Action fails on PRs that target another repo

[ocefpaf]

For some reason I get a 403 when using this GH action. See
https://github.com/oceanhackweek/oceanhackweek.github.io/pull/51/checks?check_run_id=525775319#step:4:307

I'm not sure what I'm doing wrong. I thought that GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} was enough. Am I missing something?

[David-Byrne]

Ah, this is a problem...

The GITHUB_TOKEN is passed correctly to the action and included in the request (you can see Authorization: token *** as a header in the CURL request in the logs). You're also getting a HTTP 403 back from Github and not a 401, so the token is being recognised.

The issue, as far as I can tell, is because this PR was opened from a forked repo. Apparently, Github Actions tiggered from a forked repo have read-only access to the upstream repo. The token used to run the action belongs to ocefpaf/oceanhackweek.github.io, which doesn't have write permissions to oceanhackweek/oceanhackweek.github.io, even to comment on a PR opened by that repo.

I've never tried use jekyll-diff-action from a forked repo, so this is the first I'm seeing of the issue. It looks like this isn't the only project struggling with this limitation though, it's also affecting danger-js and Lukasz Gornicki. There's an active discussion about the issue on this thread, with a Github staff member confirmed they're investigating and working on it, so hopefully a long term fix is on the way.

A work around for now would be to only use the push trigger and not pull_request trigger for this workflow. Thanks for letting me know about the issue though and sorry it's not a perfect fix!

[ocefpaf]

Thanks! I should know that b/c I already run into it before.

A work around for now would be to only use the push trigger and not pull_request trigger for this workflow. Thanks for letting me know about the issue though and sorry it's not a perfect fix!

That works for me.