This is an automated email from the ASF dual-hosted git repository. lukaszlenart pushed a commit to branch fix/dependabot-pr-comment-permissions in repository https://gitbox.apache.org/repos/asf/struts-intellij-plugin.git
commit 9e3c82df21de49ccd7177591a0d4bbff6f8a819e Author: Lukasz Lenart <[email protected]> AuthorDate: Sat Jan 10 20:30:56 2026 +0100 fix(ci): resolve Dependabot PR comment permission error Move PR artifact comment logic to dedicated workflow triggered by workflow_run. This fixes the "Resource not accessible by integration" 403 error on Dependabot PRs by running in repository context with proper permissions. Changes: - Remove inline comment step from build.yml - Add new pr-artifact.yml workflow with workflow_run trigger - Skip comment workflow for Dependabot PRs (not needed for deps updates) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]> --- .github/workflows/build.yml | 39 ------------- .github/workflows/pr-artifact.yml | 117 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+), 39 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e0362ca..6744577 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -98,45 +98,6 @@ jobs: name: ${{ steps.artifact.outputs.filename }} path: ./build/distributions/content/*/* - # Comment on PR with artifact download link (sticky comment - updates existing) - - name: Comment PR with artifact link - if: github.event_name == 'pull_request' - uses: actions/github-script@v7 - with: - script: | - const marker = '<!-- plugin-artifact-comment -->'; - const body = `${marker} - 🔌 **Plugin artifact ready for testing!** - - Download from [Actions artifacts](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}#artifacts) - - Artifact: \`${{ steps.artifact.outputs.filename }}\``; - - // Find existing comment with marker - const { data: comments } = await github.rest.issues.listComments({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number - }); - - const existing = comments.find(c => c.body.includes(marker)); - - if (existing) { - await github.rest.issues.updateComment({ - owner: context.repo.owner, - repo: context.repo.repo, - comment_id: existing.id, - body: body - }); - } else { - await github.rest.issues.createComment({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - body: body - }); - } - # Run tests and upload a code coverage report test: diff --git a/.github/workflows/pr-artifact.yml b/.github/workflows/pr-artifact.yml new file mode 100644 index 0000000..91caf9f --- /dev/null +++ b/.github/workflows/pr-artifact.yml 
@@ -0,0 +1,117 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Workflow to comment on PRs with artifact download link
+# Triggered after Build workflow completes, skipped for Dependabot PRs
+
+name: PR Artifact Comment
+
+on:
+ workflow_run:
+ workflows: [ "Build" ]
+ types:
+ - completed
+
+jobs:
+ comment:
+ name: Comment on PR with artifact link
+ # Only run for successful PR builds, skip Dependabot
+ if: >
+ github.event.workflow_run.event == 'pull_request' &&
+ github.event.workflow_run.conclusion == 'success' &&
+ github.event.workflow_run.actor.login != 'dependabot[bot]'
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ actions: read
+ steps:
+ - name: Get PR number and artifact info
+ id: pr-info
+ uses: actions/github-script@v7
+ with:
+ script: |
+ // Get the PR associated with this workflow run
+ const { data: { pull_requests } } = await github.rest.actions.getWorkflowRun({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id
+ });
+
+ if (!pull_requests || pull_requests.length === 0) {
+ core.setFailed('No PR found for this workflow run');
+ return;
+ }
+
+ const prNumber = pull_requests[0].number;
+ core.setOutput('pr_number', prNumber);
+
+ // Get artifacts from the workflow run
+ const { data: { artifacts } } = await github.rest.actions.listWorkflowRunArtifacts({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ run_id: context.payload.workflow_run.id
+ });
+
+ // Find the plugin artifact (exclude pr-metadata, tests-result, pluginVerifier-result)
+ const pluginArtifact = artifacts.find(a =>
+ !['pr-metadata', 'tests-result', 'pluginVerifier-result'].includes(a.name)
+ );
+
+ if (pluginArtifact) {
+ core.setOutput('artifact_name', pluginArtifact.name);
+ } else {
+ core.setOutput('artifact_name', 'plugin-artifact');
+ }
+
+ - name: Comment on PR
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const prNumber = ${{ steps.pr-info.outputs.pr_number }};
+ const artifactName = '${{ steps.pr-info.outputs.artifact_name }}';
+ const runId = context.payload.workflow_run.id;
+
+ const marker = '<!-- plugin-artifact-comment -->';
+ const body = `${marker}
+ 🔌 **Plugin artifact ready for testing!**
+
+ Download from [Actions artifacts](${{ github.server_url }}/${{ github.repository }}/actions/runs/${runId}#artifacts)
+
+ Artifact: \`${artifactName}\``;
+
+ // Find existing comment with marker
+ const { data: comments } = await github.rest.issues.listComments({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: prNumber
+ });
+
+ const existing = comments.find(c => c.body.includes(marker));
+
+ if (existing) {
+ await github.rest.issues.updateComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ comment_id: existing.id,
+ body: body
+ });
+ } else {
+ await github.rest.issues.createComment({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ issue_number: prNumber,
+ body: body
+ });
+ }
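Review bot: In the `Comment on PR` step, `const artifactName = '${{ steps.pr-info.outputs.artifact_name }}';` pastes the artifact name into the script source before it is parsed, and that name is read from the artifacts of the triggering `pull_request` run, which a contributor's branch can influence. Because this `workflow_run` job runs in the base repository with `pull-requests: write`, a name containing a quote would be evaluated as code rather than treated as data. Pass the value through the environment instead: add `env:` with `ARTIFACT_NAME: ${{ steps.pr-info.outputs.artifact_name }}` to the step and read it with `const artifactName = process.env.ARTIFACT_NAME;` (the same pattern works for `pr_number`, wrapped in `Number(...)`). Separately, the `pull_requests` array of a workflow run is, as far as I know, empty for pull requests opened from forks, so the first step would likely call `core.setFailed` on those; worth confirming on a fork PR.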
