bug: BCOS v2 Engine Scan fails on fork PRs - HttpError 403 when posting PR comment #2132
Open
Description
Bug Report: BCOS v2 Engine Scan fails on all fork PRs
Summary
The BCOS v2 Engine Scan workflow fails on every PR submitted from a fork with:
RequestError [HttpError]: Resource not accessible by integration
The BCOS scan itself succeeds (trust score computed, tier met), but the job fails because the "Comment trust score on PR" step attempts to POST a comment to the upstream PR using github.rest.issues.createComment(). GitHub returns HTTP 403 because fork PRs only receive Contents: read, Metadata: read, PullRequests: read permissions. issues=write and pull_requests=write are required to post comments but are not available to the fork's GITHUB_TOKEN.
Evidence
From workflow run on PR #2106:
x-accepted-github-permissions: issues=write; pull_requests=write
HTTP 403 POST https://api.github.com/repos/Scottcjn/Rustchain/issues/2106/comments
"message": "Resource not accessible by integration"
Impact
- All fork PRs show CI failure even when the BCOS scan passes (score was 60/100, L1 tier met)
- Discourages contributors who see CI red when their code is actually fine
Reproduction
Submit any PR from a forked repository. The BCOS v2 Engine Scan job will fail at the "Comment trust score on PR" step regardless of code quality.
Suggested Fix
One of:
- Add `pull-requests: write` to the permissions block in `.github/workflows/bcos.yml`
- Add a guard: `if: github.event.pull_request.head.repo.full_name == github.repository`
- Wrap `createComment` in a try/catch so the job does not fail when commenting is not permitted
Wallet: bill0151
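
The guard and the try/catch from the suggested fixes, combined in one `actions/github-script` step body. This is an added example, not part of the original issue or the project's workflow; the function names and return strings are hypothetical, and `github`, `context` and `core` are assumed to be the objects that action injects.

```javascript
// Added example, not the project's workflow code. Function names and
// return strings are hypothetical; `github`, `context`, `core` are the
// objects actions/github-script passes to the step script.

// True when the PR head lives in the base repository (not a fork). Mirrors:
//   github.event.pull_request.head.repo.full_name == github.repository
function isSameRepoPr(context) {
  const pr = context.payload.pull_request;
  const head = pr && pr.head && pr.head.repo; // null if the fork was deleted
  return Boolean(head) &&
    head.full_name === `${context.repo.owner}/${context.repo.repo}`;
}

// HTTP 403 here means the token lacks issues=write / pull_requests=write.
function isPermissionDenied(err) {
  return Boolean(err) && err.status === 403;
}

async function commentTrustScore({ github, context, core }, body) {
  if (!isSameRepoPr(context)) {
    // Read-only token: do not attempt the POST, and do not fail the job.
    core.notice('Not a same-repo PR: trust score comment skipped');
    return 'skipped:guard';
  }
  try {
    await github.rest.issues.createComment({
      owner: context.repo.owner,
      repo: context.repo.repo,
      issue_number: context.payload.pull_request.number,
      body,
    });
    return 'commented';
  } catch (err) {
    // Only the permission error is downgraded; anything else still fails.
    if (!isPermissionDenied(err)) throw err;
    core.warning(`Trust score comment not posted: ${err.message}`);
    return 'skipped:403';
  }
}
```

The scan result stays the job's pass/fail signal; only the inability to comment is downgraded to a notice or warning.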