Github Action can't comment on PR


I am using a GitHub action that compares benchmark results and posts them as a comment on the PR. This is the actions file: https://github.com/smrpn/criterion-compare-action/blob/move_to_actions/main.js

It says:

try {
  await octokit.issues.createComment({
    ...context.repo,
    issue_number: context.payload.pull_request.number,
    body: resultsAsMarkdown,
  });
} catch (e) {
  // If we can't post to the comment, display results here.
  // forkedRepos only have READ ONLY access on GITHUB_TOKEN
  // https://github.community/t5/GitHub-Actions/quot-Resource-not-accessible-by-integration-quot-for-adding-a/td-p/33925
  const resultsAsObject = convertToTableObject(myOutput);

  fs.writeFile('benchResults.txt', resultsAsObject, (err) => {
    if (err) throw err;
  });
  console.table(resultsAsObject);
  console.log("Failed to comment\n", e);
  core.debug(e);
  core.debug("Failed to comment");
}

I'm using another token made for this purpose (commenting the benchmark results): BENCHMARK_TOKEN. But it does not comment when the PR is from a forked repo. This is the problem right now: https://github.com/hackerchai/casbin-rs/runs/2648902413#step:5:614

What is the fix? I want a comment by the github bot on every PR.


4
Thatkookooguy On

You can use the pull_request_target event to comment on pull requests opened on forks. See more details here.

Notice that this runs on the base of the fork in order to not run unsafe code. Here's an example of using the event.

This is the warning from the GitHub Docs:

Warning: The pull_request_target event is granted a read/write repository token and can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch, and to help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" on the GitHub Security Lab website.
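The warning above can be turned into a pre-merge check on workflow files. The following is an added example, not part of the original answer or of the action's code: it audits a workflow that has already been parsed from YAML into a plain object and reports steps that check out pull request code, or save a cache, under pull_request_target. The function names and the two sample workflows are constructed for illustration.

```javascript
// Added example. Input is a workflow already parsed from YAML into an object.
// Matches expressions that resolve to the pull request's own code.
const PR_HEAD = /github\.event\.pull_request\.head\.|refs\/pull\//;

// "on:" may be a string, a list, or a mapping of event names.
function triggers(on) {
  if (typeof on === "string") return [on];
  if (Array.isArray(on)) return on;
  return Object.keys(on || {});
}

function auditWorkflow(wf) {
  const findings = [];
  // Only pull_request_target gets the read/write token and secrets on forks.
  if (!triggers(wf.on).includes("pull_request_target")) return findings;
  for (const [jobId, job] of Object.entries(wf.jobs || {})) {
    (job.steps || []).forEach((step, i) => {
      const uses = step.uses || "";
      const w = step.with || {};
      const where = `${jobId}.steps[${i}]`;
      const target = `${w.ref || ""} ${w.repository || ""}`;
      if (uses.startsWith("actions/checkout@") && PR_HEAD.test(target)) {
        findings.push(`${where}: checks out pull request code with a privileged token`);
      }
      // actions/cache saves at job end; the cache scope is shared with the base branch.
      if (uses.startsWith("actions/cache@")) {
        findings.push(`${where}: saves a cache in the base branch scope`);
      }
    });
  }
  return findings;
}

// Constructed sample: benchmarks the PR head under pull_request_target.
const risky = { on: { pull_request_target: {} }, jobs: { bench: { steps: [
  { uses: "actions/checkout@v4", with: { ref: "${{ github.event.pull_request.head.sha }}" } },
  { run: "cargo bench" },
] } } };

// Constructed sample: default checkout (base branch) and a comment step only.
const safe = { on: ["pull_request_target"], jobs: { comment: { steps: [
  { uses: "actions/checkout@v4" },
  { uses: "actions/github-script@v7", with: { script: "/* post comment */" } },
] } } };

console.log(auditWorkflow(risky));
console.log(auditWorkflow(safe));
```
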