Skip to content

fix: skip pr description updates for fork pull requests#4133

Merged
astandrik merged 1 commit into
mainfrom
codex/skip-fork-pr-description-update
Jul 15, 2026
Merged

fix: skip pr description updates for fork pull requests#4133
astandrik merged 1 commit into
mainfrom
codex/skip-fork-pr-description-update

Conversation

@astandrik

@astandrik astandrik commented Jul 15, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • skip Update PR Description for pull requests opened from forks
  • preserve the existing behavior for branches in ydb-platform/ydb-embedded-ui

Root cause

Fork-based pull_request workflows receive a read-only GITHUB_TOKEN, even when the job declares pull-requests: write. The description update therefore fails with 403 Resource not accessible by integration, as observed in #4130.

Verification

  • parsed .github/workflows/quality.yml with Ruby/Psych
  • compared the branch against main: one commit, one file, one condition changed

CI Results

Test Status: ⚠️ FLAKY

📊 Full Report

Total Passed Failed Flaky Skipped
768 764 0 4 0

😟 No changes in tests. 😕

Bundle Size: ✅

Current: 64.43 MB | Main: 64.43 MB
Diff: 0.00 KB (0.00%)

✅ Bundle size unchanged.

ℹ️ CI Information
  • Test recordings for failed tests are available in the full report.
  • Bundle size is measured for the entire 'dist' directory.
  • 📊 indicates links to detailed reports.
  • 🔺 indicates increase, 🔽 decrease, and ✅ no change in bundle size.

Greptile Summary

This PR fixes a 403 Resource not accessible by integration error that occurs when fork-based pull requests try to update the PR description via the update_pr job, which requires write access that fork workflows do not receive.

  • Adds github.event.pull_request.head.repo.full_name == github.repository to the job-level if condition, which is the canonical GitHub Actions pattern for skipping jobs that need write permissions on fork PRs.
  • The existing behavior for branches originating from ydb-platform/ydb-embedded-ui is fully preserved.

Confidence Score: 5/5

Safe to merge — the single-line addition correctly guards the write-permission job against fork PRs without touching any other workflow logic.

The change is one condition added to a job-level if expression. The guard github.event.pull_request.head.repo.full_name == github.repository is the standard pattern used across the GitHub Actions ecosystem to distinguish same-repo branches from forks. All other jobs in the workflow are unaffected, and the PR description update continues to work normally for first-party branches.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/quality.yml Adds a fork-guard condition to the update_pr job so it only runs on PRs from the same repository, preventing 403 errors on fork PRs.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[pull_request event] --> B{github.event_name == 'pull_request'?}
    B -- No --> Z[Skip update_pr job]
    B -- Yes --> C{head.repo.full_name == github.repository?}
    C -- No\nfork PR --> D[Skip update_pr job\navoids 403 on read-only token]
    C -- Yes\nsame repo --> E[Run update_pr job\nwrite token available]
    E --> F[Update PR description]
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[pull_request event] --> B{github.event_name == 'pull_request'?}
    B -- No --> Z[Skip update_pr job]
    B -- Yes --> C{head.repo.full_name == github.repository?}
    C -- No\nfork PR --> D[Skip update_pr job\navoids 403 on read-only token]
    C -- Yes\nsame repo --> E[Run update_pr job\nwrite token available]
    E --> F[Update PR description]
Loading

Reviews (1): Last reviewed commit: "fix: skip pr description update for fork..." | Re-trigger Greptile

@astandrik
astandrik marked this pull request as ready for review July 15, 2026 18:24
Copilot AI review requested due to automatic review settings July 15, 2026 18:24
@astandrik
astandrik merged commit 14700dd into main Jul 15, 2026
20 checks passed
@astandrik
astandrik deleted the codex/skip-fork-pr-description-update branch July 15, 2026 18:24

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR prevents the “Update PR Description” job in the Quality Checks workflow from running on pull requests opened from forks, avoiding the known GITHUB_TOKEN permission limitation that causes 403 Resource not accessible by integration. It preserves existing behavior for PRs opened from branches within ydb-platform/ydb-embedded-ui.

Changes:

  • Gate the update_pr job so it only runs for pull_request events where the PR head repository matches the base repository (github.event.pull_request.head.repo.full_name == github.repository).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants