diff --git a/.github/workflows/supply-chain-pr.yml b/.github/workflows/supply-chain-pr.yml
index f4a8a3fa..1d3f60ac 100644
--- a/.github/workflows/supply-chain-pr.yml
+++ b/.github/workflows/supply-chain-pr.yml
@@ -381,9 +381,12 @@ jobs: - name: Comment on PR if: steps.set-target.outputs.image_name != '' && steps.pr-number.outputs.is_push != 'true' && steps.pr-number.outputs.pr_number != '' + continue-on-error: true env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | + set -euo pipefail + PR_NUMBER="${{ steps.pr-number.outputs.pr_number }}" COMPONENT_COUNT="${{ steps.sbom-count.outputs.component_count }}" CRITICAL_COUNT="${{ steps.vuln-summary.outputs.critical_count }}"
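Review bot: The added `continue-on-error: true` hides every failure of this step from the job status, not only the permission errors the change targets, which the script already handles itself with explicit `exit 0` paths in the second hunk; an unbound variable under the new `set -u`, a missing `jq`, or a malformed `PR_NUMBER` would now vanish silently and the PR comment would simply never appear. Since the script exits 0 on the cases the commit cares about, consider dropping `continue-on-error: true` so that unexpected failures still mark the step. Separately, the values the new `set -euo pipefail` script starts with are still spliced into shell text via `${{ steps.pr-number.outputs.pr_number }}` and its siblings; passing them through `env:` the way `GH_TOKEN` already is keeps any event-derived text out of shell syntax, which matters if `pr_number` can originate from an untrusted payload (not visible here). The `Comment on PR` step continues past this hunk.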
@@ -429,29 +432,38 @@ jobs: EOF ) - # Find and update existing comment or create new one - COMMENT_ID=$(gh api \ + # Fetch existing comments — skip gracefully on 403 / permission errors + COMMENTS_JSON="" + if ! COMMENTS_JSON=$(gh api \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ - "/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \ - --jq '.[] | select(.body | contains("Supply Chain Verification Results")) | .id' | head -1) + "/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" 2>/dev/null); then + echo "⚠️ Cannot access PR comments (likely token permissions / fork / event context). Skipping PR comment." + exit 0 + fi - if [[ -n "${COMMENT_ID}" ]]; then + COMMENT_ID=$(echo "${COMMENTS_JSON}" | jq -r '.[] | select(.body | contains("Supply Chain Verification Results")) | .id' | head -1) + + if [[ -n "${COMMENT_ID:-}" && "${COMMENT_ID}" != "null" ]]; then echo "📝 Updating existing comment..." - gh api \ - --method PATCH \ + if ! gh api --method PATCH \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ "/repos/${{ github.repository }}/issues/comments/${COMMENT_ID}" \ - -f body="${COMMENT_BODY}" + -f body="${COMMENT_BODY}"; then + echo "⚠️ Failed to update comment (permissions?). Skipping." + exit 0 + fi else echo "📝 Creating new comment..." - gh api \ - --method POST \ + if ! gh api --method POST \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ "/repos/${{ github.repository }}/issues/${PR_NUMBER}/comments" \ - -f body="${COMMENT_BODY}" + -f body="${COMMENT_BODY}"; then + echo "⚠️ Failed to create comment (permissions?). Skipping." + exit 0 + fi fi echo "✅ PR comment posted"
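Review bot: The new `COMMENT_ID=` line selects any comment whose body contains "Supply Chain Verification Results" regardless of who wrote it, so anyone who can comment on the PR can cause the workflow's write token to `PATCH` their comment instead of the bot's own; restricting the match to the bot closes that, e.g. `COMMENT_ID=$(echo "${COMMENTS_JSON}" | jq -r 'first(.[] | select(.user.login == "github-actions[bot]" and (.body | contains("Supply Chain Verification Results"))) | .id) // empty')`. Using `first(...)` in place of `| head -1` also removes the hazard that `head` closing the pipe early fails the pipeline under the `pipefail` introduced in the first hunk. The `2>/dev/null` on the first `gh api` call discards the only evidence of why the request failed while the echoed message asserts a permissions cause; dropping the redirect keeps the real error in the job log without changing the skip behaviour. `gh api` without `--paginate` returns only the first page of comments, so on a long thread the bot's earlier comment may be missed and a duplicate created — worth confirming against the expected comment volume.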