Prettier diff as comment on PRs about al-folio HOT 4 CLOSED

I was just looking at the permissions section of actions-comment-pull-request, noticed the following:

Note that, if the PR comes from a fork, it will have only read permission despite the permissions given in the action for the pull_request event. In this case, you may use the pull_request_target event. With this event, permissions can be given without issue (the difference is that it will execute the action from the target branch and not from the origin PR).

in other words, if anyone besides me opens a PR, the action won't not have the write permission and will fail. most of the contributions are coming from forks, so this is suboptimal. do you know if there's a workaround?

from al-folio.

I thought that the solution would be creating a token with permission to write PRs and pass it to actions-comment-pull-request, but now I don't think it solves it.

In their repo they recommend using pull_request_target as a way of bypassing this limitation. However GitHub itself doesn't recommend this as it could open holes for security breaches. At least they don't recommend building and writing to PR in the same action with pull_request_target. That's why I splitted it into 2. But the thing is, I don't know how to make the second one only run if the prettier check fails AND pull_request_target triggers, so that we could have the permissions needed without doing build on this workflow.

from al-folio.

Just opened a question on stackoverflow. Let's see if a solution comes up.

from al-folio.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from al-folio.