From 48cb0b70139de20906293ced4c51f561a62dbcde Mon Sep 17 00:00:00 2001
From: Uruk
Date: Tue, 30 Sep 2025 12:17:38 +0200
Subject: [PATCH] fix: prevent permission errors when workflow runs from forks Adds fork detection to skip comment operations when running from external repositories, preventing 403 permission errors. Implements early exit when pull request or workflow run originates from a fork, and wraps comment operations in try-catch to handle remaining permission issues gracefully by logging build status instead.
---
 .github/workflows/artifact-comment.yml | 84 +++++++++++++++++---------
 1 file changed, 57 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/artifact-comment.yml b/.github/workflows/artifact-comment.yml
index d032dd67..e6d902b1 100644
--- a/.github/workflows/artifact-comment.yml
+++ b/.github/workflows/artifact-comment.yml
@@ -29,6 +29,17 @@ jobs:
 uses: actions/github-script@v8
 with:
 script: |
+ // Check if we're running from a fork
+ const isFromFork = context.payload.pull_request?.head?.repo?.full_name !== context.repo.owner + '/' + context.repo.repo;
+ const workflowFromFork = context.payload.workflow_run?.head_repository?.full_name !== context.repo.owner + '/' + context.repo.repo;
+
+ if (isFromFork || workflowFromFork) {
+ console.log('🚫 Workflow running from fork - skipping comment creation to avoid permission errors');
+ console.log('Fork repository:', context.payload.pull_request?.head?.repo?.full_name || context.payload.workflow_run?.head_repository?.full_name);
+ console.log('Target repository:', context.repo.owner + '/' + context.repo.repo);
+ return;
+ }
+
 // Handle repository_dispatch, pull_request, and manual dispatch events
 let pr;
 let targetCommitSha;
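Review bot: The fork check at the top of the script is true for every event, not only for forks: on a `pull_request` run `context.payload.workflow_run` is undefined, so `workflowFromFork` compares `undefined !== 'owner/repo'` and is true, and on `workflow_run`, `repository_dispatch` or manual runs the same happens to `isFromFork`. As written the `return` is reached before any comment is posted, including for same-repository PRs. Resolve the head repository once and skip only when it is present and different: `const headRepo = context.payload.pull_request?.head?.repo?.full_name ?? context.payload.workflow_run?.head_repository?.full_name;` followed by `if (headRepo && headRepo !== context.repo.owner + '/' + context.repo.repo) {`. The script body continues past this hunk, so how `pr` is resolved for the other events is not visible here.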
@@ -403,34 +414,53 @@ jobs:
 commentBody += `*Auto-generated by [GitHub Actions](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})*`;
 commentBody += `\n`;
- // Find existing bot comment to update
- const { data: comments } = await github.rest.issues.listComments({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: pr.number
- });
-
- const botComment = comments.find(comment =>
- comment.user.type === 'Bot' &&
- comment.body.includes('')
- );
-
- if (botComment) {
- // Update existing comment
- await github.rest.issues.updateComment({
+ // Try to find existing bot comment to update (with permission check)
+ try {
+ const { data: comments } = await github.rest.issues.listComments({
 owner: context.repo.owner,
 repo: context.repo.repo,
- comment_id: botComment.id,
- body: commentBody
+ issue_number: pr.number
 });
- console.log(`✅ Updated comment ${botComment.id} on PR #${pr.number}`);
- } else {
- // Create new comment
- await github.rest.issues.createComment({
- owner: context.repo.owner,
- repo: context.repo.repo,
- issue_number: pr.number,
- body: commentBody
- });
- console.log(`✅ Created new comment on PR #${pr.number}`);
+
+ const botComment = comments.find(comment =>
+ comment.user.type === 'Bot' &&
+ comment.body.includes('')
+ );
+
+ if (botComment) {
+ // Update existing comment
+ await github.rest.issues.updateComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ comment_id: botComment.id,
+ body: commentBody
+ });
+ console.log(`✅ Updated comment ${botComment.id} on PR #${pr.number}`);
+ } else {
+ // Create new comment
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: pr.number,
+ body: commentBody
+ });
+ console.log(`✅ Created new comment on PR #${pr.number}`);
+ }
+ } catch (error) {
+ if (error.status === 403) {
+ console.log('🚫 Permission denied - likely running from a fork. Skipping comment creation.');
+ console.log('Error details:', error.message);
+
+ // Log the build status instead of commenting
+ console.log('📊 Build Status Summary:');
+ for (const target of buildTargets) {
+ const matchingStatus = buildStatuses[target.statusKey];
+ if (matchingStatus) {
+ console.log(`- ${target.name}: ${matchingStatus.status}/${matchingStatus.conclusion || 'none'}`);
+ }
+ }
+ } else {
+ // Re-throw other errors
+ throw error;
+ }
 }
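Review bot: The new `catch` treats every 403 as "running from a fork" and lets the step succeed, but GitHub also answers 403 when the token lacks `pull-requests: write`/`issues: write` or when a secondary rate limit is hit, so a misconfigured `permissions:` block would now pass with only a log line. Surface it in the run rather than in plain logging, e.g. `core.warning('PR comment skipped (HTTP 403): ' + error.message);`, so the skipped comment is visible on the workflow summary. `buildTargets` and `buildStatuses` are defined outside this hunk; confirm both are in scope at the `catch`, otherwise the fallback itself throws. The `includes('')` marker appears empty on this page, possibly lost in rendering; if it is empty in the file, the first Bot comment on the PR is overwritten no matter which bot wrote it.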