diff --git a/.github/workflows/test-claude-add-issue-comment.lock.yml b/.github/workflows/test-claude-add-issue-comment.lock.yml index f36012ec78..a79169bc81 100644 --- a/.github/workflows/test-claude-add-issue-comment.lock.yml +++ b/.github/workflows/test-claude-add-issue-comment.lock.yml @@ -18,7 +18,7 @@ run-name: "Test Claude Add Issue Comment" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-add-issue-labels.lock.yml b/.github/workflows/test-claude-add-issue-labels.lock.yml index c2d7f089a9..fcff070c68 100644 --- a/.github/workflows/test-claude-add-issue-labels.lock.yml +++ b/.github/workflows/test-claude-add-issue-labels.lock.yml @@ -18,7 +18,7 @@ run-name: "Test Claude Add Issue Labels" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-command.lock.yml b/.github/workflows/test-claude-command.lock.yml index 74cf82a444..3de9a7f193 100644 
--- a/.github/workflows/test-claude-command.lock.yml +++ b/.github/workflows/test-claude-command.lock.yml @@ -279,7 +279,7 @@ jobs: add_reaction: needs: task - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-create-pull-request-review-comment.lock.yml b/.github/workflows/test-claude-create-pull-request-review-comment.lock.yml index d672a8a8d3..c5dbbf0dc2 100644 --- a/.github/workflows/test-claude-create-pull-request-review-comment.lock.yml +++ b/.github/workflows/test-claude-create-pull-request-review-comment.lock.yml @@ -28,7 +28,7 @@ jobs: add_reaction: needs: task - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-mcp.lock.yml b/.github/workflows/test-claude-mcp.lock.yml index 893359de69..f61259f85d 100644 --- a/.github/workflows/test-claude-mcp.lock.yml +++ b/.github/workflows/test-claude-mcp.lock.yml 
@@ -15,7 +15,7 @@ run-name: "Test Claude Mcp" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-update-issue.lock.yml b/.github/workflows/test-claude-update-issue.lock.yml index 13ae26ed5d..11b273519a 100644 --- a/.github/workflows/test-claude-update-issue.lock.yml +++ b/.github/workflows/test-claude-update-issue.lock.yml @@ -18,7 +18,7 @@ run-name: "Test Claude Update Issue" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-add-issue-comment.lock.yml b/.github/workflows/test-codex-add-issue-comment.lock.yml index 9f7371bb16..6120e39251 100644 --- a/.github/workflows/test-codex-add-issue-comment.lock.yml +++ b/.github/workflows/test-codex-add-issue-comment.lock.yml 
@@ -18,7 +18,7 @@ run-name: "Test Codex Add Issue Comment" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-add-issue-labels.lock.yml b/.github/workflows/test-codex-add-issue-labels.lock.yml index b010691964..ef429ef26a 100644 --- a/.github/workflows/test-codex-add-issue-labels.lock.yml +++ b/.github/workflows/test-codex-add-issue-labels.lock.yml @@ -18,7 +18,7 @@ run-name: "Test Codex Add Issue Labels" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-command.lock.yml b/.github/workflows/test-codex-command.lock.yml index ff390dda8f..9ea2778a4d 100644 --- a/.github/workflows/test-codex-command.lock.yml +++ b/.github/workflows/test-codex-command.lock.yml 
@@ -279,7 +279,7 @@ jobs: add_reaction: needs: task - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-create-pull-request-review-comment.lock.yml b/.github/workflows/test-codex-create-pull-request-review-comment.lock.yml index 4d3b735fec..17a9b44c33 100644 --- a/.github/workflows/test-codex-create-pull-request-review-comment.lock.yml +++ b/.github/workflows/test-codex-create-pull-request-review-comment.lock.yml @@ -28,7 +28,7 @@ jobs: add_reaction: needs: task - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-mcp.lock.yml b/.github/workflows/test-codex-mcp.lock.yml index e02a80426b..ddecaeb909 100644 --- a/.github/workflows/test-codex-mcp.lock.yml +++ b/.github/workflows/test-codex-mcp.lock.yml 
@@ -15,7 +15,7 @@ run-name: "Test Codex Mcp" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-update-issue.lock.yml b/.github/workflows/test-codex-update-issue.lock.yml index 9eef67a991..047ea9c714 100644 --- a/.github/workflows/test-codex-update-issue.lock.yml +++ b/.github/workflows/test-codex-update-issue.lock.yml @@ -18,7 +18,7 @@ run-name: "Test Codex Update Issue" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/pkg/workflow/expressions.go b/pkg/workflow/expressions.go index 0572e03ed9..8f06e4e7a6 100644 --- a/pkg/workflow/expressions.go +++ b/pkg/workflow/expressions.go 
@@ -208,11 +208,18 @@ func buildReactionCondition() ConditionNode {
 var terms []ConditionNode
 terms = append(terms, BuildEventTypeEquals("issues"))
- terms = append(terms, BuildEventTypeEquals("pull_request"))
 terms = append(terms, BuildEventTypeEquals("issue_comment"))
 terms = append(terms, BuildEventTypeEquals("pull_request_comment"))
 terms = append(terms, BuildEventTypeEquals("pull_request_review_comment"))
+ // For pull_request events, we need to ensure it's not from a forked repository
+ // since forked repositories have read-only permissions and cannot add reactions
+ pullRequestCondition := &AndNode{
+ Left: BuildEventTypeEquals("pull_request"),
+ Right: BuildNotFromFork(),
+ }
+ terms = append(terms, pullRequestCondition) + // Use DisjunctionNode to avoid deep nesting
 return &DisjunctionNode{Terms: terms}
 }
@@ -285,6 +292,15 @@ func BuildActionEquals(action string) *ComparisonNode {
 )
 }
+// BuildNotFromFork creates a condition to check that a pull request is not from a forked repository
+// This prevents the job from running on forked PRs where write permissions are not available
+func BuildNotFromFork() *ComparisonNode {
+ return BuildEquals(
+ BuildPropertyAccess("github.event.pull_request.head.repo.full_name"),
+ BuildPropertyAccess("github.repository"),
+ )
+}
+
 // BuildEventTypeEquals creates a condition to check if the event type equals a specific value
 func BuildEventTypeEquals(eventType string) *ComparisonNode {
 return BuildEquals(
diff --git a/pkg/workflow/expressions_test.go b/pkg/workflow/expressions_test.go
index 5b83f889d8..726e9d52a2 100644
--- a/pkg/workflow/expressions_test.go
+++ b/pkg/workflow/expressions_test.go
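Review bot: In `buildReactionCondition` (pkg/workflow/expressions.go) the `pull_request_review_comment` term stays unguarded, although, as far as I know, GitHub also hands out a read-only `GITHUB_TOKEN` for review-comment events on pull requests from forks, so `add_reaction` would still start there and fail on the write. That payload carries `pull_request.head.repo` as well, so the same guard should fit: `terms = append(terms, &AndNode{Left: BuildEventTypeEquals("pull_request_review_comment"), Right: BuildNotFromFork()})`, with the lock files regenerated afterwards. The comment above the new term would also be more accurate if it said the check only skips a job that cannot succeed; it is not what keeps fork-controlled code away from secrets. The function's opening lines sit above the hunk.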
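Review bot: The doc comment on `BuildNotFromFork` does not say that the expression is only meaningful on pull-request payloads: on an `issues` or `issue_comment` event `github.event.pull_request` is empty, so the comparison evaluates to false and a caller that uses it without an event-type check would skip the job silently. I would add a line such as `// Callers must AND this with a pull-request event check; on other events, or when the head repository has been deleted, it evaluates to false.` and end each comment sentence with a period, as Go doc style expects. It is also worth stating there that this is a same-repository comparison by name, not an authorisation check on the PR author.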
@@ -146,10 +146,12 @@ func TestBuildReactionCondition(t *testing.T) {
 // The result should be a flat OR chain without deep nesting
 expectedSubstrings := []string{
 "github.event_name == 'issues'",
- "github.event_name == 'pull_request'",
 "github.event_name == 'issue_comment'",
 "github.event_name == 'pull_request_comment'",
 "github.event_name == 'pull_request_review_comment'",
+ "github.event_name == 'pull_request'",
+ "github.event.pull_request.head.repo.full_name == github.repository",
+ "&&",
 "||",
 }
@@ -159,10 +161,10 @@ func TestBuildReactionCondition(t *testing.T) {
 }
 }
- // With DisjunctionNode, the output should be flat without extra parentheses at the start/end
- expectedOutput := "github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment'"
- if rendered != expectedOutput {
- t.Errorf("Expected exact output '%s', but got: %s", expectedOutput, rendered)
+ // With the fork check, the pull_request condition should be more complex
+ // It should contain both the event name check and the not-from-fork check
+ if !strings.Contains(rendered, "(github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository)") {
+ t.Errorf("Expected pull_request condition to include fork check, but got: %s", rendered)
 }
 }
@@ -949,3 +951,13 @@ func TestHelperFunctionsForMultiline(t *testing.T) {
 }
 })
 }
+
+func TestBuildNotFromFork(t *testing.T) {
+ result := BuildNotFromFork()
+ rendered := result.Render()
+
+ expected := "github.event.pull_request.head.repo.full_name == github.repository"
+ if rendered != expected {
+ t.Errorf("Expected '%s', got '%s'", expected, rendered)
+ }
+}
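Review bot: Replacing the exact-match assertion in `TestBuildReactionCondition` with `strings.Contains` means the test no longer fails if an unguarded `github.event_name == 'pull_request'` term is reintroduced next to the guarded one, because every expected substring would still be present in the rendered string. Keeping the equality check with the new value pins both the term list and the `||`/`&&` grouping: `expectedOutput := "github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository)"`, which is the string the regenerated lock files in this commit show. The `if rendered != expectedOutput` comparison and its `t.Errorf` can then stay as they were. The test body starts above the hunk.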