Need to use GITHUB_TOKEN for new public actions beta #11
Comments
+1 having trouble here too |
Hi, I maintain |
Hi @gudmdharalds , The issue is that Github Actions only allows access to the |
I understand. So skipping this request would solve it? Are there any other issues you think? |
I'm unsure whether other accesses of the API will be similarly restricted. I believe the |
All GitHub secret keys (including custom ones) are withheld from forked repos by design for security. But yeah it’s a bummer in these cases. |
Hi @diddledan @sc0ttkclark thanks for reporting this issue and discussing it. There have been multiple GitHub support tickets as well as lots of proposals to get a secure way to share trusted secrets or some similar solutions to get linting, code coverage and other basic GitHub actions to work with forked repos. Unfortunately for us there is no concrete solution yet. Please refer:
Testing available options
Taking reference of GitHub actions PR event for forked repos and the fact that I then made a fork of
Outcome from testing
Exploring possibilities
@gudmdharalds what are your thoughts on option 1? Is it a viable option? If you see any possibility in that, let me know. I would love to contribute to |
Hi, Sorry for the delay, I have been busy with other things. I will look into this a bit more and reply in a few days. Thanks and sorry for the inconvenience. |
Any update on this? Can't use GH_BOT_TOKEN for forked pull request @gudmdharalds @mrrobot47 |
Hi all, My apologies for the very late follow up here. I've been looking into this today, and I think we should be able to make adjustments. First, regarding:
This should be possible, maybe this would be triggered via Second, regarding:
This should be possible, maybe using the same option as above. Would this have to be universal, or just with particular Pull-Requests? If it is particular Pull-Requests, how can we detect this? |
I am not sure I understand this fully but I am running into the following:
Am I understanding it correctly that this entire setup can only be used for commits that are not from forks? I am a bit surprised about this. Can't be that a workflow basically stops the most powerful and core feature of GitHub from working, which is actual forking > committing back to upstream. Is there some solution to this? Am I misunderstanding the issue? Thank you! |
For security reasons, secrets like The only option for forked repos is option 1 under |
@gudmdharalds thanks a lot for your reply and apologies from my end as well for the late reply. For the past year, I have not been very active on open source due to personal reasons.
Perfect, this will work. If possible, I will work on this and create a PR when time permits.
Agree.
This will be just in case of Pull-Requests which come from forked repositories. We can detect if a PR is from fork or not via |
Thanks @mrrobot47 for your reply. I just cannot believe that GitHub Actions in general cannot be used - it is the core of GitHub to allow PR from forked repos. No, more correct: It is required to fork to make a PR unless you have direct access to a project! So we are all doing something wrong here. It cannot be that entire scans (like this one) are plain simple unusable. I am thinking - should we allow PR from Forks into a specific branch (say Would this work? I truly cannot believe that possibly thousands of actions simply fail because of a comment not being "postable"? Thank you for your input. |
Maybe if the action itself throws a failure with all the lines/messages at the end, if no token available. That way the action still runs on external PRs and we can depend on the pass/fail metric of that as a PR merge requirement still. |
@sc0ttkclark agree with you, that is exactly what is proposed under option 1 of It is yet to be implemented. Please refer this comment |
Related to #10, the new yml-based actions only expose `GITHUB_TOKEN` to forked repositories (https://help.github.com/en/articles/virtual-environments-for-github-actions), and therefore pull-requests. The old non-yml actions will be disabled after September 30, 2019, making this a required change.

The problem: https://github.com/automattic/vip-go-ci does not work with `GITHUB_TOKEN`, even when we assign it to the `GH_BOT_TOKEN` environment variable, because it tries to access the `/user` API endpoint with the token and fails because it does not have permission for that request.
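The thread converges on two points: detecting whether a pull request comes from a fork (where custom secrets such as `GH_BOT_TOKEN` are withheld), and, when no usable token is present, writing the findings to the job log and failing the job instead of posting review comments ("option 1"). The script below is an added example written for this page; it is not code from vip-go-ci or from any commenter. It assumes the standard `pull_request` event payload that GitHub Actions writes to `$GITHUB_EVENT_PATH`; the payloads, the findings and the `src/foo.php` paths are constructed for illustration.

```python
"""Added example, not code from vip-go-ci or this thread.

Decides how a review bot should deliver its findings in GitHub Actions:
post review comments when a token able to do so is present, otherwise
print the findings into the job log and fail the job. Assumes the standard
pull_request event payload written to $GITHUB_EVENT_PATH; the payloads and
findings below are constructed for illustration.
"""
import json
import os
from typing import Dict, List, Optional, Tuple

# Constructed pull_request payload fragments (only the fields used here).
SAMPLE_EVENT_FROM_FORK = json.dumps({
    "pull_request": {
        "number": 42,
        "head": {"repo": {"full_name": "contributor/vip-go-ci", "fork": True}},
        "base": {"repo": {"full_name": "automattic/vip-go-ci"}},
    }
})
SAMPLE_EVENT_SAME_REPO = json.dumps({
    "pull_request": {
        "number": 43,
        "head": {"repo": {"full_name": "automattic/vip-go-ci", "fork": False}},
        "base": {"repo": {"full_name": "automattic/vip-go-ci"}},
    }
})
# Constructed scanner findings: (file, line, message).
SAMPLE_FINDINGS = [
    ("src/foo.php", 12, "Unused variable $bar"),
    ("src/foo.php", 40, "Missing nonce check"),
]


def parse_event(text: str) -> dict:
    """Parse a JSON event payload."""
    return json.loads(text)


def load_event(path: Optional[str] = None) -> dict:
    """Read the event payload from $GITHUB_EVENT_PATH (or an explicit path).

    Falls back to the constructed fork sample when run outside Actions.
    """
    path = path or os.environ.get("GITHUB_EVENT_PATH")
    if not path:
        return parse_event(SAMPLE_EVENT_FROM_FORK)
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def pr_is_from_fork(event: dict) -> bool:
    """True when the PR head repository differs from the base repository.

    Comparing full names is more robust than the `fork` flag alone: if the
    head repository was deleted the `repo` object is null, and an unknown
    head should be treated as untrusted.
    """
    pr = event.get("pull_request") or {}
    head_repo = (pr.get("head") or {}).get("repo")
    base_repo = (pr.get("base") or {}).get("repo") or {}
    if not head_repo:
        return True
    return head_repo.get("full_name") != base_repo.get("full_name")


def choose_report_mode(event: dict, env: Dict[str, str]) -> str:
    """'comment' if a bot token that can write review comments is present.

    Custom secrets such as GH_BOT_TOKEN are withheld from fork PRs, so for a
    fork the token is normally empty and we fall back to 'log-and-fail'. The
    fork check is applied as a second gate so that a token is never used for
    write operations on behalf of untrusted fork code.
    """
    token = env.get("GH_BOT_TOKEN", "").strip()
    if token and not pr_is_from_fork(event):
        return "comment"
    return "log-and-fail"


def render_log_report(findings: List[Tuple[str, int, str]]) -> Tuple[int, str]:
    """Format findings for the job log; exit status 1 if any finding exists."""
    if not findings:
        return 0, "No issues found."
    lines = [f"{path}:{line}: {msg}" for path, line, msg in findings]
    lines.append(f"{len(findings)} issue(s) found; failing the job.")
    return 1, "\n".join(lines)


if __name__ == "__main__":
    event = load_event()
    mode = choose_report_mode(event, dict(os.environ))
    if mode == "comment":
        print("token available: would post review comments via the API")
    else:
        status, text = render_log_report(SAMPLE_FINDINGS)
        print(text)
        raise SystemExit(status)
```

Because the job exit status carries the pass/fail result, the check can still be made a required status for merging a fork PR even though no comment is posted; the per-line messages remain visible in the job log.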