Merged
2 changes: 1 addition & 1 deletion .github/workflows/beforewire-agent-gate.yml
Expand Up @@ -34,7 +34,7 @@ jobs:
- name: Post readiness PR comment
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.BEFOREWIRE_PR_COMMENT_TOKEN || secrets.GITHUB_TOKEN }}
GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
cd examples/agent-readiness-pack
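Review bot: In the new `GITHUB_TOKEN:` env line, the `||` fallback only applies when `BEFOREWIRE_PR_COMMENT_TOKEN` is unset or empty, so a configured token that has expired or been revoked will make the comment step fail instead of falling back to `secrets.GITHUB_TOKEN`. Suggest either documenting that behaviour next to the step or making a failed comment post non-fatal, so that a stale optional secret does not break the readiness job.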
5 changes: 4 additions & 1 deletion examples/agent-readiness-pack/README.md
Expand Up @@ -161,7 +161,10 @@ The installed workflow is named `beforewire-agent-gate` and its job is named
reruns `bin/run_readiness_pack.py --repo ../..`, verifies the freshly generated
receipt, posts a readiness summary PR comment through the broker, and uploads
the evidence artifacts. Fork PRs keep the required-check receipt gate but skip
the comment side effect because GitHub tokens are read-only there.
the comment side effect because GitHub tokens are read-only there. If the
organization disables workflow token write permissions, set a fine-grained
`BEFOREWIRE_PR_COMMENT_TOKEN` repository secret with issue comment write access;
the workflow uses that token before falling back to `GITHUB_TOKEN`.

To make it merge-blocking, enable branch protection or a repository ruleset and
require the `BeforeWire Agent Gate` check. The local acceptance runner can attempt
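Review bot: The added sentence asks for "issue comment write access" but does not name the permission to select when creating the fine-grained token, and it does not say the token should be limited to this repository. Suggest naming the exact repository permission, stating that the token should be scoped to this one repository only, and adding that the secret takes precedence over `GITHUB_TOKEN` whenever it is set, not only when the organization disables workflow token writes.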
Expand Up @@ -34,7 +34,7 @@ jobs:
- name: Post readiness PR comment
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ secrets.BEFOREWIRE_PR_COMMENT_TOKEN || secrets.GITHUB_TOKEN }}
GITHUB_PR_NUMBER: ${{ github.event.pull_request.number }}
run: |
cd examples/agent-readiness-pack
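Review bot: The `run:` block under this `env:` line now has a stored repository secret in `GITHUB_TOKEN` whenever `BEFOREWIRE_PR_COMMENT_TOKEN` is set, so everything executed after `cd examples/agent-readiness-pack` can read it, not only the call that posts the comment. Suggest exporting the token only for the single command that posts the comment, and keeping the same-repository `if:` condition as the guard that stops fork PRs from reaching this step.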