
ci(test): fix coverage comment for fork PRs via workflow_run split#64

Merged
benner merged 1 commit into main from ci/fix-fork-pr-coverage-comment
May 1, 2026

@benner benner commented May 1, 2026

Fork PRs get a read-only token on pull_request, so the coverage comment
was silently dropped. Split into two workflows following the GitHub
Security Lab secure pattern: test.yml saves coverage.xml and the PR
number as an artifact; coverage-comment.yml triggers on workflow_run
with pull-requests: write to download the artifact and post the comment.

https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

Signed-off-by: Nerijus Bendžiūnas <nerijus.bendziunas@gmail.com>
@benner benner marked this pull request as ready for review May 1, 2026 03:40
@benner benner merged commit 84d314c into main May 1, 2026
4 checks passed
@benner benner deleted the ci/fix-fork-pr-coverage-comment branch May 1, 2026 03:40
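
The two-workflow split described in this PR, sketched as an added example (not the repository's actual workflow files). The workflow name `test`, the artifact name `coverage`, the pytest command and the comment text are assumptions.

```yaml
# .github/workflows/test.yml (untrusted side: runs fork code with a read-only token)
name: test                      # assumed name; the second workflow refers to it
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install pytest pytest-cov && pytest --cov --cov-report=xml  # assumed test command
      - run: |
          mkdir -p pr
          cp coverage.xml pr/
          echo "${{ github.event.number }}" > pr/number
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: pr/
---
# .github/workflows/coverage-comment.yml (trusted side: never checks out or runs PR code)
name: coverage-comment
on:
  workflow_run:
    workflows: [test]
    types: [completed]
permissions:
  actions: read                 # required to download another run's artifact
  pull-requests: write
jobs:
  comment:
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: coverage
          path: pr
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - name: Validate artifact contents and post comment
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          pr="$(cat pr/number)"
          # Artifact content comes from the fork's run: accept digits only.
          case "$pr" in ''|*[!0-9]*) echo "bad PR number" >&2; exit 1 ;; esac
          # Keep only digits and dots from the first line-rate attribute.
          rate="$(grep -o 'line-rate="[0-9.]*"' pr/coverage.xml | head -n1 | tr -cd '0-9.')"
          gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --body "Coverage line-rate: ${rate}"
```

The privileged workflow treats everything in the artifact as data: it parses and filters the values and never executes or sources a file that came from the pull request run.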