From 4537cc3c71b22411cd978ae4e8e40580f620ce0c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=98=93=E8=89=AF?= <1204183885@qq.com> Date: Thu, 2 Jul 2026 11:04:37 +0800 Subject: [PATCH] fix(ci): use CI_BOT_PAT for precheck comment on fork PRs (#6151) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix(ci): use CI_BOT_PAT for precheck comment on fork PRs The precheck workflow's "Upsert/Clear manual approval comment" steps fail with HTTP 403 on fork PRs because `github.token` from `pull_request_target` via `workflow_call` lacks sufficient permissions to read/write issue comments. - Use `secrets.CI_BOT_PAT || github.token` for the comment steps - Add `secrets: inherit` to both caller workflows so the reusable workflow can access CI_BOT_PAT - Drop the `.user.login == "github-actions[bot]"` filter from the jq query since the HTML comment marker is sufficient and the posting user may differ depending on which token is used * fix(ci): scope precheck comment dedup to known bot users Narrow the jq filter to match comments from github-actions[bot], qwen-code-ci-bot, or any Bot-type user — prevents a manually posted marker from hijacking the dedup logic. * ci: pass only precheck bot token --- .github/workflows/qwen-code-pr-review.yml | 2 ++ .github/workflows/qwen-pr-safety-precheck.yml | 11 +++++++---- .github/workflows/qwen-triage.yml | 2 ++ 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/qwen-code-pr-review.yml b/.github/workflows/qwen-code-pr-review.yml index 4c307c2254..fa788e1265 100644 --- a/.github/workflows/qwen-code-pr-review.yml +++ b/.github/workflows/qwen-code-pr-review.yml @@ -68,6 +68,8 @@ jobs: pull-requests: 'read' issues: 'write' uses: './.github/workflows/qwen-pr-safety-precheck.yml' + secrets: + CI_BOT_PAT: '${{ secrets.CI_BOT_PAT }}' ack-review-request: # KEEP IN SYNC with review-pr.if (explicit-trigger branches). diff --git a/.github/workflows/qwen-pr-safety-precheck.yml b/.github/workflows/qwen-pr-safety-precheck.yml index 3e73b6b872..609bc89445 100644 --- a/.github/workflows/qwen-pr-safety-precheck.yml +++ b/.github/workflows/qwen-pr-safety-precheck.yml @@ -2,6 +2,9 @@ name: 'Qwen PR Safety Precheck' on: workflow_call: + secrets: + CI_BOT_PAT: + required: false outputs: decision: description: 'allow_triage or manual_required' @@ -70,7 +73,7 @@ jobs: - name: 'Upsert manual approval comment' if: "steps.assess.outputs.decision == 'manual_required'" env: - GH_TOKEN: '${{ github.token }}' + GH_TOKEN: '${{ secrets.CI_BOT_PAT || github.token }}' PR_NUMBER: '${{ github.event.pull_request.number }}' run: |- set -euo pipefail @@ -80,7 +83,7 @@ jobs: --method GET \ --paginate \ -F per_page=100 \ - | jq -sr '[.[][] | select(.body | contains("")) | select(.user.login == "github-actions[bot]")] | last | .id // empty' + | jq -sr '[.[][] | select(.body | contains("")) | select(.user.login == "github-actions[bot]" or .user.login == "qwen-code-ci-bot" or (.user.type == "Bot"))] | last | .id // empty' )" if [ -n "$existing_id" ]; then gh api \ @@ -97,7 +100,7 @@ jobs: - name: 'Clear manual approval comment' if: "steps.assess.outputs.decision == 'allow_triage'" env: - GH_TOKEN: '${{ github.token }}' + GH_TOKEN: '${{ secrets.CI_BOT_PAT || github.token }}' PR_NUMBER: '${{ github.event.pull_request.number }}' run: |- set -euo pipefail @@ -107,7 +110,7 @@ jobs: --method GET \ --paginate \ -F per_page=100 \ - | jq -sr '[.[][] | select(.body | contains("")) | select(.user.login == "github-actions[bot]")] | last | .id // empty' + | jq -sr '[.[][] | select(.body | contains("")) | select(.user.login == "github-actions[bot]" or .user.login == "qwen-code-ci-bot" or (.user.type == "Bot"))] | last | .id // empty' )" if [ -n "$existing_id" ]; then gh api \ diff --git a/.github/workflows/qwen-triage.yml b/.github/workflows/qwen-triage.yml index 4f3ad2a348..998ec39842 100644 --- a/.github/workflows/qwen-triage.yml +++ b/.github/workflows/qwen-triage.yml @@ -34,6 +34,8 @@ jobs: github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository uses: './.github/workflows/qwen-pr-safety-precheck.yml' + secrets: + CI_BOT_PAT: '${{ secrets.CI_BOT_PAT }}' authorize: needs: ['precheck-pr']