Currently, this action, set up the way documented in the recipes, will only work for people pushing branches in the source repo.
If someone forks the repo and opens a PR, the action will fail since it will have a read-only GitHub token (can't make PR comments).
This can be solved by using the pull_request_target trigger, but that means the workflow will run in the context of the source repo (security risk).
I think if we ensure the jobs don't have such permissions, and only the diff job has the write permission, things will be OK.
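As an added worked example of the split being proposed above (this is not code from the thread, the action, or its recipes), here is a pull_request_target workflow where the workflow-level token is read-only, the job that runs the contributor's code holds no write permission, and only the job that posts the comment gets pull-requests: write. The script path ./scripts/diff.sh, the artifact name and the job names are assumptions for illustration.

```yaml
# Added example, not from the original thread or the project it discusses.
# Assumptions: the diff is produced by a hypothetical ./scripts/diff.sh that
# writes diff.txt; the artifact and job names are made up for illustration.
name: PR diff comment

on:
  pull_request_target:   # runs with base-repo context, so restrict what it can do
    types: [opened, synchronize, reopened]

# Default for every job: read-only token. Without this, pull_request_target
# hands a read/write GITHUB_TOKEN to every job, including the one running
# untrusted PR code.
permissions:
  contents: read

jobs:
  diff:
    # Runs the contributor's code, so it must hold no write permission and
    # must not reference any repository secret.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Check out the PR head commit by SHA; the trigger defaults to the
          # base branch, and a pinned SHA cannot be swapped under the job.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in .git/config where PR code could read it.
          persist-credentials: false
      - name: Generate diff (hypothetical project script)
        run: ./scripts/diff.sh > diff.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-diff
          path: diff.txt

  comment:
    # The only job with write permission. It never checks out or executes
    # PR code; diff.txt is treated purely as text to post.
    needs: diff
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pr-diff
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const diff = fs.readFileSync('diff.txt', 'utf8');
            // GitHub comments are capped at 65536 characters; trim defensively.
            const text = diff.length > 60000 ? diff.slice(0, 60000) + '\n[truncated]' : diff;
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.payload.pull_request.number,
              body: '~~~\n' + text + '\n~~~',
            });
```

Two caveats that follow from how pull_request_target works: the workflow-level permissions block only restricts GITHUB_TOKEN, so any other repository secret is still reachable from the diff job if the workflow references it there, and the text posted comes from code the contributor controls, so the comment body should be read as untrusted input. If generating the diff itself needs secrets (for example cloud credentials for a plan), this split does not help, and the untrusted step belongs in a plain pull_request workflow with a separate workflow_run job posting the result.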