From eb159a8a566795ebc4fa327b1c0149db557f1a61 Mon Sep 17 00:00:00 2001 From: Anton Volkov Date: Mon, 11 May 2026 11:51:00 -0700 Subject: [PATCH 1/7] Fix fork PR detection in build-sphinx workflow The workflow incorrectly checked `base.repo.fork` (whether the target repository is a fork) instead of `head.repo.fork` (whether the source repository is a fork). This caused all PRs to IntelPython/dpnp to be treated as upstream PRs, including fork PRs, which led to 403 errors when trying to push to gh-pages. Changes: - Line 15: Changed base.repo.fork -> head.repo.fork in GH_EVENT_OPEN_PR_UPSTREAM - Line 238: Changed base.repo.fork -> head.repo.fork in clean job condition This bug was introduced in commit cb801da991e (PR #2146, Nov 2024). Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/build-sphinx.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-sphinx.yml b/.github/workflows/build-sphinx.yml index 9d67c9c66c9..4deb8b2a2ea 100644 --- a/.github/workflows/build-sphinx.yml +++ b/.github/workflows/build-sphinx.yml @@ -12,7 +12,7 @@ env: GH_BOT_NAME: 'github-actions[bot]' GH_BOT_EMAIL: 'github-actions[bot]@users.noreply.github.com' GH_EVENT_OPEN_PR_UPSTREAM: ${{ github.event_name == 'pull_request' && github.event.action != 'closed' && - github.event.pull_request && !github.event.pull_request.base.repo.fork }} + github.event.pull_request.head.repo && !github.event.pull_request.head.repo.fork }} GH_EVENT_PUSH_UPSTREAM: ${{ github.ref == 'refs/heads/master' && github.event_name == 'push' && github.event.ref == 'refs/heads/master' && github.event.repository && !github.event.repository.fork }} PUBLISH_DIR: doc/_build/html/ @@ -235,7 +235,7 @@ jobs: clean: if: | github.event_name == 'pull_request' && github.event.action == 'closed' && - github.event.pull_request && !github.event.pull_request.base.repo.fork + github.event.pull_request.head.repo && !github.event.pull_request.head.repo.fork needs: build-and-deploy 
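Review bot: `head.repo.fork` in `GH_EVENT_OPEN_PR_UPSTREAM` only says that the source repository is a fork of some repository, not that the pull request comes from outside this one, so the gate is indirect. Comparing names states the intent exactly and stays correct if this repository ever becomes a fork itself: `github.event.pull_request.head.repo.full_name == github.repository`. The same expression appears in the `clean` job's `if:` in the second hunk and would take the same change. Both the `env:` block and the `clean` job continue outside the hunks shown.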
From 9975677aec48dd1e68f17eacbeeb302a6c3df884 Mon Sep 17 00:00:00 2001 From: Anton Volkov Date: Mon, 11 May 2026 11:51:45 -0700 Subject: [PATCH 2/7] Add fork PR detection and artifact upload Fork PRs cannot push to gh-pages due to restricted permissions, which causes 403 errors. This commit adds logic to detect fork PRs and handle them differently: - Added "Check if fork PR" step to detect fork PRs - Added "Upload docs artifact" step to save built docs as artifacts for fork PRs - Modified "Publish pull-request docs" to skip fork PRs Fork PRs will now pass the workflow by uploading artifacts instead of attempting to publish to gh-pages. Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/build-sphinx.yml | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-sphinx.yml b/.github/workflows/build-sphinx.yml index 4deb8b2a2ea..3a6171162e0 100644 --- a/.github/workflows/build-sphinx.yml +++ b/.github/workflows/build-sphinx.yml @@ -191,6 +191,26 @@ jobs: - name: Copy backend docs run: cp -r dpnp/backend/doc/html ${{ env.PUBLISH_DIR }}/backend_doc + # Detect if this is a fork PR + - name: Check if fork PR + id: check_fork + run: | + IS_FORK="false" + if [ "${{ github.event_name }}" == "pull_request" ] && [ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]; then + IS_FORK="true" + fi + echo "is_fork=$IS_FORK" >> "$GITHUB_OUTPUT" + echo "Is fork PR: $IS_FORK" + + # Upload artifact for fork PRs + - name: Upload docs artifact (Fork PRs) + if: steps.check_fork.outputs.is_fork == 'true' && github.event.action != 'closed' + uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + with: + name: pr-${{ github.event.number }}-docs + path: ${{ env.PUBLISH_DIR }} + retention-days: 30 + # The step is only used to build docs while pushing a PR to "master" - name: Deploy docs if: env.GH_EVENT_PUSH_UPSTREAM == 'true' 
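Review bot: The `Check if fork PR` step fails open, because `IS_FORK` starts as "false" and only flips when `head.repo.fork` renders as the literal `true`, so an empty value (for example a missing `head.repo`) sends the run down the publish path. Since fork runs get a read-only token, the outcome is a 403 rather than an unwanted write, but the gate is easier to reason about when anything not coming from this repository counts as a fork. I would also pass the context values through `env:` rather than expanding `${{ }}` inside the script. The two values used here are not free text, but the inline pattern becomes an injection risk as soon as a branch name or title is added next to them. The upload step below the check needs no change for this.

```yaml
- name: Check if fork PR
  id: check_fork
  env:
    EVENT_NAME: ${{ github.event_name }}
    HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
  run: |
    IS_FORK="false"
    # Anything that is not this repository counts as a fork, including a missing head repo
    if [ "$EVENT_NAME" == "pull_request" ] && [ "$HEAD_REPO" != "$GITHUB_REPOSITORY" ]; then
      IS_FORK="true"
    fi
    # … unchanged: write is_fork to GITHUB_OUTPUT and echo it …
```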
@@ -206,7 +226,7 @@ jobs: # The step is only used to build docs while pushing to PR branch - name: Publish pull-request docs - if: env.GH_EVENT_OPEN_PR_UPSTREAM == 'true' + if: env.GH_EVENT_OPEN_PR_UPSTREAM == 'true' && steps.check_fork.outputs.is_fork == 'false' uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} From e85f3ab5638cfbc24efb7ae91437b0159ea8c8cb Mon Sep 17 00:00:00 2001 From: Anton Volkov Date: Mon, 11 May 2026 11:52:09 -0700 Subject: [PATCH 3/7] Add PR comments for documentation preview Added unified comment step that posts different messages based on PR type: - Fork PRs: Get detailed instructions for downloading and viewing docs artifact, including both gh CLI method and manual download steps - Upstream PRs: Get direct URL to published docs on GitHub Pages Both comment types use the same message-id so they update on subsequent pushes to the PR. Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/build-sphinx.yml | 53 ++++++++++++++++++++++++++---- 1 file changed, 47 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-sphinx.yml b/.github/workflows/build-sphinx.yml index 3a6171162e0..6dfbe0fd100 100644 --- a/.github/workflows/build-sphinx.yml +++ b/.github/workflows/build-sphinx.yml 
@@ -239,16 +239,57 @@ jobs: user_name: ${{ env.GH_BOT_NAME }} user_email: ${{ env.GH_BOT_EMAIL }} - # The step is only used to build docs while pushing to PR branch - - name: Comment with URL to published pull-request docs - if: env.GH_EVENT_OPEN_PR_UPSTREAM == 'true' + # Prepare documentation preview comment based on PR type + - name: Prepare docs preview comment + if: github.event_name == 'pull_request' && github.event.action != 'closed' + id: docs_comment env: PR_NUM: ${{ github.event.number }} + IS_FORK: ${{ steps.check_fork.outputs.is_fork }} + run: | + if [ "$IS_FORK" == "true" ]; then + # Fork PR - provide artifact download instructions + cat << 'EOF' >> "$GITHUB_OUTPUT" + message< + Why can't fork PRs publish automatically? + + Fork PRs run with restricted permissions to prevent malicious code from modifying the repository or accessing secrets. This is a GitHub security feature to protect open source projects. + + COMMENT_EOF + EOF + else + # Upstream PR - provide direct URL + cat << 'EOF' >> "$GITHUB_OUTPUT" + message< Date: Mon, 11 May 2026 11:52:30 -0700 Subject: [PATCH 4/7] Remove redundant GH_EVENT_OPEN_PR_UPSTREAM variable The GH_EVENT_OPEN_PR_UPSTREAM environment variable is no longer needed since we now explicitly check fork status with steps.check_fork.outputs.is_fork. Replaced with inline conditions that are more explicit and easier to read: - github.event_name == 'pull_request' - github.event.action != 'closed' - steps.check_fork.outputs.is_fork == 'false' Kept GH_EVENT_PUSH_UPSTREAM as it's still used for push-to-master deployments. Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/build-sphinx.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build-sphinx.yml b/.github/workflows/build-sphinx.yml index 6dfbe0fd100..86ba9c9ad23 100644 --- a/.github/workflows/build-sphinx.yml +++ b/.github/workflows/build-sphinx.yml 
@@ -11,8 +11,6 @@ permissions: read-all env: GH_BOT_NAME: 'github-actions[bot]' GH_BOT_EMAIL: 'github-actions[bot]@users.noreply.github.com' - GH_EVENT_OPEN_PR_UPSTREAM: ${{ github.event_name == 'pull_request' && github.event.action != 'closed' && - github.event.pull_request.head.repo && !github.event.pull_request.head.repo.fork }} GH_EVENT_PUSH_UPSTREAM: ${{ github.ref == 'refs/heads/master' && github.event_name == 'push' && github.event.ref == 'refs/heads/master' && github.event.repository && !github.event.repository.fork }} PUBLISH_DIR: doc/_build/html/ @@ -226,7 +224,7 @@ jobs: # The step is only used to build docs while pushing to PR branch - name: Publish pull-request docs - if: env.GH_EVENT_OPEN_PR_UPSTREAM == 'true' && steps.check_fork.outputs.is_fork == 'false' + if: github.event_name == 'pull_request' && github.event.action != 'closed' && steps.check_fork.outputs.is_fork == 'false' uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} From 56fe652093b14d040185e3662ee51acd6811af23 Mon Sep 17 00:00:00 2001 From: Anton Volkov Date: Mon, 11 May 2026 14:25:29 -0700 Subject: [PATCH 5/7] Skip PR comments for fork PRs due to token restrictions Fork PRs run with read-only GITHUB_TOKEN and cannot post comments, causing "Resource not accessible by integration" errors. Changes: - Added condition to skip comment step for fork PRs - Fork PR artifacts remain accessible via workflow run's Artifacts section - Added documentation link explaining the GitHub security restriction Reference: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/build-sphinx.yml | 55 +++++------------------------- 1 file changed, 8 insertions(+), 47 deletions(-) 
diff --git a/.github/workflows/build-sphinx.yml b/.github/workflows/build-sphinx.yml
index 86ba9c9ad23..b0aef8c9377 100644
--- a/.github/workflows/build-sphinx.yml
+++ b/.github/workflows/build-sphinx.yml
@@ -237,57 +237,18 @@ jobs: user_name: ${{ env.GH_BOT_NAME }} user_email: ${{ env.GH_BOT_EMAIL }} - # Prepare documentation preview comment based on PR type - - name: Prepare docs preview comment - if: github.event_name == 'pull_request' && github.event.action != 'closed' - id: docs_comment + # The step is only used to build docs while pushing to PR branch + # Note: Fork PRs have read-only GITHUB_TOKEN and cannot post comments + # See: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories + - name: Comment with URL to published pull-request docs + if: github.event_name == 'pull_request' && github.event.action != 'closed' && steps.check_fork.outputs.is_fork == 'false' env: PR_NUM: ${{ github.event.number }} - IS_FORK: ${{ steps.check_fork.outputs.is_fork }} - run: | - if [ "$IS_FORK" == "true" ]; then - # Fork PR - provide artifact download instructions - cat << 'EOF' >> "$GITHUB_OUTPUT" - message< - Why can't fork PRs publish automatically? - - Fork PRs run with restricted permissions to prevent malicious code from modifying the repository or accessing secrets. This is a GitHub security feature to protect open source projects. - - COMMENT_EOF - EOF - else - # Upstream PR - provide direct URL - cat << 'EOF' >> "$GITHUB_OUTPUT" - message< Date: Mon, 11 May 2026 15:02:16 -0700 Subject: [PATCH 6/7] Add GH_EVENT_PR_OPEN environment variable for cleaner conditions Replaced repeated condition `github.event_name == 'pull_request' && github.event.action != 'closed'` with a single environment variable `GH_EVENT_PR_OPEN` for better readability and maintainability. Updated 3 steps to use the new variable: - Upload docs artifact (Fork PRs) - Publish pull-request docs - Comment with URL to published pull-request docs Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/build-sphinx.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/build-sphinx.yml b/.github/workflows/build-sphinx.yml index b0aef8c9377..9048ce7af05 100644 --- a/.github/workflows/build-sphinx.yml +++ b/.github/workflows/build-sphinx.yml @@ -13,6 +13,7 @@ env: GH_BOT_EMAIL: 'github-actions[bot]@users.noreply.github.com' GH_EVENT_PUSH_UPSTREAM: ${{ github.ref == 'refs/heads/master' && github.event_name == 'push' && github.event.ref == 'refs/heads/master' && github.event.repository && !github.event.repository.fork }} + GH_EVENT_PR_OPEN: ${{ github.event_name == 'pull_request' && github.event.action != 'closed' }} PUBLISH_DIR: doc/_build/html/ defaults: @@ -202,7 +203,7 @@ jobs: # Upload artifact for fork PRs - name: Upload docs artifact (Fork PRs) - if: steps.check_fork.outputs.is_fork == 'true' && github.event.action != 'closed' + if: env.GH_EVENT_PR_OPEN == 'true' && steps.check_fork.outputs.is_fork == 'true' uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: name: pr-${{ github.event.number }}-docs @@ -224,7 +225,7 @@ jobs: # The step is only used to build docs while pushing to PR branch - name: Publish pull-request docs - if: github.event_name == 'pull_request' && github.event.action != 'closed' && steps.check_fork.outputs.is_fork == 'false' + if: env.GH_EVENT_PR_OPEN == 'true' && steps.check_fork.outputs.is_fork == 'false' uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} 
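Review bot: The upload step in the second hunk stores HTML built from a fork's code, yet its only comment is `# Upload artifact for fork PRs`, so a reader gets no hint that the artifact is untrusted content. I would extend the comment to `# Upload artifact for fork PRs; built from untrusted fork code, never publish it to gh-pages from a privileged workflow without review`. The `== 'true'` and `== 'false'` string comparisons against `steps.check_fork.outputs.is_fork` skip both upload and publish when the output is missing, which is the safe direction and worth keeping.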
@@ -241,7 +242,7 @@ jobs: # Note: Fork PRs have read-only GITHUB_TOKEN and cannot post comments # See: https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflows-in-forked-repositories - name: Comment with URL to published pull-request docs - if: github.event_name == 'pull_request' && github.event.action != 'closed' && steps.check_fork.outputs.is_fork == 'false' + if: env.GH_EVENT_PR_OPEN == 'true' && steps.check_fork.outputs.is_fork == 'false' env: PR_NUM: ${{ github.event.number }} uses: mshick/add-pr-comment@8e4927817251f1ff60c001f04568532b38e0b4a0 # v3.11.0.8.3.11.0 From 05cc1cb6a0d89a808967a267f132614ead9606c5 Mon Sep 17 00:00:00 2001 From: Anton Volkov Date: Mon, 11 May 2026 15:13:26 -0700 Subject: [PATCH 7/7] Add to the changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 752bf2ad4b3..72518bf65f0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 * Fixed incorrect in-place advanced indexing for 4D arrays when using `range` or `list` as index keys [#2872](https://github.com/IntelPython/dpnp/pull/2872) * Fixed `conda build` command syntax in GitHub workflows and documentation to use `conda-build` [#2888](https://github.com/IntelPython/dpnp/pull/2888) +* Fixed fork PR documentation workflow failures by implementing conditional publishing strategy: upstream PRs publish to GitHub Pages with comment, fork PRs upload artifacts [#2910](https://github.com/IntelPython/dpnp/pull/2910) ### Security