From 4483e2979295726e7f1b2cc96923ac5edfbecee5 Mon Sep 17 00:00:00 2001
From: senseb <446326+senseb@users.noreply.github.com>
Date: Sun, 21 Jun 2026 22:04:12 +0800
Subject: [PATCH] Allow dedicated PR comment token

---
 .github/workflows/beforewire-agent-gate.yml | 2 +-
 examples/agent-readiness-pack/README.md | 5 ++++-
 .../agent-readiness-pack/github/beforewire-agent-gate.yml | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/beforewire-agent-gate.yml b/.github/workflows/beforewire-agent-gate.yml
index a6d7979..24649b5 100644
--- a/.github/workflows/beforewire-agent-gate.yml
+++ b/.github/workflows/beforewire-agent-gate.yml
@@ -34,7 +34,7 @@ jobs:
 - name: Post readiness PR comment
 if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.BEFOREWIRE_PR_COMMENT_TOKEN || secrets.GITHUB_TOKEN }}
 GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
 run: |
 cd examples/agent-readiness-pack
diff --git a/examples/agent-readiness-pack/README.md b/examples/agent-readiness-pack/README.md
index 3c10376..a201c3b 100644
--- a/examples/agent-readiness-pack/README.md
+++ b/examples/agent-readiness-pack/README.md
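Review bot: The new `env:` line exports a long-lived personal access token under the name `GITHUB_TOKEN`, so every command the step's `run:` script executes (its body continues past the hunk) inherits the PAT, not just the comment-posting call, and any tool that reads `GITHUB_TOKEN` by convention will silently act as the token's user instead of the ephemeral workflow token. As far as I know a workflow can request `permissions: pull-requests: write` on the job even when the organization's default token permission is read-only, which would avoid a stored credential entirely; that option is worth trying before introducing the secret, and the README should say so. If the PAT stays, bind it to a distinct name consumed only by the comment step, e.g. `BEFOREWIRE_PR_COMMENT_TOKEN: ${{ secrets.BEFOREWIRE_PR_COMMENT_TOKEN }}`, and document the expected scope next to it: `# optional fine-grained PAT limited to this repository with pull-request write only; the workflow token is used when unset`. The same change appears in the examples/agent-readiness-pack/github/beforewire-agent-gate.yml hunk and should be treated identically.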
@@ -161,7 +161,10 @@ The installed workflow is named `beforewire-agent-gate` and its job is named reruns `bin/run_readiness_pack.py --repo ../..`, verifies the freshly generated receipt, posts a readiness summary PR comment through the broker, and uploads the evidence artifacts. Fork PRs keep the required-check receipt gate but skip
-the comment side effect because GitHub tokens are read-only there.
+the comment side effect because GitHub tokens are read-only there. If the
+organization disables workflow token write permissions, set a fine-grained
+`BEFOREWIRE_PR_COMMENT_TOKEN` repository secret with issue comment write access;
+the workflow uses that token before falling back to `GITHUB_TOKEN`.
 To make it merge-blocking, enable branch protection or a repository ruleset and require the `BeforeWire Agent Gate` check. The local acceptance runner can attempt
diff --git a/examples/agent-readiness-pack/github/beforewire-agent-gate.yml b/examples/agent-readiness-pack/github/beforewire-agent-gate.yml
index a6d7979..24649b5 100644
--- a/examples/agent-readiness-pack/github/beforewire-agent-gate.yml
+++ b/examples/agent-readiness-pack/github/beforewire-agent-gate.yml
@@ -34,7 +34,7 @@ jobs:
 - name: Post readiness PR comment
 if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
 env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.BEFOREWIRE_PR_COMMENT_TOKEN || secrets.GITHUB_TOKEN }}
 GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
 run: |
 cd examples/agent-readiness-pack