fix: support fork PRs in commit-recordings workflow

.github/workflows/commit-recordings.yml

@@ -154,15 +154,37 @@ jobs:
             core.setOutput('head_sha', headSha);
             core.setOutput('is_fork_pr', headRepo !== `${context.repo.owner}/${context.repo.repo}`);
 
-      - name: Checkout PR branch
-        if: steps.pr-info.outputs.skip != 'true'
+      - name: Preserve artifacts before checkout
+        if: steps.pr-info.outputs.skip != 'true' && steps.pr-info.outputs.is_fork_pr != 'true'
+        run: mv recordings-temp /tmp/recordings-temp 2>/dev/null || true
+
+      - name: Checkout PR branch (same-repo)
+        if: steps.pr-info.outputs.skip != 'true' && steps.pr-info.outputs.is_fork_pr != 'true'
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           repository: ${{ steps.pr-info.outputs.head_repo }}
           ref: ${{ steps.pr-info.outputs.head_ref }}
           fetch-depth: 0
           token: ${{ github.token }}
 
+      - name: Restore artifacts after checkout
+        if: steps.pr-info.outputs.skip != 'true' && steps.pr-info.outputs.is_fork_pr != 'true'
+        run: mv /tmp/recordings-temp recordings-temp 2>/dev/null || true
+
+      - name: Checkout PR branch (fork)
+        if: steps.pr-info.outputs.skip != 'true' && steps.pr-info.outputs.is_fork_pr == 'true'
+        env:
+          # RELEASE_PAT has repo scope, which allows cloning and pushing to fork
+          # PR branches when maintainerCanModify is enabled. github.token can't do this.
+          GH_TOKEN: ${{ secrets.RELEASE_PAT }}
+          HEAD_REPO: ${{ steps.pr-info.outputs.head_repo }}
+          HEAD_REF: ${{ steps.pr-info.outputs.head_ref }}
+        run: |
+          # Move artifacts out of the way before cloning, then restore after.
+          mv recordings-temp /tmp/recordings-temp 2>/dev/null || true
+          git clone --depth 1 --branch "${HEAD_REF}" "https://x-access-token:${GH_TOKEN}@github.com/${HEAD_REPO}.git" .
+          mv /tmp/recordings-temp recordings-temp 2>/dev/null || true
+
       - name: Copy recordings to repo
         if: steps.pr-info.outputs.skip != 'true'
         run: |
@@ -186,7 +208,7 @@ jobs:
       - name: Commit and push recordings
         if: steps.pr-info.outputs.skip != 'true'
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.pr-info.outputs.is_fork_pr == 'true' && secrets.RELEASE_PAT || github.token }}
           PR_NUMBER: ${{ steps.pr-info.outputs.pr_number }}
           HEAD_REPO: ${{ steps.pr-info.outputs.head_repo }}
           HEAD_REF: ${{ steps.pr-info.outputs.head_ref }}

.github/workflows/record-integration-tests.yml

@@ -89,11 +89,12 @@ jobs:
           if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
             if [ -n "$INPUT_PR_NUMBER" ]; then
               # Fetch PR info via API
-              PR_DATA=$(gh pr view "$INPUT_PR_NUMBER" --repo "$REPO" --json number,headRefName,headRefOid,headRepository)
+              PR_DATA=$(gh pr view "$INPUT_PR_NUMBER" --repo "$REPO" --json number,headRefName,headRefOid,headRepository,headRepositoryOwner)
               PR_NUMBER="$INPUT_PR_NUMBER"
               HEAD_REF=$(echo "$PR_DATA" | jq -r '.headRefName')
               HEAD_SHA=$(echo "$PR_DATA" | jq -r '.headRefOid')
-              HEAD_REPO=$(echo "$PR_DATA" | jq -r '.headRepository.nameWithOwner')
+              # headRepository.nameWithOwner can be empty for fork PRs, so construct it manually
+              HEAD_REPO=$(echo "$PR_DATA" | jq -r '"\(.headRepositoryOwner.login)/\(.headRepository.name)"')
             else
               # Use current branch
               PR_NUMBER="manual"