Merge pull request #44 from exoego/simplify

Document how to use this action on PRs from forks

.github/workflows/ci.yml

@@ -8,7 +8,6 @@ on:
     branches: [main]
   pull_request_target:
     branches: [main]
-    types: [opened, edited, synchronize, reopened]
 
 permissions:
   contents: read # for checkout repository
@@ -20,8 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 5
     if: |
-      (github.event.pull_request.head.repo.fork == true && github.event_name == 'pull_request_target') ||
-      (github.event.pull_request.head.repo.fork != true && github.event_name != 'pull_request_target')
+      ( github.event.pull_request.head.repo.fork && github.event_name == 'pull_request_target') ||
+      (!github.event.pull_request.head.repo.fork && github.event_name != 'pull_request_target')
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4

README.md

@@ -11,15 +11,32 @@ Analyzes each PR's impact on esbuild bundle size
 ### GitHub Action setup
 
 ```yaml
+name: esbuild-bundle-analyzer
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  ## Uncomment the following `pull_request_target` if your repository may receive PRs from forks.
+  ## Because `Pull_request_target` event should be used on PRs from forks due to GITHUB_TOKEN permission limitations.
+  #pull_request_target:
+  #  branches: [main]
+
 permissions:
   contents: read # for checkout repository
   actions: read # for fetching base branch bundle stats
   pull-requests: write # for comments
 
 jobs:
-  build:
+  analyze:
     runs-on: ubuntu-latest
     timeout-minutes: 5
+    ## Uncomment the following `if` if your repository may receive PRs from forks.
+    ## Because `Pull_request_target` event should be used on PRs from forks due to GITHUB_TOKEN permission limitations.
+    #if: |
+    #  ( github.event.pull_request.head.repo.fork && github.event_name == 'pull_request_target') ||
+    #  (!github.event.pull_request.head.repo.fork && github.event_name != 'pull_request_target')
     steps:
     # Ensure you build your project before running this action
     # For example,
@@ -41,6 +58,13 @@ jobs:
         metafiles: "out/meta.json"
 ```
 
+### 
+
+If your repository is public, you need to use `pull_request_target` event to run this action on PRs from forks.
+
+
+
+
 ### esbuild setup
 
 You need to [write ***meta file*** yourself after build](https://esbuild.github.io/api/#metafile).
@@ -88,6 +112,11 @@ permissions:
   pull-requests: write # for comments
 ```
 
+This action uses the `GITHUB_TOKEN` provided by GitHub Actions.
+Due to security limitation, `GITHUB_TOKEN` is not granted to write comments on PRs from forks on `pull_request` event.
+Instead, [`pull_request_target` event should be used on PRs from forks to overcome this limitation](https://docs.github.com/en/actions/security-guides/automatic-token-authentication).
+Please check the above setup example to use this action with `pull_request_target`.
+
 ## Action inputs
 
 | Name                      | Default                               | Description                                                                                                      |