fix: prevent permission errors when workflow runs from forks

Adds fork detection to skip comment operations when running from external repositories, preventing 403 permission errors.

Implements early exit when pull request or workflow run originates from a fork, and wraps comment operations in try-catch to handle remaining permission issues gracefully by logging build status instead.
This commit is contained in:
Uruk
2025-09-30 12:17:38 +02:00
parent c6ad06b084
commit 48cb0b7013

View File

@@ -29,6 +29,17 @@ jobs:
uses: actions/github-script@v8 uses: actions/github-script@v8
with: with:
script: | script: |
// Check if we're running from a fork
const isFromFork = context.payload.pull_request?.head?.repo?.full_name !== context.repo.owner + '/' + context.repo.repo;
const workflowFromFork = context.payload.workflow_run?.head_repository?.full_name !== context.repo.owner + '/' + context.repo.repo;
if (isFromFork || workflowFromFork) {
console.log('🚫 Workflow running from fork - skipping comment creation to avoid permission errors');
console.log('Fork repository:', context.payload.pull_request?.head?.repo?.full_name || context.payload.workflow_run?.head_repository?.full_name);
console.log('Target repository:', context.repo.owner + '/' + context.repo.repo);
return;
}
// Handle repository_dispatch, pull_request, and manual dispatch events // Handle repository_dispatch, pull_request, and manual dispatch events
let pr; let pr;
let targetCommitSha; let targetCommitSha;
@@ -403,34 +414,53 @@ jobs:
commentBody += `<sub>*Auto-generated by [GitHub Actions](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})*</sub>`; commentBody += `<sub>*Auto-generated by [GitHub Actions](https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})*</sub>`;
commentBody += `\n<!-- streamyfin-artifact-comment -->`; commentBody += `\n<!-- streamyfin-artifact-comment -->`;
// Find existing bot comment to update // Try to find existing bot comment to update (with permission check)
const { data: comments } = await github.rest.issues.listComments({ try {
owner: context.repo.owner, const { data: comments } = await github.rest.issues.listComments({
repo: context.repo.repo,
issue_number: pr.number
});
const botComment = comments.find(comment =>
comment.user.type === 'Bot' &&
comment.body.includes('<!-- streamyfin-artifact-comment -->')
);
if (botComment) {
// Update existing comment
await github.rest.issues.updateComment({
owner: context.repo.owner, owner: context.repo.owner,
repo: context.repo.repo, repo: context.repo.repo,
comment_id: botComment.id, issue_number: pr.number
body: commentBody
}); });
console.log(`✅ Updated comment ${botComment.id} on PR #${pr.number}`);
} else { const botComment = comments.find(comment =>
// Create new comment comment.user.type === 'Bot' &&
await github.rest.issues.createComment({ comment.body.includes('<!-- streamyfin-artifact-comment -->')
owner: context.repo.owner, );
repo: context.repo.repo,
issue_number: pr.number, if (botComment) {
body: commentBody // Update existing comment
}); await github.rest.issues.updateComment({
console.log(`✅ Created new comment on PR #${pr.number}`); owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: commentBody
});
console.log(`✅ Updated comment ${botComment.id} on PR #${pr.number}`);
} else {
// Create new comment
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: pr.number,
body: commentBody
});
console.log(`✅ Created new comment on PR #${pr.number}`);
}
} catch (error) {
if (error.status === 403) {
console.log('🚫 Permission denied - likely running from a fork. Skipping comment creation.');
console.log('Error details:', error.message);
// Log the build status instead of commenting
console.log('📊 Build Status Summary:');
for (const target of buildTargets) {
const matchingStatus = buildStatuses[target.statusKey];
if (matchingStatus) {
console.log(`- ${target.name}: ${matchingStatus.status}/${matchingStatus.conclusion || 'none'}`);
}
}
} else {
// Re-throw other errors
throw error;
}
} }