From 780e86c838a38224a3fdb2fd329a0d7839d3e90f Mon Sep 17 00:00:00 2001
From: "n8n-cat-bot[bot]" <283985454+n8n-cat-bot[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 10:34:34 +0100
Subject: [PATCH] ci: Skip grind workflow on fork PRs (#31717)

Co-authored-by: n8n-cat-bot[bot] <n8n-cat-bot[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
---
 .github/workflows/grind-changed-tests.yml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.github/workflows/grind-changed-tests.yml b/.github/workflows/grind-changed-tests.yml
index cb97abda783..c9471ffb378 100644
--- a/.github/workflows/grind-changed-tests.yml
+++ b/.github/workflows/grind-changed-tests.yml
@@ -12,6 +12,13 @@ concurrency:
 jobs:
   grind:
     name: Grind changed editor-ui tests
+    # Fork PRs get a read-only GITHUB_TOKEN, so posting the sticky comment
+    # 403s regardless of the `permissions` block below. Switching to
+    # `pull_request_target` would grant a write token but is unsafe here
+    # because grind executes the PR's changed test files. Skip forks; if we
+    # want fork coverage later, do it via a separate privileged
+    # `workflow_run` workflow that picks up an artifact from this one.
+    if: ${{ !github.event.pull_request.head.repo.fork }}
     runs-on: ${{ vars.RUNNER_PROVIDER == 'github' && 'ubuntu-latest' || 'blacksmith-4vcpu-ubuntu-2204' }}
     # Non-blocking: a failure here surfaces in the PR Checks tab as a soft
     # signal but never gates merge. Remove `continue-on-error` once we have