues.

GH Actions: auto-comment on PR does not work for PRs coming from forks