add_pr_comment is skipped when pull request is from fork

[solvaholic]

Description

When contributors submit DNS configuration changes via pull requests from forks, GitHub Actions workflows that run on the pull_request run with a read-only GitHub.token and do not have access to secrets.

To run a test-and-comment workflow with write permission (to add a comment) and secrets access (to run octodns-sync), the workflow can run on the pull_request_target event. In this case, however, comment.sh exits early without adding a comment.

Expected Behavior

add_pr_comment should add a pull request comment, even if the head of the pull request is a fork.

Actual Behavior

Currently scripts/comment.sh exits early if GitHub.event_type is not pull_request:

octodns-sync/scripts/comment.sh

Lines 8 to 16 in 41a0287

	if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
	if [ -z "${PR_COMMENT_TOKEN}" ]; then
	echo "FAIL: \$PR_COMMENT_TOKEN is not set."
	exit 1
	fi
	else
	echo "SKIP: \$GITHUB_EVENT_NAME is not 'pull_request'."
	exit 0
	fi

Possible Fix

In #67 @travislikestocode proposed adding the pull_request_target event to the check in comment.sh, changing it from:

  if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then

to:

  if [[ "${GITHUB_EVENT_NAME}" = "pull_request" || "${GITHUB_EVENT_NAME}" = "pull_request_target" ]]; then

Steps to Reproduce

1. Store DNS config in a repo
2. Use solvaholic/octodns-sync with add_pr_comment enabled
3. Configure the test-and-comment workflow to run on the pull_request_target event
4. Have another user fork the repo and submit DNS changes from it via pull request

Context

See prior discussion in #41 and #67.

Your Environment

• Version used: n/a
• Link to your project: n/a

[solvaholic]

How would it be if comment.sh didn't check GITHUB_EVENT_NAME at all?

For example:

  if [ -z "${PR_COMMENT_TOKEN}" ]; then
    echo "FAIL: \$PR_COMMENT_TOKEN is not set."
    exit 1
  fi