As I understand it, GitHub considers any fork PR as potentially dangerous. So when using on pull-request in action, it will always set all permissions to read.
There is pull_request_target that is less safe, but it should allow write permission.
So I am switching the action to pull_request_target and to mitigate the unsafeness I will also switch settings to Require approval for all outside collaborators.
There are other solutions to this that may be better, but also more complicated, if you want to look into it @miroslavpojer @Zejnilovic
As I understand it, GitHub considers any fork PR as potentially dangerous. So when using
on pull-requestin action, it will always set all permissions to read.There is
pull_request_targetthat is less safe, but it should allowwritepermission.So I am switching the action to
pull_request_targetand to mitigate the unsafeness I will also switch settings to Require approval for all outside collaborators.There are other solutions to this that may be better, but also more complicated, if you want to look into it @miroslavpojer @Zejnilovic
For more info, see: