Comfy-Org/ComfyUI_frontend
1
0
Fork 0
mirror of https://github.com/Comfy-Org/ComfyUI_frontend.git synced 2026-03-08 06:30:04 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
493b1e42aa2c115bdf0f2d5978f0db6ea61f161a
ComfyUI_frontend/.github/AGENTS.md
Christian Byrne 6689a1b14e fix: split perf report workflow for fork PR support (#9382) 
## Summary

Perf report workflow fails on fork PRs because `GITHUB_TOKEN` is
read-only for forks, causing "Resource not accessible by integration" on
the PR comment step.

## Changes

- **What**: Split `ci-perf-report.yaml` into a data-collection workflow
+ a `workflow_run`-triggered reporter (`pr-perf-report.yaml`), matching
the existing `ci-size-data`/`pr-size-report` pattern. Added fork PR
permissions guidance to `.github/AGENTS.md`.
- **ci-perf-report.yaml**: Removed the `report` job and `pull-requests:
write` permission. Added PR metadata (number + base branch) artifact
upload.
- **pr-perf-report.yaml** (new): Triggered by `workflow_run` on the perf
workflow. Downloads metrics + metadata artifacts, generates report,
posts PR comment with write permissions from the default-branch context.

## Review Focus

- The two-workflow split follows the same pattern as `ci-size-data.yaml`
→ `pr-size-report.yaml`, which already works for fork PRs.
- The `workflow_run` trigger runs in the base repo context per [GitHub
Security Lab
guidance](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/),
so it safely has write permissions even for fork PRs.
- AGENTS.md guidance documents this pattern to prevent recurrence.

Fixes the failure seen in
https://github.com/Comfy-Org/ComfyUI_frontend/actions/runs/22684230751/job/65763595989?pr=9380

┆Issue is synchronized with this [Notion
page](https://www.notion.so/PR-9382-fix-split-perf-report-workflow-for-fork-PR-support-3196d73d365081b29b35ed354e7789e2)
by [Unito](https://www.unito.io)
2026-03-04 22:09:31 -08:00

1021 B
Raw Blame History

PR Review Context

Context for automated PR review system.

Review Scope

This automated review performs comprehensive analysis:

  • Architecture and design patterns
  • Security vulnerabilities
  • Performance implications
  • Code quality and maintainability
  • Integration concerns

For implementation details, see .claude/commands/comprehensive-pr-review.md.

GitHub Actions: Fork PR Permissions

Fork PRs get a read-only GITHUB_TOKEN — no PR comments, no secret access, no pushing.

Any workflow that needs write access must use the two-workflow split: a pull_request-triggered ci-*.yaml uploads artifacts (including PR metadata), then a workflow_run-triggered pr-*.yaml downloads them and posts comments with write permissions. See ci-size-datapr-size-report or ci-perf-reportpr-perf-report. Use .github/actions/post-pr-report-comment for the comment step.

Never write PR comments directly from pull_request workflows or use pull_request_target to run untrusted code.

Reference in New Issue View Git Blame Copy Permalink