fix(ci): use CI_BOT_PAT for precheck comment on fork PRs (#6151)
Some checks are pending
E2E Tests / E2E Test (Linux) - sandbox:docker (push) Waiting to run
E2E Tests / E2E Test (Linux) - sandbox:none (push) Waiting to run
E2E Tests / E2E Test - macOS (push) Waiting to run

* fix(ci): use CI_BOT_PAT for precheck comment on fork PRs

The precheck workflow's "Upsert/Clear manual approval comment" steps
fail with HTTP 403 on fork PRs because `github.token` from
`pull_request_target` via `workflow_call` lacks sufficient permissions
to read/write issue comments.

- Use `secrets.CI_BOT_PAT || github.token` for the comment steps
- Add `secrets: inherit` to both caller workflows so the reusable
  workflow can access CI_BOT_PAT
- Drop the `.user.login == "github-actions[bot]"` filter from the jq
  query since the HTML comment marker is sufficient and the posting
  user may differ depending on which token is used

* fix(ci): scope precheck comment dedup to known bot users

Narrow the jq filter to match comments from github-actions[bot],
qwen-code-ci-bot, or any Bot-type user — prevents a manually posted
marker from hijacking the dedup logic.

* ci: pass only precheck bot token
This commit is contained in:
易良 2026-07-02 11:04:37 +08:00 committed by GitHub
parent b1c5950606
commit 4537cc3c71
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 11 additions and 4 deletions

View file

@ -68,6 +68,8 @@ jobs:
pull-requests: 'read'
issues: 'write'
uses: './.github/workflows/qwen-pr-safety-precheck.yml'
secrets:
CI_BOT_PAT: '${{ secrets.CI_BOT_PAT }}'
ack-review-request:
# KEEP IN SYNC with review-pr.if (explicit-trigger branches).

View file

@ -2,6 +2,9 @@ name: 'Qwen PR Safety Precheck'
on:
workflow_call:
secrets:
CI_BOT_PAT:
required: false
outputs:
decision:
description: 'allow_triage or manual_required'
@ -70,7 +73,7 @@ jobs:
- name: 'Upsert manual approval comment'
if: "steps.assess.outputs.decision == 'manual_required'"
env:
GH_TOKEN: '${{ github.token }}'
GH_TOKEN: '${{ secrets.CI_BOT_PAT || github.token }}'
PR_NUMBER: '${{ github.event.pull_request.number }}'
run: |-
set -euo pipefail
@ -80,7 +83,7 @@ jobs:
--method GET \
--paginate \
-F per_page=100 \
| jq -sr '[.[][] | select(.body | contains("<!-- qwen-pr-precheck:manual-required -->")) | select(.user.login == "github-actions[bot]")] | last | .id // empty'
| jq -sr '[.[][] | select(.body | contains("<!-- qwen-pr-precheck:manual-required -->")) | select(.user.login == "github-actions[bot]" or .user.login == "qwen-code-ci-bot" or (.user.type == "Bot"))] | last | .id // empty'
)"
if [ -n "$existing_id" ]; then
gh api \
@ -97,7 +100,7 @@ jobs:
- name: 'Clear manual approval comment'
if: "steps.assess.outputs.decision == 'allow_triage'"
env:
GH_TOKEN: '${{ github.token }}'
GH_TOKEN: '${{ secrets.CI_BOT_PAT || github.token }}'
PR_NUMBER: '${{ github.event.pull_request.number }}'
run: |-
set -euo pipefail
@ -107,7 +110,7 @@ jobs:
--method GET \
--paginate \
-F per_page=100 \
| jq -sr '[.[][] | select(.body | contains("<!-- qwen-pr-precheck:manual-required -->")) | select(.user.login == "github-actions[bot]")] | last | .id // empty'
| jq -sr '[.[][] | select(.body | contains("<!-- qwen-pr-precheck:manual-required -->")) | select(.user.login == "github-actions[bot]" or .user.login == "qwen-code-ci-bot" or (.user.type == "Bot"))] | last | .id // empty'
)"
if [ -n "$existing_id" ]; then
gh api \

View file

@ -34,6 +34,8 @@ jobs:
github.event_name == 'pull_request_target' &&
github.event.pull_request.head.repo.full_name != github.repository
uses: './.github/workflows/qwen-pr-safety-precheck.yml'
secrets:
CI_BOT_PAT: '${{ secrets.CI_BOT_PAT }}'
authorize:
needs: ['precheck-pr']