From ee10f9ca034509e607c966745cc2ff209ebcdca4 Mon Sep 17 00:00:00 2001
From: Kyle Kelley
Date: Sat, 11 Apr 2026 08:07:59 -0700
Subject: [PATCH] Post conformance PR comment via workflow_run
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fork PRs receive a read-only GITHUB_TOKEN regardless of the top-level permissions block, so the inline `gh pr comment` step in the conformance workflow fails with "Resource not accessible by integration" whenever a contributor opens a PR from a fork. Move the comment step into a separate workflow triggered by workflow_run, which runs in the base repo context with pull-requests: write and only reads the uploaded summary artifact — never checks out PR code.
---
 .github/workflows/comment-on-pr.yml | 32 +++++++++++++++++++++++++++++
 .github/workflows/conformance.yml | 16 +++++++++++----
 2 files changed, 44 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/comment-on-pr.yml

diff --git a/.github/workflows/comment-on-pr.yml b/.github/workflows/comment-on-pr.yml
new file mode 100644
index 0000000..7b4570d
--- /dev/null
+++ b/.github/workflows/comment-on-pr.yml
@@ -0,0 +1,32 @@
+name: Comment PR with Conformance Results
+
+ on:
+ workflow_run:
+ workflows: ["Kernel Conformance"]
+ types:
+ - completed
+
+ permissions:
+ pull-requests: write
+ actions: read
+
+ jobs:
+ comment:
+ name: Post conformance summary
+ runs-on: ubuntu-latest
+ if: github.event.workflow_run.event == 'pull_request'
+ steps:
+ - name: Download PR comment artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: pr-comment
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Post comment
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GH_REPO: ${{ github.repository }}
+ run: |
+ PR=$(cat pr_number.txt)
+ gh pr comment "$PR" --body-file summary.md
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
index 7d81835..5d06194 100644
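Review bot: Both files the `Post comment` step consumes, `pr_number.txt` and `summary.md`, are produced by the fork PR's own run, so the privileged job treats fork-controlled data as the target PR number and the comment body; the commit message's "never checks out PR code" is true, but the artifact contents are still untrusted input. With only `pull-requests: write` the blast radius is limited to comments, but a malicious fork can still aim the comment at any PR in the repo, and a value starting with `-` reaches `gh pr comment` as an argument. Validate that `$PR` is all digits and that the PR's head commit equals `github.event.workflow_run.head_sha` before commenting, taking the expected SHA from `env` rather than interpolating `${{ }}` into the script; the markdown body stays fork-controlled by design, which deserves a one-line comment on the step.
```yaml
      - name: Post comment
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPO: ${{ github.repository }}
          EXPECTED_SHA: ${{ github.event.workflow_run.head_sha }}
        run: |
          PR=$(cat pr_number.txt)
          # pr_number.txt is written by the fork's run: accept digits only
          [[ "$PR" =~ ^[0-9]+$ ]] || { echo "invalid PR number: $PR"; exit 1; }
          # bind the number to the run that produced this artifact
          HEAD_SHA=$(gh pr view "$PR" --json headRefOid -q .headRefOid)
          [[ "$HEAD_SHA" == "$EXPECTED_SHA" ]] || { echo "PR $PR head $HEAD_SHA != $EXPECTED_SHA"; exit 1; }
          # summary.md is fork-controlled markdown; the token can only comment
          gh pr comment "$PR" --body-file summary.md
```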
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -391,11 +391,19 @@ jobs:
 done
 } | tee -a $GITHUB_STEP_SUMMARY > summary.md
- - name: Comment on PR
+ - name: Save PR number for comment workflow
 if: github.event_name == 'pull_request'
- env:
- GH_TOKEN: ${{ github.token }}
- run: gh pr comment ${{ github.event.pull_request.number }} --body-file summary.md
+ run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
+
+ - name: Upload PR comment payload
+ if: github.event_name == 'pull_request'
+ uses: actions/upload-artifact@v4
+ with:
+ name: pr-comment
+ path: |
+ summary.md
+ pr_number.txt
+ if-no-files-found: error
 - name: Upload combined reports
 uses: actions/upload-artifact@v4
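Review bot: The new `Save PR number for comment workflow` step interpolates `${{ github.event.pull_request.number }}` directly into the shell command; the value is an integer so it is not injectable today, but passing event data through `env` is the pattern that stays safe if the expression is later swapped for a title or branch name, and it matches the `env:` style of the step being removed. Suggest `env:` / `PR_NUMBER: ${{ github.event.pull_request.number }}` / `run: printf '%s\n' "$PR_NUMBER" > pr_number.txt`. Because the `pr-comment` artifact is consumed by a privileged workflow_run job, a comment on the upload step such as `# consumed by comment-on-pr.yml with write permissions; contents come from this (possibly fork) run and are validated there` would warn the next maintainer. The `run: |` block that writes `summary.md` starts before this hunk.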