Commenting on a PR originating from a forked repo

Hello,

We want every PR to run a rust static analyzer and comment on the PR if it finds anything wrong:

https://github.com/libra/libra/blob/master/.github/workflows/rust-mirai.yml#L81

Unfortunately it seems like the GITHUB_TOKEN used is the one from the forked repo, which doesn’t allow posting comments on the PR.

I thought for a few seconds about using a bot account token for this, but same problem: either it’s only set in the secrets of the main repo, and PRs won’t be able to use it, or it is in the clear and everyone can abuse it.

How can we fix this? Thanks!

PS: it seems like this is documented here

The permissions for the GITHUB_TOKEN in forked repositories is read-only

Currently, GitHub does not support the forked repository using secrets on the main repository. And we also did not find any available alternative workaround.

We should force this problem in some way, for example with this tweet. After more than half a year we still don’t have a solution. One of the reasons can be “not high priority / not many feature requests”, so we need to show how important this feature is for open source.

Just curious, would it be enough if they fixed Inconsistent "on: issue" behaviour properly?

I stumbled upon it when trying to do something similar and don’t really mind if the workflow were to run master.