Is it possible to elevate the permissions for the default GITHUB_TOKEN in a pull_request_review workflow? I have a workflow that assigns write access to the token for the issue_comment event type, but the same workflow only has read access when triggered from a pull_request_review. The pull request originates from a fork.

name: "Prow github actions"
on:
  issue_comment:
    types: [created,edited]
  pull_request_review:
    types: [submitted,edited]
permissions:
  issues: write
  pull-requests: write
jobs:

execute:

runs-on: ubuntu-latest

steps:

- uses: carolynvs/prow-github-actions@trigger-from-review

with:

prow-commands: |

/approve

/lgtm

github-token: "${{ secrets.GITHUB_TOKEN }}"

Elevating permissions works for a pull_request_target event and since pull_request_review also runs from the base ref, and doesn’t use the code from the pull request, I hoped that it would also be safe to elevate permissions.

I can’t tell if I’m doing something wrong, there’s a bug or gap, or if I’m misunderstanding the pull_request_target event and it doesn’t actually use the base ref instead of the pr ref?