fix(ci): tolerate missing PR comment permissions

error311 · error311 · commit 9f88af63f13b · 2026-05-11T00:42:02.000-04:00
diff --git a/.github/workflows/runglass-receipt.yml b/.github/workflows/runglass-receipt.yml
@@ -8,7 +8,7 @@ on:
 permissions:
   contents: read
   issues: write
-  pull-requests: read
+  pull-requests: write
 
 env:
   CARGO_TERM_COLOR: always
@@ -40,6 +40,9 @@ jobs:
 
       - name: Comment RunGlass receipt on PR
         if: always() && github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && hashFiles('runglass-receipt/receipt.json') != ''
-        run: runglass github comment --receipt runglass-receipt/receipt.json --auto
+        run: |
+          if ! runglass github comment --receipt runglass-receipt/receipt.json --auto; then
+            echo "::warning::RunGlass could not post a PR comment. The receipt artifact was uploaded; check workflow token permissions."
+          fi
         env:
           GITHUB_TOKEN: ${{ github.token }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,7 +5,7 @@
 - Made `cargo install runglass --locked` the primary README install path and documented local checkout installation separately.
 - Added a Linux-first platform support matrix with explicit macOS and Windows observation limitations.
 - Added a RunGlass dogfood GitHub Actions workflow that runs workspace tests through `runglass ci`, uploads the receipt artifact, and comments on pull requests when permissions allow.
-- Tightened GitHub Actions examples to avoid comment attempts on forked pull requests without write permission.
+- Tightened GitHub Actions examples to avoid comment attempts on forked pull requests without write permission and to keep receipt artifact workflows green when PR comment permissions are unavailable.
 - Documented GitHub release binary archives and SHA-256 checksum artifacts for Linux x86_64 releases, and made the release artifact workflow install Rust explicitly before building.
 - Focused the README demo section around one canonical receipt while keeping secondary demo links available.
 
diff --git a/docs/ci.md b/docs/ci.md
@@ -61,6 +61,8 @@ The PR comment API does not attach files directly. The workflow uploads `runglas
 
 RunGlass dogfoods this pattern in [`.github/workflows/runglass-receipt.yml`](../.github/workflows/runglass-receipt.yml). Pull requests run the workspace tests through `runglass ci`, upload the receipt directory, and update one RunGlass PR comment when the workflow has permission to write issue comments.
 
+If GitHub returns `Resource not accessible by integration`, the receipt artifact is still the source of truth. The PR comment token did not receive comment-write permission, commonly because the workflow is running from a fork or repository Actions settings restrict write permissions.
+
 ## GitLab CI
 
 Use the example at [`docs/examples/gitlab-runglass-receipt.yml`](examples/gitlab-runglass-receipt.yml).
diff --git a/docs/examples/github-actions-runglass-receipt.yml b/docs/examples/github-actions-runglass-receipt.yml
@@ -7,7 +7,7 @@ on:
 permissions:
   contents: read
   issues: write
-  pull-requests: read
+  pull-requests: write
 
 jobs:
   receipt:
@@ -32,6 +32,9 @@ jobs:
 
       - name: Comment RunGlass receipt on PR
         if: always() && github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && hashFiles('runglass-receipt/receipt.json') != ''
-        run: runglass github comment --receipt runglass-receipt/receipt.json --auto
+        run: |
+          if ! runglass github comment --receipt runglass-receipt/receipt.json --auto; then
+            echo "::warning::RunGlass could not post a PR comment. The receipt artifact was uploaded; check workflow token permissions."
+          fi
         env:
           GITHUB_TOKEN: ${{ github.token }}
diff --git a/examples/ci/github-actions.yml b/examples/ci/github-actions.yml
@@ -7,7 +7,7 @@ on:
 permissions:
   contents: read
   issues: write
-  pull-requests: read
+  pull-requests: write
 
 jobs:
   receipt:
@@ -32,6 +32,9 @@ jobs:
 
       - name: Comment RunGlass receipt on PR
         if: always() && github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork && hashFiles('runglass-receipt/receipt.json') != ''
-        run: runglass github comment --receipt runglass-receipt/receipt.json --auto
+        run: |
+          if ! runglass github comment --receipt runglass-receipt/receipt.json --auto; then
+            echo "::warning::RunGlass could not post a PR comment. The receipt artifact was uploaded; check workflow token permissions."
+          fi
         env:
           GITHUB_TOKEN: ${{ github.token }}
