CI: test reporter and Azure login fail on pull requests from forks #4642

@jbogard

Summary

The CI workflow (.github/workflows/ci.yml) fails on pull requests opened from forks, even when every test passes. Two separate steps fail because forked-PR runs don't get a writable token or repository secrets.

This surfaced repeatedly on #4634 (a fork PR). Stop-gap fixes were applied on that branch, but the underlying workflow design should be hardened so all fork PRs stay green.

Symptom 1 — dorny/test-reporter (Linux + Windows Report Test Results steps)

Error: HttpError: Resource not accessible by integration

Cause: dorny/test-reporter calls the Checks API (POST /repos/.../check-runs) to publish results, which requires checks: write. The workflow declares permissions: checks: write, but GitHub forcibly downgrades GITHUB_TOKEN to read-only for pull_request runs triggered from a fork (untrusted code must not get write access to the base repo). The API returns 403 "Resource not accessible by integration" ("integration" = the GitHub Actions app), and the action's default fail-on-error: true fails the job.

Symptom 2 — Azure Login via OIDC (build-windows job)

The azure/login@v2 step authenticates with secrets.AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_SUBSCRIPTION_ID. Secrets are not exposed to fork PRs, so the values are empty and login fails. Azure login exists only to code-sign packages and push to MyGet — a main-only publish path — so it should never run on PRs.

Stop-gap already applied on the #4634 branch

  • continue-on-error: true on both Report Test Results steps (publishing becomes best-effort; the Build and Test step remains the source of truth for pass/fail).
  • Gated Azure Login via OIDC and Sign packages to if: github.ref == 'refs/heads/main', matching the existing Push to MyGet guard.

To do

  • Port both fixes to main so every open/future PR benefits without waiting on Support LicenseKey via environment variable fallback #4634 to merge.
  • (Optional, fuller fix) Adopt the workflow_run pattern for test reporting. The build workflow (triggered by pull_request, read-only token) uploads the .trx files as an artifact; a separate workflow triggered by workflow_run runs in the base-repo context with checks: write and publishes the report. This restores real inline test reports for fork PRs instead of silently skipping them.
  • Confirm no other step in ci.yml assumes secrets or a writable token on PRs.

Notes

The same dorny/test-reporter problem exists in the MediatR repo — tracked separately there.
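The workflow_run split proposed in the to-do list, sketched as an added example (this is not the issue's or the project's ci.yml; the workflow names, artifact name, job names and file paths are assumed, and the ci.yml fragment stands in for the real build steps). The first document is the PR-triggered build, which only uploads results; the second runs in the base-repo context and publishes the check:

```yaml
# ci.yml (fragment, assumed): triggered by pull_request, so fork PRs get a
# read-only GITHUB_TOKEN. It builds, tests and uploads .trx files only.
name: CI
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write   # required by azure/login OIDC; downgraded to read on fork PRs anyway
jobs:
  build-windows:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and Test
        run: dotnet test --logger "trx;LogFileName=results.trx" --results-directory TestResults
      - name: Upload test results
        if: always()                     # upload even when tests fail so the report shows failures
        uses: actions/upload-artifact@v4
        with:
          name: test-results             # assumed artifact name, matched below
          path: TestResults/*.trx
      # Signing/publishing needs secrets, which fork PRs never receive: gate on main.
      - name: Azure Login via OIDC
        if: github.ref == 'refs/heads/main'
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
---
# test-report.yml (assumed): runs on workflow_run after CI completes. This runs in
# the base repository's context, so checks: write is honoured even for fork PRs.
name: Test Report
on:
  workflow_run:
    workflows: [CI]
    types: [completed]
permissions:
  contents: read
  actions: read     # needed to download the artifact from the triggering run
  checks: write     # needed to POST check-runs
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: dorny/test-reporter@v1
        with:
          artifact: test-results         # pulls the artifact from the triggering CI run
          name: .NET Tests
          path: '*.trx'
          reporter: dotnet-trx
```

Because the report job no longer runs on untrusted PR code, the read-only-token 403 disappears and fail-on-error can stay at its default.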
