
check out why the Check_authors script is failing #763

Open
jaytaph opened this issue Jan 12, 2025 · 2 comments
Labels
github actions (Any issues related to Github actions), good first issue (Good for newcomers)

Comments

@jaytaph
Member

jaytaph commented Jan 12, 2025

For instance, see: https://github.com/gosub-io/gosub-engine/actions/runs/12734650986/job/35494476939?pr=762

@jaytaph jaytaph added good first issue Good for newcomers github actions Any issues related to Github actions labels Jan 12, 2025
@parkero

parkero commented Feb 5, 2025

Error

RequestError [HttpError]: Resource not accessible by integration
at /home/runner/work/_actions/peter-evans/create-or-update-comment/v3/dist/index.js:4695:21

Research

Docs for peter-evans / create-or-update-comment say permissions needed are:

  • pull-requests: write (present)
  • issues: write (not present)

HOWEVER slightly further down it also describes what may be the particular issue here:
(my emphases)

Note: In public repositories this action does not work in pull_request workflows when triggered by forks. Any attempt will be met with the error, Resource not accessible by integration. This is due to token restrictions put in place by GitHub Actions. Private repositories can be configured to enable workflows from forks to run without restriction. See here for further explanation. Alternatively, use the pull_request_target event to comment on pull requests.

Fix Options

Remove the auto-comment in the Author Check
  • Safe, report using echo and exit instead
Change type from pull_request to pull_request_target

tl;dr: you can do it here, but that gives it write permissions, which would open up the beginning checkout action to malicious actors

GitHub has this to say about the pull_request_target event:

the introduction of pull_request_target trigger allowed a workflow writer to relax some restrictions to a target repository and must be used carefully. The main differences between the two triggers are:

  1. Workflows triggered via pull_request_target have write permission to the target repository. They also have access to target repository secrets. The same is true for workflows triggered on pull_request from a branch in the same repository, but not from external forks. The reasoning behind the latter is that it is safe to share the repository secrets if the user creating the PR has write permission to the target repository already.
  2. pull_request_target runs in the context of the target repository of the PR, rather than in the merge commit. This means the standard checkout action uses the target repository to prevent accidental usage of the user supplied code.

These safeguards enable granting the pull_request_target additional permissions. The reason to introduce the pull_request_target trigger was to enable workflows to label PRs (e.g. needs review) or to comment on the PR. The intent is to use the trigger for PRs that do not require dangerous processing, say building or running the content of the PR.

Remove the authorship check altogether
  • I don't know, just seems like a lot of error/security surface (check_authors.sh, pr-author-check.yml) to remind someone about being included in the AUTHORS file
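As an added illustration of the two fix options above (not a workflow from the gosub-engine repository; the step names, the `AUTHORS` lookup and the second workflow's shape are assumptions), two workflow files are shown in one block: the first keeps the read-only `pull_request` trigger and reports with echo/exit, the second is the `pull_request_target` shape that the quoted guidance warns against.

```yaml
# Added example, not the project's own pr-author-check.yml.
# Variant 1 (report-only): keep `pull_request`, request no write scopes,
# and replace the PR comment with an annotation plus a non-zero exit.
name: pr-author-check (report-only)
on:
  pull_request:
permissions:
  contents: read            # no write scopes, so a fork PR gains nothing
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # on pull_request this is the PR merge commit
      - name: Check that the PR author is listed in AUTHORS
        env:
          # Pass event data through env, never interpolate it into the script body.
          AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          # Fixed-string, case-insensitive match against the AUTHORS file.
          if grep -qiF -- "$AUTHOR" AUTHORS; then
            echo "::notice::$AUTHOR is listed in AUTHORS"
          else
            echo "::warning::$AUTHOR is not listed in AUTHORS; add yourself if you want credit"
            exit 1            # use `exit 0` instead to keep the reminder non-blocking
          fi
---
# Variant 2 (the shape to avoid): `pull_request_target` hands the job a
# write-capable token. Checking out the PR head and running a script taken
# from it executes fork-controlled code with that token, which is exactly
# the risk described in the thread above.
name: pr-author-check (unsafe shape)
on:
  pull_request_target:
permissions:
  pull-requests: write
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork-controlled code
      - run: ./check_authors.sh     # runs that code while holding the write token
```

With variant 1 the reminder still shows up in the job log and the checks summary of the PR; only the auto-comment is lost.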

@jaytaph
Member Author

jaytaph commented Feb 5, 2025

@parkero Thanks for your research. Much appreciated. I would suggest for now to remove the check. People can fill in their name manually if they want to.
