diff --git a/.github/workflows/beforewire-agent-gate.yml b/.github/workflows/beforewire-agent-gate.yml
index a6d7979..24649b5 100644
--- a/.github/workflows/beforewire-agent-gate.yml
+++ b/.github/workflows/beforewire-agent-gate.yml
@@ -34,7 +34,7 @@ jobs:
 - name: Post readiness PR comment
 if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.BEFOREWIRE_PR_COMMENT_TOKEN || secrets.GITHUB_TOKEN }}
 GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
 run: |
 cd examples/agent-readiness-pack
diff --git a/examples/agent-readiness-pack/README.md b/examples/agent-readiness-pack/README.md
index 3c10376..a201c3b 100644
--- a/examples/agent-readiness-pack/README.md
+++ b/examples/agent-readiness-pack/README.md
@@ -161,7 +161,10 @@ The installed workflow is named `beforewire-agent-gate` and its job is named
 reruns `bin/run_readiness_pack.py --repo ../..`, verifies the freshly generated receipt, posts a readiness summary PR comment through the broker, and uploads the evidence artifacts. Fork PRs keep the required-check receipt gate but skip
-the comment side effect because GitHub tokens are read-only there.
+the comment side effect because GitHub tokens are read-only there. If the organization disables workflow token write permissions, set a fine-grained `BEFOREWIRE_PR_COMMENT_TOKEN` repository secret with issue comment write access; the workflow uses that token before falling back to `GITHUB_TOKEN`.
 To make it merge-blocking, enable branch protection or a repository ruleset and require the `BeforeWire Agent Gate` check. The local acceptance runner can attempt
diff --git a/examples/agent-readiness-pack/github/beforewire-agent-gate.yml b/examples/agent-readiness-pack/github/beforewire-agent-gate.yml
index a6d7979..24649b5 100644
--- a/examples/agent-readiness-pack/github/beforewire-agent-gate.yml
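Review bot: The changed `GITHUB_TOKEN` env line substitutes a user-scoped personal access token for the job-scoped token, and because the PAT is published under the name `GITHUB_TOKEN`, every tool in the step's `run` block that honours that variable receives it, not only the comment poster; the `run` body continues outside the hunk, so what else reads it cannot be checked here. A fine-grained PAT does not expire when the job ends and its comments appear as the token owner rather than `github-actions[bot]`, so the `env:` block should record the intended scope, e.g. `# BEFOREWIRE_PR_COMMENT_TOKEN: fine-grained PAT restricted to this repository with Issues: write only and an expiry; the job token is used when it is unset.` If the comment poster can accept a dedicated variable, passing the PAT under its own name instead of overriding `GITHUB_TOKEN` would keep the wider credential out of unrelated commands in the step. The existing same-repo guard on the `if:` line correctly keeps the secret out of fork PR runs and should stay paired with this line. The identical change in `examples/agent-readiness-pack/github/beforewire-agent-gate.yml` needs the same comment.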
+++ b/examples/agent-readiness-pack/github/beforewire-agent-gate.yml
@@ -34,7 +34,7 @@ jobs:
 - name: Post readiness PR comment
 if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.BEFOREWIRE_PR_COMMENT_TOKEN || secrets.GITHUB_TOKEN }}
 GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
 run: |
 cd examples/agent-readiness-pack