Closed
Description
Per conversation in python-pillow/Pillow#7616, there's an edge case we can provide a more descriptive error on: if the publishing workflow uses pull_request events and the event comes from a branch on a fork (rather than the upstream repo itself), then GitHub won't grant the id-token: write permission even if it's listed explicitly.
There's no workaround for this (and there can't be, without breaking GitHub's fork security model), but we can at least improve the error message in this case by detecting the following conditions:
- The workflow's event is `pull_request`
- The pull request is coming from a fork (see https://github.com/orgs/community/discussions/25217 for methods)
When both of these are true, we could render a modified error message, like:
The pull request that triggered this workflow originated from a fork, which means that it doesn't have access to the `id-token: write` permission used by Trusted Publishing.
GitHub does not have a workaround for this. Consider using a different event instead (such as release or tag creation), or restricting this workflow's runs to first-party pull requests.
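As an added illustration of the two-condition check described above (example code, not the action's own implementation), the function below reads the event name and the event payload that the runner exposes to every step (`GITHUB_EVENT_NAME` and the JSON file at `GITHUB_EVENT_PATH`) and decides whether to render the fork-specific message instead of the generic one. It assumes the fork test from the linked community discussion, comparing `pull_request.head.repo.full_name` against `pull_request.base.repo.full_name`; the function names and the sample payloads are constructed for this example.

```python
"""Added example (not the action's own code): detect the fork-PR case.

Assumptions, labelled: the check reads GITHUB_EVENT_NAME and the JSON
payload at GITHUB_EVENT_PATH, the two inputs GitHub provides to every
job step. Function names are illustrative, not the project's.
"""
import json
import os

FORK_PR_MESSAGE = (
    "The pull request that triggered this workflow originated from a fork, "
    "which means that it doesn't have access to the `id-token: write` "
    "permission used by Trusted Publishing.\n\n"
    "GitHub does not have a workaround for this. Consider using a different "
    "event instead (such as release or tag creation), or restricting this "
    "workflow's runs to first-party pull requests."
)


def is_fork_pull_request(event_name, event_payload):
    """Return True when both conditions from the issue hold.

    Condition 1: the workflow event is `pull_request`.
    Condition 2: the PR head lives in a repository other than the base
    repository. Comparing `head.repo.full_name` with `base.repo.full_name`
    is one of the methods from the linked community discussion. A missing
    `head.repo` (the fork was deleted after the PR was opened) is also
    treated as a fork, since it is certainly not the base repository.
    """
    if event_name != "pull_request":
        return False
    pr = event_payload.get("pull_request") or {}
    head_repo = (pr.get("head") or {}).get("repo")
    base_repo = (pr.get("base") or {}).get("repo") or {}
    if head_repo is None:
        return True
    return head_repo.get("full_name") != base_repo.get("full_name")


def explain_missing_id_token(event_name, event_payload, generic_message):
    """Choose the error text to show when id-token: write was not granted."""
    if is_fork_pull_request(event_name, event_payload):
        return FORK_PR_MESSAGE
    return generic_message


def load_github_event():
    """Read the event name and payload the runner exposes to the step."""
    event_name = os.environ.get("GITHUB_EVENT_NAME", "")
    path = os.environ.get("GITHUB_EVENT_PATH")
    if not path or not os.path.exists(path):
        return event_name, {}
    with open(path, encoding="utf-8") as fh:
        return event_name, json.load(fh)


# Constructed sample payloads: the shape of a real pull_request event,
# trimmed to the fields the check reads.
SAMPLE_FORK_PR = {
    "pull_request": {
        "head": {"repo": {"full_name": "contributor/Pillow"}},
        "base": {"repo": {"full_name": "python-pillow/Pillow"}},
    }
}
SAMPLE_FIRST_PARTY_PR = {
    "pull_request": {
        "head": {"repo": {"full_name": "python-pillow/Pillow"}},
        "base": {"repo": {"full_name": "python-pillow/Pillow"}},
    }
}

if __name__ == "__main__":
    # Inside a job this reads the real event; offline it falls back to {}.
    name, payload = load_github_event()
    print(explain_missing_id_token(name, payload, "id-token: write was not granted."))
```

The check deliberately does not consult `head.repo.fork`: that flag says whether the head repository is itself a fork of anything, not whether it differs from the repository running the workflow, so a branch pushed to the upstream repository from a fork-of-a-fork scenario would be misclassified. Comparing the two `full_name` values answers exactly the question GitHub's permission model asks.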