I want to raise an issue about the GITHUB_TOKEN permissions for forked repositories again; it was discussed already here and here, but we at @actions-rs are having problems with it right now and there is still no reasonable solution.
I understand why forked repos have read-only permissions, but it effectively blocks any linters, checkers and audit tools from being implemented as GitHub Actions; for example, it's disallowed to post any data to the Checks API; therefore, it is impossible to create a linter which will validate pull requests from the forked repositories.
Considering how suitable GitHub Actions are for this kind of stuff, it would be nice to address this problem somehow (by executing the Action from the base repository, maybe?).
Even I have raised the same issue before here, and I haven't got any response yet.
Like @svartalf mentioned, since GITHUB_TOKEN has only read-only access for the forked repo, it is effectively BLOCKING the use of any PR Labellers, Linters, unit tests, Audit tools as a GitHub Action.
Even the native GitHub Action Labeller fails and doesn't work for the forked repos, and this has been discussed here. The coveralls GitHub Action also doesn't post a PR comment for the PR from the forked repositories. Hence now, with this restriction, it is impossible to develop an action like labeller which can validate the Pull Requests coming from the forked repositories.
The same issue has been put up on multiple occasions by different awesome developers in this forum and here is the list:
Please kindly take it as HIGH PRIORITY as it is BLOCKING the use of any audit tool actions like Labeller, Linters, code coverage actions for the forked repos and also BLOCKING the developers from developing any of these kinds of actions. The GITHUB_TOKEN should at least have read/write access for the Pull_Request_comment as this is not critical and won't have any write access to the content of the base repository. Since most of the contributions for the open-source project come from the forked repo, it would be really nice to address this issue somehow.
I think that is a very good point.
We are also facing the same problem in all our open-source projects as we are unable to use any of the auditing actions like Labeller or code coverage and unit testing actions because of the restrictions imposed on the actions for the PR coming from the forked repo.
This is a PRIMARY use case and it is stopping us from switching to using these actions for automating the workflow.
If at least the Labeller would be authorized for the PR coming from the forked repository, this would already help to cover some of our use cases.
Thank you for the support of this feature request. I am glad others are also facing the same issue. It would be really nice to get a clarification from the GitHub side.
This is exactly the same issue which we are facing too. All the Pull Request Verification actions like Labeller, coveralls need at best the read/write access for the Pull_Request_Comment. We have currently stalled the development of our PR workflow automation action due to this constraint for the Pull Requests coming from the forks, and this is the only use case for us.