Skip to content

Skip GitHub Packages publish for fork PRs#363

Merged
jasonleenaylor merged 3 commits intomasterfrom
copilot/exclude-fork-prs-from-publishing
Feb 6, 2026
Merged

Skip GitHub Packages publish for fork PRs#363
jasonleenaylor merged 3 commits intomasterfrom
copilot/exclude-fork-prs-from-publishing

Conversation

Copy link
Contributor

Copilot AI commented Feb 6, 2026
edited
Loading

Fork PRs fail at the "Publish to Github packages" step with 403 Forbidden because GITHUB_TOKEN lacks write permissions to GitHub Packages for cross-repository PRs (e.g., PR #361 from johnml1135/liblcm).

Changes

  • Add repository check to publish condition: github.event.pull_request.head.repo.full_name == github.repository
  • Skip GitHub Packages publish for fork PRs while preserving it for same-repo PRs
  • Build artifacts remain available for all PRs via the "Publish Artifacts" step
# Before
- name: Publish to Github packages
  if: github.event_name == 'pull_request' && matrix.os == 'ubuntu-22.04'
  run: dotnet nuget push artifacts/*.nupkg ...

# After
- name: Publish to Github packages
  if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && matrix.os == 'ubuntu-22.04'
  run: dotnet nuget push artifacts/*.nupkg ...
Original prompt

Problem

The GitHub Actions workflow is failing when attempting to publish NuGet packages to GitHub Packages for pull requests from forked repositories. The step "Publish to Github packages" encounters a 403 Forbidden error because GITHUB_TOKEN does not have write permissions for packages when the PR originates from a fork.

Example failure: https://github.com/sillsdev/liblcm/actions/runs/21763210541/job/62791992261?pr=361

Error from logs:

warn : Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured.
  Forbidden https://nuget.pkg.github.com/sillsdev/ 584ms
error: Response status code does not indicate success: 403 (Forbidden).

PR #361 is from the fork johnml1135/liblcm, which triggers this security restriction.

Solution

Update the .github/workflows/ci-cd.yml file to exclude fork PRs from the GitHub Packages publishing step while still allowing publication for PRs from branches within the same repository.

Change line 95 from:

      if: github.event_name == 'pull_request' && matrix.os == 'ubuntu-22.04'

To:

      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && matrix.os == 'ubuntu-22.04'

Add an explanatory comment above the step explaining why this restriction exists:

    # Publish packages for pull requests from the same repository only.
    # Fork PRs cannot authenticate to GitHub Packages due to security restrictions,
    # but contributors can still download build artifacts from the workflow run.
    - name: Publish to Github packages
      if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository && matrix.os == 'ubuntu-22.04'
      run: dotnet nuget push artifacts/*.nupkg -s https://nuget.pkg.github.com/sillsdev/index.json -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate

Expected Outcome

After this change:

  • PRs from branches within sillsdev/liblcm will successfully publish packages to GitHub Packages ✅
  • PRs from forks (like johnml1135/liblcm) will skip the publish step and not fail ✅
  • All contributors (fork or same-repo) will still get build artifacts via the "Publish Artifacts" step ✅
  • The workflow will complete successfully for all PRs ✅

File to Modify

  • .github/workflows/ci-cd.yml - Update the conditional at line 95 and add explanatory comment

This pull request was created from Copilot chat.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

This change is Reviewable

@jasonleenaylor
Fix: Exclude fork PRs from GitHub Packages publishing
fa16af1 
- Updated condition to check if PR is from same repository
- Added explanatory comments about security restrictions
- Fork PRs will skip publish step but still get build artifacts

Co-authored-by: jasonleenaylor <2295227+jasonleenaylor@users.noreply.github.com>
Copilot AI changed the title [WIP] Update CI/CD workflow to handle forked PRs for publishing Skip GitHub Packages publish for fork PRs to prevent 403 errors Feb 6, 2026
Copilot AI requested a review from jasonleenaylor February 6, 2026 19:55
@jasonleenaylor jasonleenaylor changed the title Skip GitHub Packages publish for fork PRs to prevent 403 errors Skip GitHub Packages publish for fork PRs Feb 6, 2026
@jasonleenaylor jasonleenaylor marked this pull request as ready for review February 6, 2026 20:01
@jasonleenaylor jasonleenaylor enabled auto-merge (squash) February 6, 2026 21:00
@jasonleenaylor jasonleenaylor merged commit 3cb45f8 into master Feb 6, 2026
3 of 4 checks passed
@jasonleenaylor jasonleenaylor deleted the copilot/exclude-fork-prs-from-publishing branch February 6, 2026 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@papeh papeh papeh approved these changes

@jasonleenaylor jasonleenaylor Awaiting requested review from jasonleenaylor

Assignees

@jasonleenaylor jasonleenaylor

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@papeh @jasonleenaylor