
Conversation

@Mounil2005
Contributor

@Mounil2005 Mounil2005 commented Jan 6, 2026

Description:
Fix LinkBot permission issue for fork PRs by changing trigger to pull_request_target

  • Change workflow trigger from pull_request to pull_request_target to fix 403 permission errors
  • Add issues: write permission for proper commenting access on fork PRs
  • Add workflow_dispatch support for manual testing with DRY_RUN functionality
  • Update JavaScript script to handle both pull_request_target and workflow_dispatch events
  • Add comprehensive logging and DRY_RUN mode for safe testing on forks
  • Update changelog with fix details

Related issue(s):

Fixes #1183

Notes for reviewer:
The core issue was that GITHUB_TOKEN has restricted permissions for fork PRs under pull_request trigger, causing 403 "Resource not accessible by integration" errors when LinkBot tried to comment. The pull_request_target trigger runs in the base repository context with proper permissions, resolving the permission issue while maintaining security by not executing untrusted code from forks.

The added DRY_RUN functionality allows contributors to safely test the workflow on forks without actually posting comments; it only logs what would happen.

Checklist

  • Documented (Code comments, README, etc.)
  • Tested (unit, integration, etc.)

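The handler sketched below is an added example, not the project's bot-pr-missing-linked-issue.js, written to show the pattern the description relies on: under pull_request_target the GITHUB_TOKEN carries write scopes even for fork PRs, so the script must keep the checkout on the base ref and must never feed PR body or author login into a shell; here they only reach the API request body, with the login restricted to GitHub's login charset. The marker string, the closing-keyword regex, the function names, the handling of a 403 as a graceful skip, and the mock Octokit client at the bottom are all assumptions made for this example.

```javascript
// Added example (not the project's script): a github-script style handler that
// runs under pull_request_target and workflow_dispatch, dedupes via a marker,
// honours DRY_RUN and treats 403 as "no write access" instead of crashing.
// The github/context shapes mirror actions/github-script; the mock is constructed.

const MARKER = "<!-- linkbot:missing-linked-issue -->"; // assumed marker (page's script matches "this is LinkBot")
// Assumed: GitHub's closing keywords followed by an optional owner/repo and an issue number.
const CLOSING_KEYWORDS = /\b(?:close|closes|closed|fix|fixes|fixed|resolve|resolves|resolved)\s+(?:[\w.-]+\/[\w.-]+)?#\d+/i;

function hasLinkedIssue(body) {
  return CLOSING_KEYWORDS.test(body || "");
}

function resolvePrNumber(context, env) {
  // workflow_dispatch supplies PR_NUMBER via env; pull_request_target carries it in the payload.
  const fromEnv = Number.parseInt(env.PR_NUMBER ?? "", 10);
  if (Number.isInteger(fromEnv) && fromEnv > 0) return fromEnv;
  const fromPayload = context.payload?.pull_request?.number;
  if (Number.isInteger(fromPayload) && fromPayload > 0) return fromPayload;
  throw new Error(`cannot determine PR number (event=${context.eventName})`);
}

function buildComment(login) {
  // login is hostile event data: it only ever goes into an API body, never a shell,
  // and is allowlisted to GitHub's login charset so a crafted name cannot inject markdown.
  const safeLogin = /^[A-Za-z0-9-]{1,39}$/.test(login) ? login : "contributor";
  return `${MARKER}\nHi @${safeLogin}, this is LinkBot. This PR has no linked issue.`;
}

async function run({ github, context, env }) {
  const { owner, repo } = context.repo;
  const dryRun = String(env.DRY_RUN ?? "false").toLowerCase() === "true";
  const prNumber = resolvePrNumber(context, env);

  let pr = context.payload?.pull_request;
  if (!pr) { // workflow_dispatch: payload has no PR, fetch it
    const { data } = await github.rest.pulls.get({ owner, repo, pull_number: prNumber });
    pr = data;
  }
  if (hasLinkedIssue(pr.body)) return { action: "skip", reason: "linked-issue-present", prNumber };

  const { data: comments } = await github.rest.issues.listComments({ owner, repo, issue_number: prNumber, per_page: 100 });
  if (comments.some((c) => typeof c.body === "string" && c.body.includes(MARKER))) {
    return { action: "skip", reason: "already-commented", prNumber };
  }

  const body = buildComment(pr.user?.login);
  if (dryRun) { // explicit, visible in logs, no state mutated
    console.log(`[DRY_RUN] would comment on #${prNumber}:\n${body}`);
    return { action: "dry-run", prNumber, body };
  }
  try {
    await github.rest.issues.createComment({ owner, repo, issue_number: prNumber, body });
    return { action: "commented", prNumber, body };
  } catch (err) {
    if (err.status === 403) { // e.g. token without issues:write; degrade, do not fail the job
      console.log(`[warn] no write access to ${owner}/${repo}#${prNumber}: ${err.message}`);
      return { action: "skip", reason: "forbidden", prNumber };
    }
    throw err;
  }
}

// Constructed mock of the Octokit subset used above, for offline runs.
function makeMockGithub({ prs = {}, comments = {}, forbid = false } = {}) {
  const posted = [];
  return {
    posted,
    rest: {
      pulls: { get: async ({ pull_number }) => ({ data: prs[pull_number] }) },
      issues: {
        listComments: async ({ issue_number }) => ({ data: comments[issue_number] ?? [] }),
        createComment: async ({ issue_number, body }) => {
          if (forbid) { const e = new Error("Resource not accessible by integration"); e.status = 403; throw e; }
          posted.push({ issue_number, body });
          return { data: { id: posted.length } };
        },
      },
    },
  };
}

if (typeof module !== "undefined") module.exports = { run, hasLinkedIssue, resolvePrNumber, buildComment, makeMockGithub, MARKER };
```

The dedup check reads comments before writing, so re-running the workflow (or a manual workflow_dispatch for the same PR) is idempotent; the 403 branch is what the original pull_request trigger produced on fork PRs, and handling it keeps the job green instead of failing the contributor's checks.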
@github-actions

github-actions bot commented Jan 6, 2026

Hi, this is WorkflowBot.
Your pull request cannot be merged as it is not passing all our workflow checks.
Please click on each check to review the logs and resolve issues so all checks pass.
To help you:

@Mounil2005 Mounil2005 changed the title Fix LinkBot fork permission issue Fix: LinkBot fork permission issue Jan 6, 2026
@coderabbitai

coderabbitai bot commented Jan 6, 2026

Warning

Rate limit exceeded

@Mounil2005 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 14 minutes and 41 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between f65d2cc and 8dbb257.

📒 Files selected for processing (2)
  • .github/scripts/bot-pr-missing-linked-issue.js
  • .github/workflows/bot-pr-missing-linked-issue.yml
📝 Walkthrough

Walkthrough

Workflow trigger changed to pull_request_target and added workflow_dispatch inputs; the Node script was updated to fetch PR data when missing, use DRY_RUN/PR_NUMBER env vars, detect existing LinkBot comments, and conditionally post or log comments. CHANGELOG updated.

Changes

Cohort / File(s) Summary
Workflow Definition
.github/workflows/bot-pr-missing-linked-issue.yml
Switched trigger from pull_request to pull_request_target; added workflow_dispatch with pr_number and dry_run inputs; granted issues: write permission; updated concurrency key to use event inputs or payload; added ref: main to checkout; sets DRY_RUN and PR_NUMBER env vars.
Bot Script
.github/scripts/bot-pr-missing-linked-issue.js
Uses DRY_RUN and PR_NUMBER env vars (fallback to context); fetches PR data when payload lacks it (workflow_dispatch); replaces direct payload access with prData/prNumber; checks for existing LinkBot comments; builds comment using prData.user.login and prData.body; logs instead of posting in dry-run.
Changelog
CHANGELOG.md
Added Unreleased note: "Fixed LinkBot permission issue for fork PRs by changing trigger to pull_request_target and adding proper permissions."

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant WF as GitHub Workflow
    participant Runner as Actions Runner
    participant Script as bot-pr-missing-linked-issue.js
    participant GH_API as GitHub API
    note over WF,Runner: New: supports pull_request_target and workflow_dispatch (pr_number, dry_run)
    WF->>Runner: start job (event or manual with inputs)
    Runner->>Script: run script with env DRY_RUN, PR_NUMBER
    Script->>GH_API: GET /repos/.../pulls/:pr_number (if payload missing)
    GH_API-->>Script: PR data (prData)
    Script->>GH_API: GET /repos/.../issues/:pr_number/comments
    GH_API-->>Script: existing comments
    alt No LinkBot comment found
        Script->>GH_API: POST issue comment (unless DRY_RUN=true)
        GH_API-->>Script: comment created
    else LinkBot comment exists
        Script-->>Runner: log "LinkBot comment exists" (or dry-run log)
    end
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title 'fix: LinkBot fork permission issue' clearly and concisely summarizes the main change: fixing a permission issue with LinkBot on fork PRs.
Description check ✅ Passed The description provides detailed context about the permission issue, the fix approach, and related changes, directly relating to the changeset.
Linked Issues check ✅ Passed The PR addresses all coding requirements from issue #1183: changing trigger to pull_request_target, adding issues:write permission, updating the JavaScript script, and adding DRY_RUN functionality.
Out of Scope Changes check ✅ Passed All changes are scoped to fixing the LinkBot permission issue: workflow trigger change, permission additions, script logic updates, changelog entry, and DRY_RUN feature.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 5

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cadae31 and 5ee6289.

📒 Files selected for processing (3)
  • .github/scripts/bot-pr-missing-linked-issue.js
  • .github/workflows/bot-pr-missing-linked-issue.yml
  • CHANGELOG.md
🧰 Additional context used
📓 Path-based instructions (2)
.github/scripts/**/*.js

⚙️ CodeRabbit configuration file

.github/scripts/**/*.js: Review JavaScript scripts as long-lived automation code.

Scripts must remain:

  • Focused

  • Readable

  • Purpose-built

  • All context.payload fields MUST be validated

  • Free-form text MUST NOT be trusted

  • Dynamic code execution is prohibited

  • Avoid child_process.exec; prefer execFile if needed

  • All async operations MUST be wrapped in try/catch

  • Errors MUST include contextual metadata

  • Duplicate API calls MUST be avoided

  • Marker-based deduplication is required

  • Scripts MUST NOT assume write access

  • Permission failures MUST be handled gracefully

Files:

  • .github/scripts/bot-pr-missing-linked-issue.js
.github/workflows/**/*

⚙️ CodeRabbit configuration file

.github/workflows/**/*: Review workflows as security-sensitive infrastructure.

A good workflow is small, focused, and boring.
If a workflow is clever, generic, or overly flexible, it is a risk.


PRIORITY 0 — ABSOLUTE REQUIREMENTS

  • All third-party actions MUST be pinned to full commit SHAs, similar to other workflows.
  • permissions: MUST be explicitly declared and minimally scoped.
  • Workflows MUST behave safely when executed from forks.
  • YAML MUST orchestrate steps, not implement business logic.
  • Any workflow that mutates GitHub state MUST support dry-run mode.
  • Dry-run behavior must be explicit and visible in logs.
  • Workflows MUST NOT modify repository source code outside .github/.

PRIORITY 1 — SCOPE, FOCUS & RESTRAINT

  • The title of each workflow must be relevant, match similar naming schemes, and match its script filename.
  • Each workflow MUST have a single, clearly defined objective and SHOULD document this in a top-level comment.
  • Flag workflows that:
    • Attempt to be generic “frameworks”
    • Include speculative or future-facing logic
    • Perform actions unrelated to the stated goal
  • Over-abstraction and excess flexibility are maintenance risks.

PRIORITY 2 — INPUT HARDENING

  • Treat ALL GitHub event data as potentially hostile input, including:
    • issue titles, bodies, and comments
    • labels, usernames, branch names
  • Free-form user input MUST NOT be passed directly into:
    • shell commands
    • gh CLI arguments
    • Node.js exec / spawn calls
  • Require strict allowlists or exact string matches.
  • Flag any use of:
    • eval or bash -c
    • backticks or $(...) with user-controlled input

------------------...

Files:

  • .github/workflows/bot-pr-missing-linked-issue.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (7)
CHANGELOG.md (1)

158-158: LGTM - Changelog entry is clear and appropriate.

The changelog entry accurately documents the fix for the LinkBot permission issue on fork PRs.

.github/workflows/bot-pr-missing-linked-issue.yml (3)

4-16: Verify pull_request_target behavior with fork PRs.

The trigger change from pull_request to pull_request_target is correct for fixing fork PR permission issues. This allows the workflow to run with write permissions while checking out trusted code (main branch).

Ensure you've tested this with an actual fork PR to confirm:

  • The workflow runs successfully on fork PRs
  • Comments are posted correctly
  • The workflow doesn't execute any untrusted code from the fork

Based on coding guidelines, workflows must behave safely when executed from forks.


18-21: LGTM - Permissions are correctly scoped.

The permissions are explicitly declared and minimal:

  • issues: write - needed for posting comments
  • pull-requests: write - needed for PR operations
  • contents: read - needed for checkout

Based on coding guidelines, PRIORITY 7 — PERMISSION CORRECTNESS.


39-40: LGTM - Correct use of ref: main for security.

Checking out main is essential when using pull_request_target to avoid executing untrusted code from fork PRs. This ensures only the trusted script from the base repository is executed.

Based on coding guidelines, workflows must behave safely when executed from forks.

.github/scripts/bot-pr-missing-linked-issue.js (3)

5-19: LGTM - Good handling of both trigger types.

The script correctly handles both pull_request_target (where context.payload.pull_request exists) and workflow_dispatch (where PR data must be fetched). This provides good flexibility for testing.


30-37: LGTM - Proper idempotent comment detection.

The marker-based detection (includes("this is LinkBot")) prevents duplicate comments, which is essential for idempotent workflow execution.

Based on coding guidelines, duplicate prevention is required.


59-72: LGTM - Excellent dry-run implementation.

The dry-run logic is clear and visible in logs, showing exactly what would be posted without actually mutating state. This matches the guidelines perfectly.

Based on coding guidelines, PRIORITY 3 — DRY-RUN & SAFE OPERATION.

@Mounil2005 Mounil2005 changed the title Fix: LinkBot fork permission issue fix: LinkBot fork permission issue Jan 6, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 4

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5ee6289 and f65d2cc.

📒 Files selected for processing (3)
  • .github/scripts/bot-pr-missing-linked-issue.js
  • .github/workflows/bot-pr-missing-linked-issue.yml
  • CHANGELOG.md
🔇 Additional comments (5)
CHANGELOG.md (1)

158-158: LGTM!

The changelog entry accurately documents the fix for fork PR permissions by noting the trigger change to pull_request_target and the addition of proper permissions.

.github/scripts/bot-pr-missing-linked-issue.js (1)

59-72: DRY_RUN implementation and marker-based deduplication look good.

The script correctly logs intended actions instead of posting when DRY_RUN=true, and uses marker-based detection to prevent duplicate comments.

.github/workflows/bot-pr-missing-linked-issue.yml (3)

37-40: Security pattern correctly implemented.

Using pull_request_target with ref: main checkout is the correct approach. This ensures the workflow has write permissions for fork PRs while only executing trusted code from the base branch, not untrusted code from the fork.


18-21: Permissions and action SHA pins are correctly configured.

Actions are pinned to full commit SHAs as required. Permissions are explicitly declared and appropriately scoped:

  • pull-requests: write for PR operations
  • contents: read for checkout
  • issues: write for posting comments (GitHub API treats PR comments as issue comments)

Also applies to: 32-48


43-46: Environment variable configuration looks correct.

The DRY_RUN and PR_NUMBER variables are properly sourced from the appropriate event context with fallbacks for both pull_request_target and workflow_dispatch triggers.

@codecov

codecov bot commented Jan 6, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@@           Coverage Diff           @@
##             main    #1363   +/-   ##
=======================================
  Coverage   92.29%   92.29%           
=======================================
  Files         139      139           
  Lines        8515     8515           
=======================================
  Hits         7859     7859           
  Misses        656      656           

@exploreriii exploreriii merged commit e35db57 into hiero-ledger:main Jan 6, 2026
23 of 24 checks passed
Development

Successfully merging this pull request may close these issues.

[Bug] LinkBot