We want every PR to run a Rust static analyzer and comment on the PR if it finds anything wrong:
Unfortunately, it seems like the GITHUB_TOKEN used is the one from the forked repo, which doesn’t allow posting comments on the PR.
I thought for a few seconds about using a bot account token for this, but same problem: either it’s only set in the secrets of the main repo, and PRs won’t be able to use it, or it is in the clear and everyone can abuse it.
How can we fix this? Thanks!
PS: it seems like this is documented here
The permissions for the GITHUB_TOKEN in forked repositories is read-only