

1.1.3.3 Secrets and pull requests from forks

Creating the comment will not work when someone creates a pull request from a fork. The ‘GITHUB_TOKEN’ secret is still passed, but it has only read permissions; it cannot create or update anything. If that were not the case, anyone could open a pull request that changes the pr-comment.js script to do something malicious with your repository.

For now, you can prevent the job from running altogether when the pull request comes from a fork by adding an if statement:

# ...

jobs:
  pr_comment:
    runs-on: ubuntu-latest
    # The fork flag is read from the github.event context (the pull_request
    # webhook payload); the whole job is skipped for pull requests whose
    # head repository is a fork.
    if: github.event.pull_request.head.repo.fork == false
    steps:
      # ...
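The snippet above only shows the guard itself. The following is an added example, not code from the original post, of a complete workflow that combines the job-level fork check with the comment step; it assumes the comment logic lives in a hypothetical file .github/scripts/pr-comment.js that is loaded through actions/github-script, and it declares the token permissions the job needs (for a fork, the token stays read-only regardless of this block):

```yaml
# Added example (not the original post's workflow).
# Assumption: .github/scripts/pr-comment.js is a hypothetical script that
# exports an async function taking { github, context } and creating the comment.
name: PR comment

on:
  pull_request:
    types: [opened, synchronize, reopened]

# Least privilege for the GITHUB_TOKEN handed to this workflow. For a pull
# request from a fork the token is read-only no matter what is requested here.
permissions:
  contents: read
  pull-requests: write

jobs:
  pr_comment:
    runs-on: ubuntu-latest
    # Job-level guard: github.event is the pull_request webhook payload, so
    # the job is skipped entirely when the head repository is a fork and the
    # read-only token would make the comment step fail anyway.
    if: github.event.pull_request.head.repo.fork == false
    steps:
      - uses: actions/checkout@v4
      - uses: actions/github-script@v7
        with:
          script: |
            // Load the comment script from the checked-out repository.
            const prComment = require('./.github/scripts/pr-comment.js')
            await prComment({ github, context })
```

The guard sits on the job rather than on the step so that no step of the job (including the checkout of the untrusted fork's code) runs for fork pull requests; a step-level `if:` would skip only the comment itself.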

Another alternative is to use GitHub Apps instead, which I will cover in my next blog post.