Post CI failure comments on fork PRs via workflow_run#52
Conversation
The "report" job's PR comment step was failing silently (403 Resource not accessible by integration) for every fork-originated PR, since GITHUB_TOKEN is read-only for pull_request runs triggered by forks. Confirmed against PR #49 (a fork PR): the comment body was built correctly but the POST itself was rejected, and continue-on-error hid the failure entirely -- no comment ever appeared. Split the work in two: "report" now builds the comment body and uploads it as an artifact instead of posting it directly, dropping its pull-requests: write permission since it no longer needs it. A new workflow, comment-on-pr.yml, triggers on workflow_run once CI completes and posts/updates the comment from there -- workflow_run always runs with the base repo's own permissions using this file as committed on the default branch, regardless of which fork triggered the original run, so it works for both fork and same-repo PRs without granting fork code any elevated token access.
|
Warning Review limit reached
More reviews will be available in 14 minutes and 33 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (2)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|



Summary
GITHUB_TOKENis read-only forpull_requestruns triggered by forks, the comment POST fails with403 Resource not accessible by integration, andcontinue-on-errorhides the failure completely.report's "Build PR comment" step now writes the comment body to apr-comment.jsonartifact instead of posting it directly, and the job no longer needs/haspull-requests: write.comment-on-pr.ymlworkflow triggers onworkflow_runonce CI completes, downloads that artifact, and posts/updates the sticky comment.workflow_runalways executes using this file as committed onmainwith the base repo's own permissions, regardless of which fork triggered the original run -- nothing from the PR branch executes in this second workflow.context.issue.number), not fromworkflow_run's ownpull_requestsfield, which GitHub doesn't reliably populate for fork-triggered runs.Test plan
actionlintandprekpass on both workflow filesmaindoesn't triggercomment-on-pr.ymlinto doing anything (no artifact uploaded, no PR event)