ubuntu-workflow comment on pull request fails

[jsoref]

Describe the bug

flank/.github/workflows/ubuntu_workflow.yml

Lines 1 to 9 in d2859fb

	name: ubuntu-workflow
	on:
	push:
	branches:
	- master
	pull_request:
	branches:
	- '*'

flank/.github/workflows/ubuntu_workflow.yml

Lines 53 to 56 in d2859fb

	publish-scan-url:
	needs: [ build ]
	permissions:
	pull-requests: write # to allow creating or updating a comment

flank/.github/workflows/ubuntu_workflow.yml

Lines 81 to 89 in d2859fb

	- name: Create comment
	if: ${{ steps.fc.outputs.comment-id == 0 }}
	uses: peter-evans/create-or-update-comment@v4
	with:
	issue-number: ${{ github.event.pull_request.number }}
	body: |
	**Timestamp:** ${{ steps.current-time.outputs.formattedTime }}
	**Buildscan url for ubuntu-workflow run [${{ github.run_id }}](https://github.com/Flank/flank/actions/runs/${{ github.run_id }})**
	${{ needs.build.outputs.build-scan-url }}

https://github.com/Flank/flank/actions/runs/11876421725/job/33212846512#step:1:18

GITHUB_TOKEN Permissions
  Metadata: read
  PullRequests: read

https://github.com/Flank/flank/actions/runs/11876421725/job/33212846512#step:6:52

    data: {
      message: 'Resource not accessible by integration',
      documentation_url: 'https://docs.github.com/rest/issues/comments#create-an-issue-comment',
      status: '403'
    }

To Reproduce

1. Create Remove macos_workflow #2542
2. Have someone (@kaibolay) approve the workflow action https://github.com/Flank/flank/actions/runs/11876421725?pr=2542
3. See that the workflow failed https://github.com/Flank/flank/actions/runs/11876421725/job/33212846512?pr=2542

Expected behavior

Creating PRs from forks should not result in ❌ due to things like this.

Often it's possible to use GITHUB_STEP_SUMMARY instead of comments, this is safe and easy to do.

If comments are needed, it's possible to use some other techniques (historically, I'd use on: pull_request_target, but that requires being very careful with use of actions/checkout and two distinct job phases one that checks out the code under test and one that checks out the trusted code for reporting and has more permissions).

Details (please complete the following information):

Additional context

[jsoref]

When someone looks at this workflow, they should also address https://github.com/Flank/flank/actions/runs/11876576418#summary-33215677929

Deprecation warnings

This job uses deprecated functionality from the gradle/gradle-build-action action. Follow the links for upgrade details.

• The action `gradle/gradle-build-action` has been replaced by `gradle/actions/setup-gradle`
• Using the action to execute Gradle via the `arguments` parameter is deprecated

[Lyokone]

Thanks, looking into this :)