@cfc4n cfc4n commented Oct 12, 2025

This pull request updates the pr_build_debug.yml GitHub Actions workflow to improve security and reliability. The most important changes are:

Permissions and Security:

  • Changed the contents permission from write to read and added actions: read to limit the workflow’s access scope, following the principle of least privilege.

Workflow Reliability and Correctness:

  • Added a conditional to the "Comment PR with Download Links" job so it only runs for pull requests from the same repository, preventing issues with forks.
  • Explicitly set the github-token input for the actions/github-script step to ensure proper authentication.
  • Wrapped the comment creation in a try/catch block to log success or failure, improving error handling and debugging information.

fix: #852

@cfc4n cfc4n requested a review from Copilot October 12, 2025 09:33
@cfc4n cfc4n self-assigned this Oct 12, 2025
@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Oct 12, 2025

@Copilot Copilot AI left a comment

Pull Request Overview

This PR improves the security and reliability of the GitHub Actions workflow for commenting on pull requests with debug build artifacts. It implements the principle of least privilege by reducing permissions and adds proper error handling.

  • Reduced workflow permissions from contents: write to contents: read and added actions: read
  • Added conditional check to prevent the comment job from running on forked PRs
  • Improved error handling with try/catch block and explicit token configuration

@dosubot dosubot bot added the 🐞 bug Something isn't working label Oct 12, 2025

🔧 Debug Build Complete (PR 853, RunID 18442172118)

📦 Download Links:

⏰ Files will be retained for 7 days, please download and test promptly.

@cfc4n cfc4n merged commit 7a5029d into master Oct 12, 2025
10 checks passed
@cfc4n cfc4n deleted the bugfix/workflow_post_comment branch October 12, 2025 09:44
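
The same-repository guard and the try/catch around comment creation described in this pull request, as an added example that is not the project's workflow code. The PR puts the condition on the job; here it is written in script form so it can be exercised offline. `github`, `context` and `core` are the objects `actions/github-script` passes to a script, while the function names, the `example-org/example-repo` repository and the `fakeEnv` stand-ins are hypothetical.

```javascript
// Added example, not the project's code. `github`, `context` and `core` are the
// objects actions/github-script passes to a script; function names are hypothetical.

// True only when the PR head branch lives in the base repository.
function isSameRepoPR(context) {
  const pr = context.payload.pull_request;
  if (!pr || !pr.head || !pr.head.repo) return false; // head.repo is null for a deleted fork
  return pr.head.repo.full_name === `${context.repo.owner}/${context.repo.repo}`;
}

async function commentWithDownloadLinks({ github, context, core }, body) {
  if (!isSameRepoPR(context)) {
    core.info('Skipping comment: PR head is not in this repository');
    return { status: 'skipped' };
  }
  try {
    const res = await github.rest.issues.createComment({
      owner: context.repo.owner,
      repo: context.repo.repo,
      issue_number: context.payload.pull_request.number,
      body,
    });
    core.info(`Comment created: ${res.data.html_url}`);
    return { status: 'posted', url: res.data.html_url };
  } catch (err) {
    // Log and report instead of throwing, so the failure is visible in the run log.
    core.warning(`Failed to create comment (HTTP ${err.status}): ${err.message}`);
    return { status: 'failed', httpStatus: err.status };
  }
}

// Constructed stand-ins for the injected objects, so the logic runs offline.
function fakeEnv(headRepo, error) {
  const log = [];
  const core = { info: (m) => log.push(m), warning: (m) => log.push(m) };
  const context = {
    repo: { owner: 'example-org', repo: 'example-repo' },
    payload: { pull_request: { number: 1, head: { repo: headRepo && { full_name: headRepo } } } },
  };
  const createComment = async () => {
    if (error) throw Object.assign(new Error(error.message), { status: error.status });
    return { data: { html_url: 'https://example.invalid/comment/1' } };
  };
  return { github: { rest: { issues: { createComment } } }, context, core, log };
}
```

A pull request whose head repository differs from the base repository returns `skipped` without calling the API, and a 403 from `createComment` is reported as `failed` with the HTTP status logged.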

Development

Successfully merging this pull request may close these issues.

Actions: 403 Resource not accessible by integration when posting PR comment via actions/github-script@v7
