Skip to content

Book Preview PR workflow fails on fork PRs when posting preview comment #3685

Open
Open
Book Preview PR workflow fails on fork PRs when posting preview comment#3685
@thepastaclaw

Description

@thepastaclaw
thepastaclaw
opened on May 19, 2026

Summary

The Book Preview (PR) workflow can build the preview successfully but still fail on fork-origin pull requests when the final actions/github-script step tries to create/update a PR comment.

Observed on dashpay/platform#3092:

Failure mode

The workflow calls github.rest.issues.createComment / updateComment from a pull_request run:

RequestError [HttpError]: Resource not accessible by integration
status: 403
x-accepted-github-permissions: issues=write; pull_requests=write

Current upstream/v3.1-dev:.github/workflows/book-preview.yml grants:

permissions:
  contents: read
  pull-requests: write

Two problems combine here:

  1. Issue comments require issues: write, not just pull-requests: write.
  2. For PRs from forks, the pull_request workflow token is read-only anyway, so the comment step cannot be relied on even if workflow permissions are adjusted.

Suggested fix

Do not fail the preview build when the comment cannot be posted. Options:

  • guard the comment step to same-repo PRs only, or
  • catch 403s in the github-script and log a warning, or
  • mark only the comment step continue-on-error: true.

Avoid switching this build workflow directly to pull_request_target with write credentials while checking out/building untrusted PR code.

Impact

Any fork PR touching book/** can get a red Build book preview check even though mdbook build book succeeds.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions