Warn about the GitHub tokens on pull_request events

The action will cause an "Error: HttpError: Resource not accessible by integration" if run on PR on a forked repository using the pull_request event.
actions · Jan 25, 2023 · c871ba1 · c871ba1
1 parent b435530
commit c871ba1
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -122,6 +122,17 @@ Various inputs are defined in [`action.yml`](action.yml) to let you configure th
 | `configuration-path` | The path to the label configuration file | `.github/labeler.yml` |
 | `sync-labels` | Whether or not to remove labels when matching files are reverted or no longer changed by the PR | `false`
 
+# Permissions
+
+Write permission on `pull-request` is needed to add labels to pull requests,
+but when an action is run for a pull request on on a forked repository, GitHub
+tokens on *pull_request* events are only given [at most read
+access](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token).
+If you are seeing `Error: HttpError: Resource not accessible by integration` then change
+the `on:` section to `pull_request_target` which allows write access safely by
+changing the [context of the
+action](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target).
+
 # Contributions
 
 Contributions are welcome! See the [Contributor's Guide](CONTRIBUTING.md).