Fix artifact comment posting for fork PRs #103
The post-artifacts job in c-cpp.yml ran in the PR workflow context,
where GITHUB_TOKEN is read-only for fork PRs (GitHub security policy).
This caused a silent 403 error, so artifact links were never posted.
Fix: move the comment logic to artifacts.yml which uses workflow_run
event — this runs in the base repo context with write permissions.
Also fix the workflow name trigger ("Build" -> "C/C++ CI") and replace
the stale third-party action with actions/github-script.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Pull request overview
This PR fixes artifact link comment posting for fork-based pull requests by moving the PR-commenting logic out of the PR-triggered workflow (read-only token on forks) into a workflow_run-triggered workflow that runs in the base repo context with write permissions.
Changes:
- Removed the PR artifact-comment job (and its permissions block) from .github/workflows/c-cpp.yml.
- Added .github/workflows/artifacts.yml to post/update a single “Build Artifacts” comment after successful C/C++ CI runs, including a fallback PR lookup when the run has no associated PRs.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/c-cpp.yml | Removes in-workflow PR commenting so fork PR runs no longer hit 403s. |
| .github/workflows/artifacts.yml | Adds a base-repo workflow_run workflow to upsert artifact links onto the PR. |
| const prs = run.pull_requests; | ||
| if (!prs || prs.length === 0) { |
const prs = run.pull_requests; is followed by a guard that allows prs to be falsy (if (!prs || prs.length === 0)), but the fallback later calls prs.push(...). If run.pull_requests is ever undefined/null, this will throw and prevent artifact comments from being posted. Initialize a local array (e.g., let prs = run.pull_requests ?? []) and push into that (or assign prs = pulls).
| const prs = run.pull_requests; | |
| if (!prs || prs.length === 0) { | |
| let prs = run.pull_requests ?? []; | |
| if (prs.length === 0) { |
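Review bot: On the replacement line `let prs = run.pull_requests ?? [];`, `let` is only needed if the fallback reassigns `prs`; if the fallback keeps calling `prs.push(...)`, `const` is enough and guards against accidental rebinding. Note also that when `run.pull_requests` is an empty array rather than null, `prs` still aliases the event payload's array, so pushing into it mutates the payload; copying first, e.g. `const prs = [...(run.pull_requests ?? [])];`, avoids that.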
Summary
- post-artifacts job in c-cpp.yml silently failed with a 403 error on all fork PRs because GITHUB_TOKEN is read-only for fork PR workflows (GitHub security policy)
- artifacts.yml using workflow_run event, which runs in the base repo context with write permissions
- "Build" → "C/C++ CI") so the workflow actually fires
- tonyhallett/artifacts-url-comments@v1.1.0 with actions/github-script@v7
- pull_requests array is empty
Test plan
🤖 Generated with Claude Code
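Because the workflow_run job holds a write token while acting on a run started from a fork, the PR lookup and comment upsert discussed above are worth keeping as small, testable decisions. The following is an added example, not code from this PR or its artifacts.yml: the function names, the marker string, and the sample data are assumptions, and the helpers only decide what to do with results the github-script step would fetch through the API.

```javascript
// Added illustration: pure helpers a workflow_run github-script step could call.
// Function names and MARKER are hypothetical, not taken from the PR.
const MARKER = '<!-- build-artifacts -->'; // hidden tag identifying our comment

// Decide which PRs a finished run belongs to.
// `run` is the workflow_run payload; `candidates` is the result of a pull
// request listing, used only when the payload lists no PRs (the fork case).
function resolvePrNumbers(run, candidates) {
  if (run.conclusion !== 'success') return []; // only successful builds
  const listed = run.pull_requests ?? [];      // tolerate null/undefined
  if (listed.length > 0) return listed.map((pr) => pr.number);
  // Fallback: the branch name is chosen by the fork, so match on the exact
  // commit that was built and ignore closed PRs.
  return (candidates ?? [])
    .filter((pr) => pr.state === 'open' && pr.head.sha === run.head_sha)
    .map((pr) => pr.number);
}

// Decide whether to create or update the single artifacts comment.
// Only a bot-authored comment carrying the marker counts as ours.
function planComment(existing, body) {
  const text = `${MARKER}\n${body}`;
  const mine = existing.find(
    (c) => c.user.type === 'Bot' && c.body.startsWith(MARKER));
  return mine
    ? { action: 'update', comment_id: mine.id, body: text }
    : { action: 'create', body: text };
}

// Constructed sample data (not real API output).
const forkRun = { conclusion: 'success', head_sha: 'aaa111', pull_requests: null };
const pulls = [
  { number: 7, state: 'open', head: { sha: 'bbb222' } },
  { number: 9, state: 'open', head: { sha: 'aaa111' } },
];
const comments = [
  { id: 1, user: { type: 'User' }, body: `${MARKER}\nuser-written text` },
  { id: 2, user: { type: 'Bot' }, body: `${MARKER}\nold links` },
];
console.log(resolvePrNumbers(forkRun, pulls));   // PR chosen by head SHA
console.log(planComment(comments, 'new links')); // updates the bot's comment
```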