labeler
Labels not applied on PRs FROM forks
This is a bit related to #12 and #36, except that it's the other way around.
I have a repo (https://github.com/gregsdennis/json-everything), and the labeler always fails on PRs submitted by others (example).
I expect that since the PR is in the primary repo, not the fork, it should be getting my token (which works on all of my PRs) and running the action with that.
Can replicate this issue, all PRs coming into my repository from forks fail every time with HttpError: Resource not accessible by integration
Here's a solution: For these cases, pull_request_target should be used instead of pull_request.
Hello @gregsdennis !
As I see, you are using the pull_request event in your workflow with the GITHUB_TOKEN secret. For workflows that are triggered by the pull_request event, the GITHUB_TOKEN has read-only permissions in pull requests from forked repositories. This is the reason why the error occurs.
The pull_request_target event was introduced to enable workflows to label PRs. For workflows that are triggered by this event, the GITHUB_TOKEN is granted read/write repository permission even when they are triggered from a fork. To avoid the error, please update your workflow to use the pull_request_target event (see an example in the README file).
Also, please read the GitHub documentation to be aware of the difference between these events, as well as the pros and cons of each:
- Keeping your GitHub Actions and workflows secure Part 1
- The pull_request event
- The pull_request_target event
I am closing the issue. Please contact us if you have any questions. Thanks!
Sorry. I'm finally getting around to updating this as I finally have an external PR.
The change to pull_request_target isn't working for me. I even added the explicit permissions as you have in the README.
Never mind. That example was a rebasing issue. All is well. Thanks for the pointers.
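
The trigger change discussed in this thread, shown as an added example that is not part of the original issue or the project's README: the failing workflow next to the corrected one. The workflow file path, job name and the `@v5` version tag are assumptions.

```yaml
# --- BEFORE (assumed path: .github/workflows/labeler.yml) ---
# On a PR opened from a fork, the pull_request event gives the job a
# read-only GITHUB_TOKEN, so the label write fails with:
#   HttpError: Resource not accessible by integration
name: Pull Request Labeler
on:
  - pull_request
jobs:
  triage:                      # job name is an assumption
    runs-on: ubuntu-latest
    steps:
      - uses: actions/labeler@v5   # version tag is an assumption
---
# --- AFTER ---
# pull_request_target runs the workflow definition from the base
# repository and grants a read/write GITHUB_TOKEN even for fork PRs.
name: Pull Request Labeler
on:
  - pull_request_target
# Scope the token explicitly to what labeling needs, instead of relying
# on the repository-wide default permissions.
permissions:
  contents: read         # read the labeler configuration
  pull-requests: write   # apply labels to the PR
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout of the PR head and no build or
      # test step here: this job holds a write-capable token, so it must
      # not execute code supplied by the fork.
      - uses: actions/labeler@v5
```

Keep build and test jobs that need the contributor's code on the pull_request event, where the token stays read-only, and limit the pull_request_target workflow to labeling.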