Skip to content

Fix benchmark workflow permissions for fork PRs#3459

Merged
EwoutH merged 1 commit intomesa:mainfrom
EwoutH:bench_test
Mar 6, 2026
Merged

Fix benchmark workflow permissions for fork PRs#3459
EwoutH merged 1 commit intomesa:mainfrom
EwoutH:bench_test

Conversation

@EwoutH
Copy link
Copy Markdown
Member

@EwoutH EwoutH commented Mar 6, 2026

Summary

Fixes the 403 "Resource not accessible by integration" error when the benchmark workflow tries to comment on PRs from forks.

Bug / Issue

After switching the benchmark workflow from pull_request_target to pull_request, the comment step fails with a 403 for fork PRs. The pull_request event restricts the GITHUB_TOKEN to read-only for forks, regardless of declared permissions. Splitting into two jobs within the same workflow doesn't help (both jobs share the same restricted token.)

Implementation

Split the single workflow into two files:

  1. benchmarks.yml: Runs on pull_request with read-only permissions. Executes the benchmarks on both main and the PR branch, then uploads the comparison output and PR number as artifacts.
  2. benchmarks-comment.yml: Triggers on workflow_run completion. Since workflow_run always runs in the base repo context, it has write permissions. Downloads the artifacts and posts the comment.

This follows GitHub's recommended pattern for workflows that need write access on fork PRs.

As a side benefit, the base64 encoding workaround for passing the comparison output is no longer needed — results are passed as plain text through artifacts.

Testing

  • Verified on a fork PR that the benchmark job completes and uploads artifacts: Test benchmark fix EwoutH/mesa#26
  • Verified that the workflow_run job picks up the artifacts and posts the comment successfully.

Additional Notes

  • The workflow_run job only runs when the benchmark workflow succeeds (conclusion == 'success').
  • If we ever want to move back to a single-workflow approach, pull_request_target would work but requires careful handling of the checkout step to avoid running untrusted code with elevated permissions.

@EwoutH
Fix benchmark workflow permissions for fork PRs
409dce6 
Split the benchmark workflow into two files to resolve the "Resource not accessible by integration" error (403) when commenting on PRs from forks.

The `pull_request` event gives a read-only token for fork PRs, so the comment step always fails. Using a separate `workflow_run` workflow for commenting runs in the base repo context, which has write permissions.

Also removes the base64 encoding workaround by passing results through artifacts directly as text files.
@EwoutH EwoutH requested a review from quaquel March 6, 2026 08:32
@EwoutH EwoutH added ci Release notes label maintenance Release notes label labels Mar 6, 2026
@EwoutH EwoutH requested review from jackiekazil March 6, 2026 10:03
@quaquel quaquel added the trigger-benchmarks Special label that triggers the benchmarking CI label Mar 6, 2026
@quaquel
Copy link
Copy Markdown
Member

quaquel commented Mar 6, 2026

I triggered the benchmarks but no result is uploaded. Not sure if this is the correct way to test this?

@EwoutH
Copy link
Copy Markdown
Member Author

EwoutH commented Mar 6, 2026

No it will only work after it's merged. I tested on my local fork:

This is a GitHub limitation by design: the workflow_run workflow is always loaded from the target branch (in our case main), not from the PR branch. This is a security measure to prevent anyone from modifying CI configuration in a PR to gain elevated permissions, which is exactly the kind of exploit that the pull_request_target to pull_request + workflow_run migration is meant to address.

That's also why @jackiekazil's #3438 seemed to work: It was still using the correct (working) config from main.

@EwoutH EwoutH merged commit 4af8e24 into mesa:main Mar 6, 2026
19 checks passed
@jackiekazil
Copy link
Copy Markdown
Member

jackiekazil commented Mar 6, 2026

Thank you @EwoutH, @quaquel

@quaquel quaquel mentioned this pull request Mar 6, 2026
Closed
1 task
@EwoutH
Copy link
Copy Markdown
Member Author

EwoutH commented Mar 6, 2026

Validated: #3461 (comment)

EwoutH added a commit that referenced this pull request Mar 15, 2026
@EwoutH
Fix benchmark workflow permissions for fork PRs (#3459)
bf1dbd2 
Split the benchmark workflow into two files to resolve the "Resource not accessible by integration" error (403) when commenting on PRs from forks.

The `pull_request` event gives a read-only token for fork PRs, so the comment step always fails. Using a separate `workflow_run` workflow for commenting runs in the base repo context, which has write permissions.

Also removes the base64 encoding workaround by passing results through artifacts directly as text files.
EwoutH added a commit that referenced this pull request Mar 15, 2026
@EwoutH
Fix benchmark workflow permissions for fork PRs (#3459)
c46c3be 
Split the benchmark workflow into two files to resolve the "Resource not accessible by integration" error (403) when commenting on PRs from forks.

The `pull_request` event gives a read-only token for fork PRs, so the comment step always fails. Using a separate `workflow_run` workflow for commenting runs in the base repo context, which has write permissions.

Also removes the base64 encoding workaround by passing results through artifacts directly as text files.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@quaquel quaquel quaquel approved these changes

@jackiekazil jackiekazil Awaiting requested review from jackiekazil

Assignees

No one assigned

Labels

ci Release notes label maintenance Release notes label trigger-benchmarks Special label that triggers the benchmarking CI

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@EwoutH @quaquel @jackiekazil