Thanks! Been really hoping to avoid using a PAT because that widens the attack possibilities with it significantly rather than reducing it. And just setting the issues to write permissions works fine when I make the PR. But any external party still gets blocked, currently attempting the route as described here: "Error: Resource not accessible by integration" when using Dependabot · Issue #298 · marocchino/sticky-pull-request-comment · GitHub

Still feels as way to much work for something that should be handled more securely by the platform. Right now having to jump through hoops makes it to easy to implement something insecurely.

Btw, I’m shocked to see anyone using actions/checkout@v1 at this point.

  <a href="https://github.com/actions/checkout/tree/releases/v1" target="_blank" rel="noopener nofollow ugc">github.com</a>

actions/checkout

releases/v1

Action for checking out a repo. Contribute to actions/checkout development by creating an account on GitHub.

v1 has been dead since:

  <a href="https://github.com/actions/checkout/commit/0b496e91ec7ae4428c3ed2eeb4c3a40df431f2cc" target="_blank" rel="noopener nofollow ugc">github.com/actions/checkout</a>

<div class="github-info">
  <div class="date">
    committed <span class="discourse-local-date" data-format="ll" data-date="2019-10-25" data-time="14:52:59" data-timezone="UTC">02:52PM - 25 Oct 19 UTC</span>
  </div>

  <div class="user">
    <a href="https://github.com/TingluoHuang" target="_blank" rel="noopener nofollow ugc">
      <img alt="TingluoHuang" src="https://user-images.githubusercontent.com/2119212/181099034-45ce1c49-c41a-43c6-998b-0f75fcad50fb.png" class="onebox-avatar-inline" width="20" height="20">
      TingluoHuang
    </a>
  </div>

  <div class="lines" title="changed 3 files with 54 additions and 7 deletions">
    <a href="https://github.com/actions/checkout/commit/0b496e91ec7ae4428c3ed2eeb4c3a40df431f2cc" target="_blank" rel="noopener nofollow ugc">
      <span class="added">+54</span>
      <span class="removed">-7</span>
    </a>
  </div>
</div>

Why? That commit is included in the v1 tag, I’m rather shocked that you didn’t notice that as it’s right there when you open the page:

image811×418 22 KB

Because v2 was a major change from v1; v1 is clearly not getting updates. So, unless there’s a specific reason to use v1, one really shouldn’t.

  <a href="https://github.com/actions/checkout/releases/tag/v2.0.0" target="_blank" rel="noopener nofollow ugc">GitHub</a>

Release v2.0.0 · actions/checkout

Improved fetch performance

The default behavior now fetches only the commit being checked-out

Script authenticated git commands

Persists the input token in the local git config
Enables your scr...

Ow absolutely, most of my workflows (that I haven’t forgotten to update) are running on v2, especially ones with big repositories. However, that specific action I’ve build has a very specific git use case that I’ve been unable to get working on v2, so yeah it uses v1 because that just works.

I should note that while commenting requires permissions, if all you want is to provide a report, there’s a new feature called a job summary:

  <a href="https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/" target="_blank" rel="noopener" title="04:00PM - 09 May 2022">The GitHub Blog – 9 May 22</a>

Supercharging GitHub Actions with Job Summaries | The GitHub Blog

You can now output and group custom Markdown content on the Actions run summary page.

Est. reading time: 3 minutes

… and it doesn’t require additional permissions.

Does it support updating the same summary if you push again to the same PR?

Summaries are assigned to jobs, so each job gets its own summary.

Roughly it ends up being a non-issue.

Note: I haven’t deployed this feature (for various reasons). I might be able to in June or July.

Also still need to check it out, but if only the latest summary is shown on the PR page it could work. Will see if I can have a try at this soon

I believe they’re basically only reachable via the ✅/❌ for the commit or the summary box at the bottom of the PR.