Summary
The CI workflow (.github/workflows/ci.yml) fails on pull requests opened from forks, even when every test passes. Two separate steps fail because forked-PR runs don't get a writable token or repository secrets.
This surfaced repeatedly on #4634 (a fork PR). Stop-gap fixes were applied on that branch, but the underlying workflow design should be hardened so all fork PRs stay green.
Symptom 1 — dorny/test-reporter (Linux + Windows Report Test Results steps)
Error: HttpError: Resource not accessible by integration
Cause: dorny/test-reporter calls the Checks API (POST /repos/.../check-runs) to publish results, which requires checks: write. The workflow declares permissions: checks: write, but GitHub forcibly downgrades GITHUB_TOKEN to read-only for pull_request runs triggered from a fork (untrusted code must not get write access to the base repo). The API returns 403 "Resource not accessible by integration" ("integration" = the GitHub Actions app), and the action's default fail-on-error: true fails the job.
Symptom 2 — Azure Login via OIDC (build-windows job)
The azure/login@v2 step authenticates with secrets.AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_SUBSCRIPTION_ID. Secrets are not exposed to fork PRs, so the values are empty and login fails. Azure login exists only to code-sign packages and push to MyGet — a main-only publish path — so it should never run on PRs.
Stop-gap already applied on the #4634 branch
- continue-on-error: true on both Report Test Results steps (publishing becomes best-effort; the Build and Test step remains the source of truth for pass/fail).
- Gated Azure Login via OIDC and Sign packages to if: github.ref == 'refs/heads/main', matching the existing Push to MyGet guard.
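As an added illustration (not the repository's actual ci.yml), the stop-gap written out as a workflow fragment. Step names (Build and Test, Report Test Results, Azure Login via OIDC, Sign packages, Push to MyGet) come from the issue; the runner, paths, reporter inputs and script names are assumptions:

```yaml
# Added example, not the project's own ci.yml. Step names are from the
# issue; paths, inputs and script names are assumed.
name: CI
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  checks: write    # honoured on push and same-repo PRs; forced to read on fork PRs
  id-token: write  # needed for OIDC login; also ineffective on fork PRs

jobs:
  build-windows:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4

      # Source of truth for pass/fail: if this step fails, the job fails.
      - name: Build and Test
        run: dotnet test --logger "trx;LogFileName=results.trx" --results-directory TestResults

      # Best-effort publishing. On a fork PR the token is read-only, the
      # Checks API answers 403 "Resource not accessible by integration", and
      # without continue-on-error that 403 alone would turn the job red.
      # Note the trade-off: continue-on-error also hides any other failure
      # of this step, so keep it scoped to the reporter only.
      - name: Report Test Results
        if: always()
        uses: dorny/test-reporter@v1
        continue-on-error: true
        with:
          name: Windows tests
          path: TestResults/*.trx
          reporter: dotnet-trx

      # Publish path only. Secrets and OIDC are absent on PRs, so gate these
      # on main exactly like the existing Push to MyGet guard.
      - name: Azure Login via OIDC
        if: github.ref == 'refs/heads/main'
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Sign packages
        if: github.ref == 'refs/heads/main'
        run: ./build/sign-packages.ps1   # assumed script name

      - name: Push to MyGet
        if: github.ref == 'refs/heads/main'
        run: ./build/push-myget.ps1      # assumed script name; existing guard, unchanged
```

The if: guard on the three publish steps is evaluated against the ref of the run, so a fork PR (ref refs/pull/N/merge) skips them entirely rather than failing on empty secrets; the empty-secret failure in Symptom 2 is itself the safe outcome, since it means the fork never saw credentials.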
To do
- Apply the stop-gap to main so every open/future PR benefits without waiting on Support LicenseKey via environment variable fallback #4634 to merge.
- Adopt the workflow_run pattern for test reporting. The build workflow (triggered by pull_request, read-only token) uploads the .trx files as an artifact; a separate workflow triggered by workflow_run runs in the base-repo context with checks: write and publishes the report. This restores real inline test reports for fork PRs instead of silently skipping them.
- Check whether anything else in ci.yml assumes secrets or a writable token on PRs.
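The workflow_run approach proposed in this issue, as an added example rather than code from the repository: the pull_request-triggered workflow only uploads the .trx files, and a second workflow, triggered by its completion, publishes them with a token that does have checks: write. Workflow names, artifact name, runner and paths are assumptions; the dorny/test-reporter artifact: input and the actions/upload-artifact action are real:

```yaml
# Added example of the workflow_run pattern, not the project's own files.
# Workflow names, artifact name, runner and paths are assumed.

# --- .github/workflows/ci.yml (test job, trimmed) ---
name: CI
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read        # this workflow no longer needs a writable token at all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and Test
        run: dotnet test --logger trx --results-directory TestResults
      - name: Upload test results
        if: always()      # upload on failure too, so failures get reported
        uses: actions/upload-artifact@v4
        with:
          name: test-results
          path: TestResults/*.trx

# --- .github/workflows/test-report.yml ---
name: Test Report
on:
  workflow_run:
    workflows: [CI]     # must match the name: of the workflow above
    types: [completed]
permissions:
  contents: read
  actions: read         # needed to download the artifact from the triggering run
  checks: write         # granted: this run executes in the base repository context
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      # Only the artifact is consumed here; the PR's code is never checked out
      # or executed in this privileged context.
      - name: Report Test Results
        uses: dorny/test-reporter@v1
        with:
          artifact: test-results   # fetched from the triggering workflow_run
          name: .NET tests
          path: '*.trx'
          reporter: dotnet-trx
```

Two properties make this safe as well as green: the workflow_run workflow always runs the version of test-report.yml on the default branch, so a PR cannot edit it, and it should consume nothing from the PR except the uploaded .trx artifact. Keep actions/checkout of the PR head, build steps and secrets out of this privileged workflow; its only job is to turn data into a check-run.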
Notes
The same dorny/test-reporter problem exists in the MediatR repo — tracked separately there.