mirror of
https://github.com/Comfy-Org/ComfyUI_frontend.git
synced 2026-03-08 06:30:04 +00:00
6689a1b14e
## Summary Perf report workflow fails on fork PRs because `GITHUB_TOKEN` is read-only for forks, causing "Resource not accessible by integration" on the PR comment step. ## Changes - **What**: Split `ci-perf-report.yaml` into a data-collection workflow + a `workflow_run`-triggered reporter (`pr-perf-report.yaml`), matching the existing `ci-size-data`/`pr-size-report` pattern. Added fork PR permissions guidance to `.github/AGENTS.md`. - **ci-perf-report.yaml**: Removed the `report` job and `pull-requests: write` permission. Added PR metadata (number + base branch) artifact upload. - **pr-perf-report.yaml** (new): Triggered by `workflow_run` on the perf workflow. Downloads metrics + metadata artifacts, generates report, posts PR comment with write permissions from the default-branch context. ## Review Focus - The two-workflow split follows the same pattern as `ci-size-data.yaml` → `pr-size-report.yaml`, which already works for fork PRs. - The `workflow_run` trigger runs in the base repo context per [GitHub Security Lab guidance](https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/), so it safely has write permissions even for fork PRs. - AGENTS.md guidance documents this pattern to prevent recurrence. Fixes the failure seen in https://github.com/Comfy-Org/ComfyUI_frontend/actions/runs/22684230751/job/65763595989?pr=9380 ┆Issue is synchronized with this [Notion page](https://www.notion.so/PR-9382-fix-split-perf-report-workflow-for-fork-PR-support-3196d73d365081b29b35ed354e7789e2) by [Unito](https://www.unito.io)
24 lines
1021 B
Markdown
24 lines
1021 B
Markdown
# PR Review Context
|
|
|
|
Context for automated PR review system.
|
|
|
|
## Review Scope
|
|
|
|
This automated review performs comprehensive analysis:
|
|
|
|
- Architecture and design patterns
|
|
- Security vulnerabilities
|
|
- Performance implications
|
|
- Code quality and maintainability
|
|
- Integration concerns
|
|
|
|
For implementation details, see `.claude/commands/comprehensive-pr-review.md`.
|
|
|
|
## GitHub Actions: Fork PR Permissions
|
|
|
|
Fork PRs get a **read-only `GITHUB_TOKEN`** — no PR comments, no secret access, no pushing.
|
|
|
|
Any workflow that needs write access must use the **two-workflow split**: a `pull_request`-triggered `ci-*.yaml` uploads artifacts (including PR metadata), then a `workflow_run`-triggered `pr-*.yaml` downloads them and posts comments with write permissions. See `ci-size-data` → `pr-size-report` or `ci-perf-report` → `pr-perf-report`. Use `.github/actions/post-pr-report-comment` for the comment step.
|
|
|
|
Never write PR comments directly from `pull_request` workflows or use `pull_request_target` to run untrusted code.
|