From e6c0e950b40995b10b7eee2f2a4ccd81c06c04e5 Mon Sep 17 00:00:00 2001
From: chaodu-agent
Date: Fri, 26 Jun 2026 22:20:30 -0400
Subject: [PATCH] fix(pr-review): skip pull_request path for fork PRs (read-only token 403)

#1218 added a pull_request trigger, but fork PRs run with a read-only GITHUB_TOKEN, so creating the 'OpenAB PR Review' status 403s and the run fails (observed on fork PR #1190). Guard the job to run on pull_request events only for same-repo PRs; forks continue to be handled by the cron poller (which runs with full permissions). schedule/workflow_dispatch always run. Fixes the failing runs introduced by #1218.

---
 .github/workflows/pr-bot-review.yml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/.github/workflows/pr-bot-review.yml b/.github/workflows/pr-bot-review.yml
index db7bcf835..d9c5b9ac1 100644
--- a/.github/workflows/pr-bot-review.yml
+++ b/.github/workflows/pr-bot-review.yml
@@ -20,6 +20,13 @@ jobs:
 poll-and-review:
 runs-on: ubuntu-latest
 timeout-minutes: 5
+ # On pull_request events from forks, GITHUB_TOKEN is read-only, so writing
+ # the commit status 403s and the run fails. Skip the event-driven path for
+ # fork PRs — the scheduled cron (full permissions) still reviews them.
+ # schedule/workflow_dispatch always run; same-repo PRs run on the event.
+ if: >-
+ github.event_name != 'pull_request' ||
+ github.event.pull_request.head.repo.full_name == github.repository
 steps:
 - name: Find PRs needing review
 id: poll
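Review bot: The added `if:` only separates forks from same-repo PRs, but PRs opened by Dependabot are same-repo and, per GitHub's documented behaviour, also receive a read-only GITHUB_TOKEN on `pull_request` unless the workflow raises it with a `permissions:` block, which this hunk does not show. If nothing grants `statuses: write`, those runs would hit the same 403; the second operand could become `(github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')`, assuming the cron poller also picks those PRs up. I would also extend the comment with a line such as `# Do not switch this to pull_request_target to get a write token; the privileged cron path must never check out or run fork head code.` so the trust boundary is recorded next to the condition. The job's `steps:` continue outside the hunk, so whether the poller already treats fork content as data only cannot be confirmed from here.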