fix(ci): fix PR comment workflow not running for fork PRs#983
Conversation
- For fork PRs, GitHub deliberately empties the pull_requests array in workflow_run events for security reasons. The previous code would silently return early, leaving no comment on the PR. - Fix: fall back to searching open PRs by head_sha via the GitHub API when pull_requests is empty. - Also replace the generic run-page link with per-artifact direct download links (fetched via listWorkflowRunArtifacts), each requiring only a GitHub login on a public repo. A fallback to the run page is kept in case the artifact list is not yet available.
dosubot
Bot
added
size:XS
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
There was a problem hiding this comment.
Pull request overview
Fixes the PR comment workflow for fork-based pull requests by resolving the missing PR association in workflow_run payloads, and improves artifact download UX by linking directly to per-artifact pages when available.
Changes:
- Add fork-PR fallback PR discovery by searching for an open PR matching the workflow run’s
head_sha. - Fetch workflow run artifacts and include direct per-artifact links in the PR comment, with a run-page fallback when no artifacts are listed yet.
Comments suppressed due to low confidence (1)
.github/workflows/pr_build_debug_comment.yml:94
- This workflow posts a PR comment via
github.rest.issues.createComment, which is governed by theissues: writepermission onGITHUB_TOKEN. Since the workflow only grantspull-requests: write, the API call can be rejected with 403 depending on repo settings. Addissues: writeto the workflowpermissionsto ensure commenting works reliably.
await github.rest.issues.createComment({
issue_number: prNumber,
owner: context.repo.owner,
repo: context.repo.repo,
body: commentBody
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| const { data: artifactData } = await github.rest.actions.listWorkflowRunArtifacts({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| run_id: runId, | ||
| }); |
There was a problem hiding this comment.
github.rest.actions.listWorkflowRunArtifacts requires the workflow token to have actions: read permission. This workflow currently only grants contents: read and pull-requests: write, so the artifact lookup may fail and prevent posting any PR comment. Consider adding actions: read to permissions, and/or wrapping this call in a try/catch that falls back to the run page link when the API call is forbidden/unavailable.
| console.log('pull_requests array is empty (likely a fork PR), searching by head SHA:', headSha); | ||
| const { data: openPRs } = await github.rest.pulls.list({ | ||
| owner: context.repo.owner, | ||
| repo: context.repo.repo, | ||
| state: 'open', | ||
| per_page: 100, | ||
| }); | ||
| const matched = openPRs.find(pr => pr.head.sha === headSha); | ||
| if (!matched) { | ||
| console.log('No open pull request found for head SHA:', headSha); | ||
| return; | ||
| } | ||
| prNumber = matched.number; | ||
| console.log(`Found PR number by head SHA lookup: ${prNumber}`); |
There was a problem hiding this comment.
The fork-PR fallback lists only the first 100 open PRs and matches on pr.head.sha (current head). This can miss the correct PR if the repo has >100 open PRs, or if the PR head advanced while this workflow run was executing (the run’s head_sha may no longer equal pr.head.sha). Prefer repos.listPullRequestsAssociatedWithCommit for headSha, or paginate pulls.list and/or match by head.repo/full_name + head.ref when available.
| console.log('pull_requests array is empty (likely a fork PR), searching by head SHA:', headSha); | |
| const { data: openPRs } = await github.rest.pulls.list({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| state: 'open', | |
| per_page: 100, | |
| }); | |
| const matched = openPRs.find(pr => pr.head.sha === headSha); | |
| if (!matched) { | |
| console.log('No open pull request found for head SHA:', headSha); | |
| return; | |
| } | |
| prNumber = matched.number; | |
| console.log(`Found PR number by head SHA lookup: ${prNumber}`); | |
| console.log('pull_requests array is empty (likely a fork PR), searching for PRs associated with commit:', headSha); | |
| const { data: associatedPRs } = await github.rest.repos.listPullRequestsAssociatedWithCommit({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| commit_sha: headSha, | |
| }); | |
| const matched = associatedPRs.find(pr => pr.state === 'open'); | |
| if (!matched) { | |
| console.log('No open pull request found associated with commit:', headSha); | |
| return; | |
| } | |
| prNumber = matched.number; | |
| console.log(`Found PR number by associated commit lookup: ${prNumber}`); |
✅ E2E Test Results: PASSEDTest Run: #24403519529 Tests Executed:
✅ All e2e tests passed successfully! The TLS capture functionality is working correctly. Automated e2e test results for commit 6826da6 |
- Add missing 'actions: read' permission required by listWorkflowRunArtifacts (fixes potential 403 Forbidden error) - Replace pulls.list (capped at 100, SHA race condition) with repos.listPullRequestsAssociatedWithCommit which is exact and pagination-free for the fork-PR head SHA lookup - Wrap listWorkflowRunArtifacts call in try/catch to fall back to the run-page link on any error (403 or empty artifact list)
✅ E2E Test Results: PASSEDTest Run: #24404429866 Tests Executed:
✅ All e2e tests passed successfully! The TLS capture functionality is working correctly. Automated e2e test results for commit 7bf2bd0 |
actions/setup-go@v5 enables Go module caching by default and uses go.sum as the cache key. When setup-go ran before checkout, go.sum did not yet exist, causing: Warning: Restore cache failed: Dependencies file is not found. Supported file pattern: go.sum Fix: reorder steps so checkout (with submodules) is always first, giving setup-go an existing go.sum to hash for cache restore/save.
actions/setup-go@v5 caches Go modules using go.sum as the cache key. When setup-go ran before checkout, go.sum did not yet exist, causing: Warning: Restore cache failed: Dependencies file is not found. Fix all affected workflows with the correct order: checkout → setup-go → Install Compilers → build Changes per file: - codeql-analysis.yml: fix order + upgrade setup-go v3 → v5 - e2e.yml: move checkout to first step (was 50 lines after setup-go) - go-c-cpp.yml: fix both build-on-ubuntu2204 and build-on-ubuntu2204-arm64 jobs - release.yml: fix order + remove redundant manual actions/cache step (setup-go@v5 already handles go module caching via go.sum)
|
🔧 Debug Build Complete (PR #983) 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. This build includes debug binaries for: android/linux (arm64/amd64) |
✅ E2E Test Results: PASSEDTest Run: #24406158507 Tests Executed:
✅ All e2e tests passed successfully! The TLS capture functionality is working correctly. Automated e2e test results for commit 1047271 |
|
🔧 Debug Build Complete (PR #983) 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. This build includes debug binaries for: android/linux (arm64/amd64) |
The previous URL format /actions/runs/{runId}/artifacts/{artifactId}
is not a valid GitHub web download path and does not trigger a file
download for browser users.
The correct format that GitHub web UI uses for artifact downloads is:
https://github.com/\{owner\}/\{repo\}/suites/\{check_suite_id\}/artifacts/\{artifact_id\}
check_suite_id is already present in context.payload.workflow_run
so no extra API call is needed.
|
🔧 Debug Build Complete (PR #983) 📦 Download Links: ⏰ Files will be retained for 7 days, please download and test promptly. This build includes debug binaries for: android/linux (arm64/amd64) |
✅ E2E Test Results: PASSEDTest Run: #24436310526 Tests Executed:
✅ All e2e tests passed successfully! The TLS capture functionality is working correctly. Automated e2e test results for commit ec1ec5e |
Uh oh!
There was an error while loading. Please reload this page.