[ci] commented-triggered workflows broken: access forbidden for long-lived tokens #7012

@jameslamb

Description

I just tried to trigger the valgrind job:

#7008 (comment)

That was unsuccessful, like this:

{
"message": "The 'Microsoft Open Source' enterprise forbids access via a personal access tokens (classic) if the token's lifetime is greater than 90 days. Please adjust your token's lifetime at the following URL: https://github.com/settings/tokens/2096710460",
"documentation_url": "https://docs.github.com/rest/repos/repos#create-a-repository-dispatch-event",
"status": "403"
}

(build link)

That should be fixed

Reproducible example

Anyone with Write access could try a comment like /gha run r-valgrind and will see this.

Environment info

N/A

Additional Comments

I see 2 bugs here:

  1. the permissions issue
  2. the request to the GitHub API returned a 4xx response code, but the job was marked "successful" (✅ )

For the permissions issue, we should explore removing use of this long-lived personal access token:

SECRETS_WORKFLOW: ${{ secrets.WORKFLOW }}

And instead using the short-lived one in the github context, like:

env:
    GH_TOKEN: ${{ github.token }}

docs: https://docs.github.com/en/actions/reference/workflows-and-actions/contexts#github-context
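
Added example, not part of the original issue or the project's CI scripts: one way to address the second bug, so that a 4xx response from the dispatch endpoint fails the job instead of being reported as successful. It assumes the request is sent with `curl` from a shell step, that `GH_TOKEN` is set as in the snippet above and is allowed to create dispatch events, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: function names and arguments are assumptions, not the
# project's own script.

# Return 0 only for a 2xx status; otherwise print the API error body
# to stderr and return 1 so the calling step is marked as failed.
check_api_status() {
    status="$1"
    body_file="$2"
    case "$status" in
        2[0-9][0-9]) return 0 ;;
        *)
            echo "GitHub API request failed with HTTP ${status}:" >&2
            cat "$body_file" >&2
            return 1
            ;;
    esac
}

# Send a repository_dispatch event and fail on any non-2xx response.
# Usage: send_dispatch <owner/repo> <event_type>   (reads GH_TOKEN from env)
# event_type is interpolated into JSON as-is, so pass a plain identifier.
send_dispatch() {
    repo="$1"
    event_type="$2"
    body_file="$(mktemp)"
    # -o keeps the response body out of stdout; -w prints only the status code.
    # A transport failure (DNS, TLS, timeout) is recorded as status 000.
    status="$(curl -sS -o "$body_file" -w '%{http_code}' \
        -X POST \
        -H "Accept: application/vnd.github+json" \
        -H "Authorization: Bearer ${GH_TOKEN}" \
        "https://api.github.com/repos/${repo}/dispatches" \
        -d "{\"event_type\": \"${event_type}\"}")" || status="000"
    rc=0
    check_api_status "$status" "$body_file" || rc=1
    rm -f "$body_file"
    return "$rc"
}
```

With this shape, a 403 like the one quoted above is printed in the job log and the step exits non-zero.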
