Skip to content

ci: publish fork-PR test reports via workflow_run#1173

Merged
jbogard merged 2 commits into
mainfrom
ci/test-reporter-fork-safe
Jun 12, 2026
Merged

ci: publish fork-PR test reports via workflow_run#1173
jbogard merged 2 commits into
mainfrom
ci/test-reporter-fork-safe

Conversation

@jbogard

@jbogard jbogard commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Fixes the fork-PR CI failure tracked in #1172, using the same workflow_run pattern just adopted in AutoMapper (LuckyPennySoftware/AutoMapper#4643). Fork PRs get real inline test reports instead of a swallowed failure.

Note: this branch now carries the full fix and supersedes the earlier continue-on-error stop-gap that was originally on it.

Problem

For pull_request runs from a fork, GitHub forcibly downgrades GITHUB_TOKEN to read-only. dorny/test-reporter calls the Checks API to publish results, which needs checks: write; with a read-only token it gets 403 Resource not accessible by integration and (default fail-on-error: true) fails the job even when all tests pass.

Fix — split building from reporting

ci.yml (runs on the PR, read-only token, no secrets):

  • Replaces the Report Test Results step with Upload Test Results — the .trx files are uploaded as a test-results-Windows artifact.
  • Drops checks: write from permissions; the build no longer touches the Checks API. Push to MyGet stays main-only.

test-report.yml (new, triggered by workflow_run when CI completes):

  • Runs in the base-repository context with checks: write, so it has a writable token even for fork PRs.
  • Downloads the test-results-* artifacts and publishes one inline check per platform (Test Results (Windows)).
  • fail-on-empty: false so a build that fails before producing .trx doesn't add a spurious red report.

Rollout note

workflow_run only fires for the copy of test-report.yml on the default branch, so reports for fork PRs start working once this lands on main.

Closes #1172

🤖 Generated with Claude Code

@jbogard @claude
ci: publish fork-PR test reports via workflow_run
b28cfac 
GitHub forces GITHUB_TOKEN to read-only for pull_request runs from forks,
so dorny/test-reporter's Checks API call (POST .../check-runs) returned
403 "Resource not accessible by integration" and failed every fork PR,
even when all tests passed.

Split reporting out of the build (the same pattern adopted in AutoMapper):

- ci.yml now runs with a read-only token and only uploads the .trx files
  as a test-results-Windows artifact. checks:write is dropped — the build
  no longer touches the Checks API. Push to MyGet stays main-only.
- test-report.yml is triggered by workflow_run when CI completes. It runs
  in the base-repository context with checks:write, downloads the
  test-results-* artifacts, and publishes one inline check per platform.
  This restores real test reports for fork PRs instead of failing them.

Supersedes the continue-on-error stop-gap. Closes #1172

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jbogard jbogard force-pushed the ci/test-reporter-fork-safe branch from 0378dc5 to b28cfac Compare June 12, 2026 21:18
Copilot AI review requested due to automatic review settings June 12, 2026 21:18
@jbogard jbogard changed the title ci: make test-report publishing fork-safe ci: publish fork-PR test reports via workflow_run Jun 12, 2026
Copilot AI reviewed Jun 12, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the CI pipeline to avoid failing fork-based PRs when publishing inline test reports, by splitting test execution (PR context) from check publication (base-repo context via workflow_run).

Changes:

  • Replace in-workflow test reporting in CI with artifact upload of .trx results.
  • Add a workflow_run-triggered workflow that downloads test artifacts and publishes test reports via the Checks API.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
.github/workflows/ci.yml Stops calling the Checks API during PR CI; uploads .trx files as test-results-* artifacts instead.
.github/workflows/test-report.yml New workflow that runs in base-repo context on CI completion and publishes inline test reports from uploaded artifacts.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/ci.yml
@jbogard @claude
ci: drop unused id-token:write from CI permissions
329ce79 
CI does not use OIDC (no azure/login or other token exchange); the only
secret is the main-only Push to MyGet. Remove id-token:write to follow
least privilege, per review feedback on #1173.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@jbogard jbogard merged commit 1fd25f5 into main Jun 12, 2026
5 checks passed
@jbogard jbogard deleted the ci/test-reporter-fork-safe branch June 12, 2026 21:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

CI: test reporter fails on pull requests from forks (Resource not accessible by integration)

2 participants

@jbogard