From 56abca5d371149507b2d75b594f3fcbe0825cc98 Mon Sep 17 00:00:00 2001 From: Peli de Halleux Date: Thu, 4 Sep 2025 13:04:03 +0000 Subject: [PATCH 1/2] Remove GITHUB_TOKEN usage from format-and-commit workflow --- .github/workflows/format-and-commit.yml | 18 ++++++------------ 1 file changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/format-and-commit.yml b/.github/workflows/format-and-commit.yml index eebed76258..7256824d8b 100644 --- a/.github/workflows/format-and-commit.yml +++ b/.github/workflows/format-and-commit.yml @@ -10,41 +10,35 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v5 - with: - # Use a token that can push to the repository - token: ${{ secrets.GITHUB_TOKEN }} - - name: Set up Go uses: actions/setup-go@v5 with: go-version-file: go.mod cache: true - - name: Set up Node.js uses: actions/setup-node@v4 with: cache: npm - - name: Configure Git run: | git config --global user.name "github-actions[bot]" git config --global user.email "github-actions[bot]@users.noreply.github.com" - + - name: Install minimal dependencies + run: | + go mod download + go mod tidy - name: Install dependencies run: make deps-dev - - name: Format code run: make fmt - - name: Lint code run: make lint - - name: Build code run: make build - + - name: Rebuild workflows + run: make recompile - name: Run agent-finish run: make agent-finish - - name: Check for changes id: check-changes run: | From f21af73d7b14fae4a8daae10003989f50262e917 Mon Sep 17 00:00:00 2001 
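Review bot: Dropping the `with: token:` block from the Checkout step does not change which credential is used, because actions/checkout defaults `token` to `${{ github.token }}` and `persist-credentials` to true, so the job token is still written into the local git config. If the intent is that this job holds no push credential, the step needs `persist-credentials: false` under `with:`. If a later step still pushes (the steps continue past this hunk), declare the job's `permissions:` explicitly instead. Separately, the added `go mod tidy` can rewrite go.mod and go.sum, and in a format-and-commit job those edits could land in the automated commit without review; `go mod download` followed by `go mod verify` fetches and checks modules without modifying them.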
From: Copilot <198982749+Copilot@users.noreply.github.com> Date: Thu, 4 Sep 2025 06:46:24 -0700 Subject: [PATCH 2/2] Fix add_reaction job to exclude forked repository pull requests (#52) * Initial plan * Fix add_reaction job to not run on forked repository PRs Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com> Co-authored-by: Peli de Halleux --- .../test-claude-add-issue-comment.lock.yml | 2 +- .../test-claude-add-issue-labels.lock.yml | 2 +- .../workflows/test-claude-command.lock.yml | 2 +- ...reate-pull-request-review-comment.lock.yml | 2 +- .github/workflows/test-claude-mcp.lock.yml | 2 +- .../test-claude-update-issue.lock.yml | 2 +- .../test-codex-add-issue-comment.lock.yml | 2 +- .../test-codex-add-issue-labels.lock.yml | 2 +- .github/workflows/test-codex-command.lock.yml | 2 +- ...reate-pull-request-review-comment.lock.yml | 2 +- .github/workflows/test-codex-mcp.lock.yml | 2 +- .../test-codex-update-issue.lock.yml | 2 +- pkg/workflow/expressions.go | 18 ++++++++++++++- pkg/workflow/expressions_test.go | 22 ++++++++++++++----- 14 files changed, 46 insertions(+), 18 deletions(-) diff --git a/.github/workflows/test-claude-add-issue-comment.lock.yml b/.github/workflows/test-claude-add-issue-comment.lock.yml index f36012ec78..a79169bc81 100644 --- a/.github/workflows/test-claude-add-issue-comment.lock.yml +++ b/.github/workflows/test-claude-add-issue-comment.lock.yml 
@@ -18,7 +18,7 @@ run-name: "Test Claude Add Issue Comment" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-add-issue-labels.lock.yml b/.github/workflows/test-claude-add-issue-labels.lock.yml index c2d7f089a9..fcff070c68 100644 --- a/.github/workflows/test-claude-add-issue-labels.lock.yml +++ b/.github/workflows/test-claude-add-issue-labels.lock.yml @@ -18,7 +18,7 @@ run-name: "Test Claude Add Issue Labels" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-command.lock.yml b/.github/workflows/test-claude-command.lock.yml index 74cf82a444..3de9a7f193 100644 --- a/.github/workflows/test-claude-command.lock.yml +++ b/.github/workflows/test-claude-command.lock.yml 
@@ -279,7 +279,7 @@ jobs: add_reaction: needs: task - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-create-pull-request-review-comment.lock.yml b/.github/workflows/test-claude-create-pull-request-review-comment.lock.yml index d672a8a8d3..c5dbbf0dc2 100644 --- a/.github/workflows/test-claude-create-pull-request-review-comment.lock.yml +++ b/.github/workflows/test-claude-create-pull-request-review-comment.lock.yml @@ -28,7 +28,7 @@ jobs: add_reaction: needs: task - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-mcp.lock.yml b/.github/workflows/test-claude-mcp.lock.yml index 893359de69..f61259f85d 100644 --- a/.github/workflows/test-claude-mcp.lock.yml +++ b/.github/workflows/test-claude-mcp.lock.yml 
@@ -15,7 +15,7 @@ run-name: "Test Claude Mcp" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-claude-update-issue.lock.yml b/.github/workflows/test-claude-update-issue.lock.yml index 13ae26ed5d..11b273519a 100644 --- a/.github/workflows/test-claude-update-issue.lock.yml +++ b/.github/workflows/test-claude-update-issue.lock.yml @@ -18,7 +18,7 @@ run-name: "Test Claude Update Issue" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-add-issue-comment.lock.yml b/.github/workflows/test-codex-add-issue-comment.lock.yml index 9f7371bb16..6120e39251 100644 --- a/.github/workflows/test-codex-add-issue-comment.lock.yml +++ b/.github/workflows/test-codex-add-issue-comment.lock.yml 
@@ -18,7 +18,7 @@ run-name: "Test Codex Add Issue Comment" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-add-issue-labels.lock.yml b/.github/workflows/test-codex-add-issue-labels.lock.yml index b010691964..ef429ef26a 100644 --- a/.github/workflows/test-codex-add-issue-labels.lock.yml +++ b/.github/workflows/test-codex-add-issue-labels.lock.yml @@ -18,7 +18,7 @@ run-name: "Test Codex Add Issue Labels" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-command.lock.yml b/.github/workflows/test-codex-command.lock.yml index ff390dda8f..9ea2778a4d 100644 --- a/.github/workflows/test-codex-command.lock.yml +++ b/.github/workflows/test-codex-command.lock.yml 
@@ -279,7 +279,7 @@ jobs: add_reaction: needs: task - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-create-pull-request-review-comment.lock.yml b/.github/workflows/test-codex-create-pull-request-review-comment.lock.yml index 4d3b735fec..17a9b44c33 100644 --- a/.github/workflows/test-codex-create-pull-request-review-comment.lock.yml +++ b/.github/workflows/test-codex-create-pull-request-review-comment.lock.yml @@ -28,7 +28,7 @@ jobs: add_reaction: needs: task - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-mcp.lock.yml b/.github/workflows/test-codex-mcp.lock.yml index e02a80426b..ddecaeb909 100644 --- a/.github/workflows/test-codex-mcp.lock.yml +++ b/.github/workflows/test-codex-mcp.lock.yml 
@@ -15,7 +15,7 @@ run-name: "Test Codex Mcp" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/.github/workflows/test-codex-update-issue.lock.yml b/.github/workflows/test-codex-update-issue.lock.yml index 9eef67a991..047ea9c714 100644 --- a/.github/workflows/test-codex-update-issue.lock.yml +++ b/.github/workflows/test-codex-update-issue.lock.yml @@ -18,7 +18,7 @@ run-name: "Test Codex Update Issue" jobs: add_reaction: - if: github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' + if: github.event_name == 'issues' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment' || (github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository) runs-on: ubuntu-latest permissions: issues: write diff --git a/pkg/workflow/expressions.go b/pkg/workflow/expressions.go index 0572e03ed9..8f06e4e7a6 100644 --- a/pkg/workflow/expressions.go +++ b/pkg/workflow/expressions.go 
@@ -208,11 +208,18 @@ func buildReactionCondition() ConditionNode { var terms []ConditionNode terms = append(terms, BuildEventTypeEquals("issues")) - terms = append(terms, BuildEventTypeEquals("pull_request")) terms = append(terms, BuildEventTypeEquals("issue_comment")) terms = append(terms, BuildEventTypeEquals("pull_request_comment")) terms = append(terms, BuildEventTypeEquals("pull_request_review_comment")) + // For pull_request events, we need to ensure it's not from a forked repository + // since forked repositories have read-only permissions and cannot add reactions + pullRequestCondition := &AndNode{ + Left: BuildEventTypeEquals("pull_request"), + Right: BuildNotFromFork(), + } + terms = append(terms, pullRequestCondition) + // Use DisjunctionNode to avoid deep nesting return &DisjunctionNode{Terms: terms} } @@ -285,6 +292,15 @@ func BuildActionEquals(action string) *ComparisonNode { ) } +// BuildNotFromFork creates a condition to check that a pull request is not from a forked repository +// This prevents the job from running on forked PRs where write permissions are not available +func BuildNotFromFork() *ComparisonNode { + return BuildEquals( + BuildPropertyAccess("github.event.pull_request.head.repo.full_name"), + BuildPropertyAccess("github.repository"), + ) +} + // BuildEventTypeEquals creates a condition to check if the event type equals a specific value func BuildEventTypeEquals(eventType string) *ComparisonNode { return BuildEquals( diff --git a/pkg/workflow/expressions_test.go b/pkg/workflow/expressions_test.go index 5b83f889d8..726e9d52a2 100644 --- a/pkg/workflow/expressions_test.go +++ b/pkg/workflow/expressions_test.go 
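Review bot: The fork guard in buildReactionCondition covers only the `pull_request` term, while `pull_request_review_comment` is still appended unguarded. Review-comment events on a fork pull request appear to run with the same read-only token, so add_reaction would likely still fail there; this is worth confirming against the GitHub documentation. That payload also carries `pull_request`, so the same check can be reused: `terms = append(terms, &AndNode{Left: BuildEventTypeEquals("pull_request_review_comment"), Right: BuildNotFromFork()})` in place of the plain term. The function's signature sits above the hunk.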
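Review bot: The doc comment on BuildNotFromFork should say that the comparison is only meaningful for events whose payload has a `pull_request` object. For other events `github.event.pull_request.head.repo.full_name` is empty and the expression evaluates to false, so using the node on its own would skip the job for every non-PR event. Suggested wording: `// BuildNotFromFork compares the PR head repository with github.repository; it is false for events without a pull_request payload, so AND it with an event-type check.` It would also help to state that this guards against a read-only token and does not establish that the pull request content is trusted.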
@@ -146,10 +146,12 @@ func TestBuildReactionCondition(t *testing.T) { // The result should be a flat OR chain without deep nesting expectedSubstrings := []string{ "github.event_name == 'issues'", - "github.event_name == 'pull_request'", "github.event_name == 'issue_comment'", "github.event_name == 'pull_request_comment'", "github.event_name == 'pull_request_review_comment'", + "github.event_name == 'pull_request'", + "github.event.pull_request.head.repo.full_name == github.repository", + "&&", "||", } @@ -159,10 +161,10 @@ func TestBuildReactionCondition(t *testing.T) { } } - // With DisjunctionNode, the output should be flat without extra parentheses at the start/end - expectedOutput := "github.event_name == 'issues' || github.event_name == 'pull_request' || github.event_name == 'issue_comment' || github.event_name == 'pull_request_comment' || github.event_name == 'pull_request_review_comment'" - if rendered != expectedOutput { - t.Errorf("Expected exact output '%s', but got: %s", expectedOutput, rendered) + // With the fork check, the pull_request condition should be more complex + // It should contain both the event name check and the not-from-fork check + if !strings.Contains(rendered, "(github.event_name == 'pull_request') && (github.event.pull_request.head.repo.full_name == github.repository)") { + t.Errorf("Expected pull_request condition to include fork check, but got: %s", rendered) } } @@ -949,3 +951,13 @@ func TestHelperFunctionsForMultiline(t *testing.T) { } }) } + +func TestBuildNotFromFork(t *testing.T) { + result := BuildNotFromFork() + rendered := result.Render() + + expected := "github.event.pull_request.head.repo.full_name == github.repository" + if rendered != expected { + t.Errorf("Expected '%s', got '%s'", expected, rendered) + } +}
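Review bot: Replacing the exact-output assertion in TestBuildReactionCondition with `strings.Contains` checks (second hunk of expressions_test.go, together with the expectedSubstrings list in the first) means the test no longer fails if an unguarded `github.event_name == 'pull_request'` term is re-added beside the guarded one, since every expected substring would still be present. Keep the equality check and set `expectedOutput` to the full condition now emitted in the lock files: `if rendered != expectedOutput { t.Errorf("Expected exact output '%s', but got: %s", expectedOutput, rendered) }`. That pins the fork restriction as the only way a `pull_request` event can satisfy the condition. The test function starts above the first hunk.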