I found this yesterday when updating some internal documentation. Basically, the current configuration of the first checkout action has unexpected permissions side-effects.
The branch from a PR is copied into the main repository (sort of). This gives this repository access to that one branch on the fork, while the fork (being a fork of a private repo and thus itself private) remains inaccessible to these jobs. When you use the checkout action without specifying a repository and a ref, it will use the ref from the fork correctly.
PR incoming for a fix I tested the internal docs repository.
I found this yesterday when updating some internal documentation. Basically, the current configuration of the first
checkoutaction has unexpected permissions side-effects.The branch from a PR is copied into the main repository (sort of). This gives this repository access to that one branch on the fork, while the fork (being a fork of a private repo and thus itself private) remains inaccessible to these jobs. When you use the checkout action without specifying a repository and a ref, it will use the ref from the fork correctly.
PR incoming for a fix I tested the internal docs repository.