ci(perf): post sticky comment for fork PRs via workflow_run #186
Merged
JacksonWeber merged 2 commits into Jun 4, 2026
The Performance workflow runs in the PR context, which only grants a read-only GITHUB_TOKEN for pull requests from forks. As a result the "Post sticky PR comment" step was gated off for cross-repo PRs and the perf comparison never appeared on those PRs (e.g. microsoft#182).

Move the comment posting into a new "Performance Comment" workflow triggered by workflow_run, which executes in the base repository context with pull-requests: write regardless of the PR's origin. The benchmarking workflow now records the PR number in pr-number.txt and uploads it alongside report.md so the follow-up workflow can target the correct PR.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
This PR updates the CI performance reporting so that perf comparison results can be posted as a sticky PR comment even when the pull request originates from a fork (where the GITHUB_TOKEN is read-only in the PR workflow context). It does so by moving the commenting step into a separate workflow_run workflow that runs in the base repository context.
Changes:
- Adds a new `Performance Comment` workflow triggered by `workflow_run` to post the sticky perf comparison comment with `pull-requests: write`.
- Updates `performance.yml` to record the PR number into an artifact (`pr-number.txt`) and removes the in-workflow sticky comment step.
- Adjusts artifact upload behavior to tolerate missing files (`if-no-files-found: ignore`).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/performance.yml | Uploads pr-number.txt alongside perf artifacts and removes direct PR commenting from the PR-context workflow. |
| .github/workflows/performance-comment.yml | New base-context workflow_run workflow that downloads perf artifacts and posts the sticky PR comment. |
Address Copilot review feedback on microsoft#186:

* Treat the perf-results artifact as untrusted. Check out the base repo and regenerate report.md here from base.json/pr.json using the base-branch copy of perf.compare so the markdown posted under the writable GITHUB_TOKEN is never attacker-supplied by a fork PR.
* Make actions/download-artifact non-fatal (continue-on-error) and gate every subsequent step on the download outcome, so a cancelled or failed upstream Performance run skips cleanly instead of marking the comment job as failed.
* Validate that pr-number.txt contains a positive integer via regex before passing it to the sticky-comment action; skip cleanly if not.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
rads-1996 approved these changes Jun 4, 2026
Why

The `Performance` workflow runs in the PR's context, which means the `GITHUB_TOKEN` is read-only for pull requests opened from forks. The `Post sticky PR comment` step is therefore gated off whenever `github.event.pull_request.head.repo.full_name != github.repository`, so the perf comparison never appears on cross-repository PRs (e.g. #182).

What

- Add a new `performance-comment.yml` workflow triggered by `workflow_run` of `Performance`. Because `workflow_run` runs in the base repository's context, it has `pull-requests: write` even for fork PRs.
- `performance.yml` now records the PR number in `pr-number.txt` and uploads it alongside `report.md`. The follow-up workflow downloads the `perf-results` artifact and uses that PR number to post the sticky comment with `marocchino/sticky-pull-request-comment@v2`.
- Remove the `Post sticky PR comment` step (and its fork gate) from `performance.yml` so we don't double-post for same-repo PRs.

Notes

- `workflow_run` jobs execute against the base branch's workflow definition, so this is safe even though the upstream perf job runs untrusted PR code — the comment job only consumes the produced artifact.
- `if-no-files-found: ignore` keeps the artifact upload from failing if an earlier step crashed before producing `report.md`; in that case the comment job sees an empty/missing report and skips posting rather than erroring.
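The `pr-number.txt` validation that the second commit describes ("positive integer via regex, skip cleanly if not"), as an added shell example that is not the repository's own workflow step. The artifact was produced by a job that ran fork code, so the script treats the file as untrusted input: it accepts exactly one positive integer, prints nothing otherwise, and, when run inside a GitHub Actions `run:` step, writes the result to `$GITHUB_OUTPUT` so later steps can be gated with `if:` as the commit says. The function names `validate_pr_number` and `export_pr_number` and the sample files are constructed here; `pr-number.txt` and `GITHUB_OUTPUT` are the names from the PR and from GitHub Actions.

```shell
#!/bin/sh
# Added example (not the repository's own workflow step): validate the PR
# number that the upstream Performance run stored in pr-number.txt before a
# workflow_run job hands it to the sticky-comment action. The artifact came
# from a job that executed untrusted fork code, so its contents are treated
# as attacker-controlled input.

# validate_pr_number FILE
#   Prints the PR number and returns 0 when FILE holds a single positive
#   integer; returns 1 (printing nothing) for a missing file or any other
#   content, so a later step can be gated on the empty output.
validate_pr_number() {
    file="$1"
    [ -f "$file" ] || return 1
    # Use only the first line and strip a trailing CR; anything else in the
    # file is ignored rather than interpreted.
    value=$(head -n 1 "$file" | tr -d '\r')
    # Positive integer only: no sign, no leading zero, no whitespace and no
    # shell metacharacters that could reach a later `run:` step through an
    # expression. This is the regex check from the commit, as a case pattern.
    case "$value" in
        ''|*[!0-9]*|0*) return 1 ;;
    esac
    printf '%s\n' "$value"
}

# export_pr_number FILE
#   Wrapper for a GitHub Actions `run:` step: writes pr_number=<value> (or an
#   empty pr_number= when the file is invalid) to $GITHUB_OUTPUT so that the
#   following steps can use `if: steps.<id>.outputs.pr_number != ''`.
#   Always returns 0: skipping is the intended outcome for a bad artifact.
export_pr_number() {
    pr=$(validate_pr_number "$1") || pr=''
    if [ -n "${GITHUB_OUTPUT:-}" ]; then
        printf 'pr_number=%s\n' "$pr" >> "$GITHUB_OUTPUT"
    fi
    printf '%s\n' "$pr"
    return 0
}

# Stand-alone demonstration with constructed sample files.
demo_dir=$(mktemp -d)
printf '%s\n' '182' > "$demo_dir/good.txt"
printf '%s\n' '182' 'extra line' > "$demo_dir/multiline.txt"
printf '%s\n' 'abc' > "$demo_dir/text.txt"
printf '%s\n' '007' > "$demo_dir/zeros.txt"
printf '%s\n' '-1' > "$demo_dir/negative.txt"
for f in good multiline text zeros negative missing; do
    if n=$(validate_pr_number "$demo_dir/$f.txt"); then
        echo "$f.txt: post comment on PR #$n"
    else
        echo "$f.txt: invalid, skip posting"
    fi
done
rm -rf "$demo_dir"
```

In the workflow, this would sit in the step that runs after the (non-fatal) artifact download, with the sticky-comment step consuming `steps.<id>.outputs.pr_number` and skipping when it is empty; the same pattern keeps any other value read from the artifact, such as the report body, out of shell expressions until it has been regenerated or validated in the base-branch context.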