Creating the comment will not work when someone creates a pull request from a fork. The ‘GITHUB_TOKEN’ secret is still passed to the workflow, but it has only read permissions, so it cannot create or update anything. If that were not the case, anyone could open a pull request that changes the code of the pr-comment.js script to do something malicious with your repository.
For now, you can prevent the job from running altogether when the pull request comes from a fork by adding an ‘if’ condition to the job. In a workflow file the event payload is exposed through the ‘github.event’ context, so the condition reads:

```yaml
# ...
jobs:
  pr_comment:
    runs-on: ubuntu-latest
    # Skip the whole job when the head branch lives in a fork, where
    # GITHUB_TOKEN is read-only and the comment could not be created anyway.
    if: github.event.pull_request.head.repo.fork == false
    steps:
      # ...
```
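The workflow-level condition above stops the job before it starts. A script can apply the same check on its own, so that when it is run from a job without that guard it skips the comment with a readable log line instead of failing with a permission error. The following is an added example, not the post's own pr-comment.js; it assumes the script is handed the parsed pull request event payload (the JSON GitHub Actions writes to the event file), that the head repository's ‘fork’ flag and ‘full_name’ follow GitHub's pull request payload, and that ‘head.repo’ may be absent when the fork has since been deleted.

```javascript
// Added example (not the original post's pr-comment.js): decide inside the
// script whether creating the comment can succeed, given that GITHUB_TOKEN is
// read-only for pull requests from forks.
//
// Assumed payload shape (GitHub pull_request event):
//   { pull_request: { head: { repo: { full_name, fork } },
//                     base: { repo: { full_name } } } }
//   head.repo is assumed to be null when the fork repository was deleted.

/**
 * Returns true when the head branch lives in a different repository than the
 * base branch, i.e. the pull request comes from a fork.
 * A missing head repository is treated as a fork, so an incomplete payload
 * gets the conservative answer rather than a comment attempt that fails.
 */
function isForkPullRequest(eventPayload) {
  const pr = eventPayload && eventPayload.pull_request;
  if (!pr || !pr.base || !pr.base.repo || !pr.base.repo.full_name) {
    throw new Error("payload does not describe a pull request");
  }
  const headRepo = pr.head && pr.head.repo;
  if (!headRepo) {
    return true;
  }
  if (headRepo.fork === true) {
    return true;
  }
  // Do not rely on the `fork` flag alone: a branch of the base repository
  // always reports the same full_name as base.repo.
  return headRepo.full_name !== pr.base.repo.full_name;
}

/**
 * Decides whether the script should attempt to create the comment.
 * Returns { comment, reason } so the workflow log explains a skip instead of
 * showing a 403 from the API.
 */
function commentDecision(eventPayload) {
  if (isForkPullRequest(eventPayload)) {
    return {
      comment: false,
      reason: "pull request comes from a fork; GITHUB_TOKEN is read-only there",
    };
  }
  return { comment: true, reason: "pull request from the base repository" };
}

// Constructed sample payloads, reduced to the fields the check needs.
const sameRepoPayload = {
  pull_request: {
    head: { repo: { full_name: "acme/app", fork: false } },
    base: { repo: { full_name: "acme/app" } },
  },
};
const forkPayload = {
  pull_request: {
    head: { repo: { full_name: "alice/app", fork: true } },
    base: { repo: { full_name: "acme/app" } },
  },
};
const deletedForkPayload = {
  pull_request: {
    head: { repo: null },
    base: { repo: { full_name: "acme/app" } },
  },
};

// Usage: log the decision for each constructed payload.
for (const [name, payload] of [
  ["same repository", sameRepoPayload],
  ["fork", forkPayload],
  ["deleted fork", deletedForkPayload],
]) {
  const decision = commentDecision(payload);
  console.log(
    `${name}: ${decision.comment ? "creating comment" : "skipping comment"} (${decision.reason})`
  );
}
```

In a real script the payload would be read from the file named by the GITHUB_EVENT_PATH environment variable; the constructed objects stand in for it here so the check runs offline.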
Another alternative is to use GitHub Apps instead, which I will cover in my next blog post.