mirror of
https://github.com/QwenLM/qwen-code.git
synced 2026-07-09 17:19:02 +00:00
fix(ci): use CI_BOT_PAT for precheck comment on fork PRs (#6151)
* fix(ci): use CI_BOT_PAT for precheck comment on fork PRs The precheck workflow's "Upsert/Clear manual approval comment" steps fail with HTTP 403 on fork PRs because `github.token` from `pull_request_target` via `workflow_call` lacks sufficient permissions to read/write issue comments. - Use `secrets.CI_BOT_PAT || github.token` for the comment steps - Add `secrets: inherit` to both caller workflows so the reusable workflow can access CI_BOT_PAT - Drop the `.user.login == "github-actions[bot]"` filter from the jq query since the HTML comment marker is sufficient and the posting user may differ depending on which token is used * fix(ci): scope precheck comment dedup to known bot users Narrow the jq filter to match comments from github-actions[bot], qwen-code-ci-bot, or any Bot-type user — prevents a manually posted marker from hijacking the dedup logic. * ci: pass only precheck bot token
This commit is contained in:
parent
b1c5950606
commit
4537cc3c71
3 changed files with 11 additions and 4 deletions
2
.github/workflows/qwen-code-pr-review.yml
vendored
2
.github/workflows/qwen-code-pr-review.yml
vendored
|
|
@ -68,6 +68,8 @@ jobs:
|
|||
pull-requests: 'read'
|
||||
issues: 'write'
|
||||
uses: './.github/workflows/qwen-pr-safety-precheck.yml'
|
||||
secrets:
|
||||
CI_BOT_PAT: '${{ secrets.CI_BOT_PAT }}'
|
||||
|
||||
ack-review-request:
|
||||
# KEEP IN SYNC with review-pr.if (explicit-trigger branches).
|
||||
|
|
|
|||
11
.github/workflows/qwen-pr-safety-precheck.yml
vendored
11
.github/workflows/qwen-pr-safety-precheck.yml
vendored
|
|
@ -2,6 +2,9 @@ name: 'Qwen PR Safety Precheck'
|
|||
|
||||
on:
|
||||
workflow_call:
|
||||
secrets:
|
||||
CI_BOT_PAT:
|
||||
required: false
|
||||
outputs:
|
||||
decision:
|
||||
description: 'allow_triage or manual_required'
|
||||
|
|
@ -70,7 +73,7 @@ jobs:
|
|||
- name: 'Upsert manual approval comment'
|
||||
if: "steps.assess.outputs.decision == 'manual_required'"
|
||||
env:
|
||||
GH_TOKEN: '${{ github.token }}'
|
||||
GH_TOKEN: '${{ secrets.CI_BOT_PAT || github.token }}'
|
||||
PR_NUMBER: '${{ github.event.pull_request.number }}'
|
||||
run: |-
|
||||
set -euo pipefail
|
||||
|
|
@ -80,7 +83,7 @@ jobs:
|
|||
--method GET \
|
||||
--paginate \
|
||||
-F per_page=100 \
|
||||
| jq -sr '[.[][] | select(.body | contains("<!-- qwen-pr-precheck:manual-required -->")) | select(.user.login == "github-actions[bot]")] | last | .id // empty'
|
||||
| jq -sr '[.[][] | select(.body | contains("<!-- qwen-pr-precheck:manual-required -->")) | select(.user.login == "github-actions[bot]" or .user.login == "qwen-code-ci-bot" or (.user.type == "Bot"))] | last | .id // empty'
|
||||
)"
|
||||
if [ -n "$existing_id" ]; then
|
||||
gh api \
|
||||
|
|
@ -97,7 +100,7 @@ jobs:
|
|||
- name: 'Clear manual approval comment'
|
||||
if: "steps.assess.outputs.decision == 'allow_triage'"
|
||||
env:
|
||||
GH_TOKEN: '${{ github.token }}'
|
||||
GH_TOKEN: '${{ secrets.CI_BOT_PAT || github.token }}'
|
||||
PR_NUMBER: '${{ github.event.pull_request.number }}'
|
||||
run: |-
|
||||
set -euo pipefail
|
||||
|
|
@ -107,7 +110,7 @@ jobs:
|
|||
--method GET \
|
||||
--paginate \
|
||||
-F per_page=100 \
|
||||
| jq -sr '[.[][] | select(.body | contains("<!-- qwen-pr-precheck:manual-required -->")) | select(.user.login == "github-actions[bot]")] | last | .id // empty'
|
||||
| jq -sr '[.[][] | select(.body | contains("<!-- qwen-pr-precheck:manual-required -->")) | select(.user.login == "github-actions[bot]" or .user.login == "qwen-code-ci-bot" or (.user.type == "Bot"))] | last | .id // empty'
|
||||
)"
|
||||
if [ -n "$existing_id" ]; then
|
||||
gh api \
|
||||
|
|
|
|||
2
.github/workflows/qwen-triage.yml
vendored
2
.github/workflows/qwen-triage.yml
vendored
|
|
@ -34,6 +34,8 @@ jobs:
|
|||
github.event_name == 'pull_request_target' &&
|
||||
github.event.pull_request.head.repo.full_name != github.repository
|
||||
uses: './.github/workflows/qwen-pr-safety-precheck.yml'
|
||||
secrets:
|
||||
CI_BOT_PAT: '${{ secrets.CI_BOT_PAT }}'
|
||||
|
||||
authorize:
|
||||
needs: ['precheck-pr']
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue