pyprimemesh icon indicating copy to clipboard operation
pyprimemesh copied to clipboard

Published 20 hours ago verified publisher icon ansys

Document forking contributions

Open waltersma opened this issue 3 years ago • 8 comments

waltersma avatar Oct 21 '22 16:10 waltersma

This is an issue at present. Forking contributions do not work unless you are an Ansys employee. Even then some actions fail I think. @MaxJPRey @RobPasMue @AlejandroFernandezLuces This is for the larger PyAnsys team I guess to answer.

I have seen that external Github workflows require maintainer approval to start run. Why then can the pipelines not check out a license if a maintainer has approved it?

ninad-kamat avatar Jul 18 '23 17:07 ninad-kamat

This is because only users with write access to the repo will have access to the secrets (AFAIK). Meaning that the workflow would have to be triggered by a member with write access.

I'd like to see an actual example though... do you have a link to one @ninad-kamat ?

RobPasMue avatar Jul 19 '23 08:07 RobPasMue

Yes, this is a gatekeeper, to make sure external contributors cannot access to secrets. We have the same scenario with PyAEDT. One of the contributors must approve the run and then the workflows will be executed as for any Ansys employee with write access.

MaxJPRey avatar Jul 19 '23 13:07 MaxJPRey

This is because only users with write access to the repo will have access to the secrets (AFAIK). Meaning that the workflow would have to be triggered by a member with write access.

I'd like to see an actual example though... do you have a link to one @ninad-kamat ?

@RobPasMue This was an old PR from an external contributor, which was just a simple doc change which could not go in as workflows failed. When the PR was put up, it requested approval for running the workflow and even after approval the doc pipeline failed to check out a license for the server.

#392

ninad-kamat avatar Jul 19 '23 15:07 ninad-kamat

Well, I can't see the logs anymore... Meaning that I cannot tell what's happenning. I had a look at your settings and all seems to be fine... I'd suggest that if it happens again, you ping us. Maybe it was a one-time thing but other repos are having external contributors and they work just fine.

RobPasMue avatar Jul 20 '23 06:07 RobPasMue

@RobPasMue Here is a more recent case. https://github.com/ansys/pyprimemesh/actions/runs/5545221827 https://github.com/ansys/pyprimemesh/actions/runs/5545221823

This one was a fork by an Ansys employee. The labeler and license checkout still failed for some reason. The work around I did was to merge the fork into my branch instead of main and then merge my branch in.

ninad-kamat avatar Jul 20 '23 14:07 ninad-kamat

Yep, I've been reading and it seems like secrets are not given access to PRs coming from forked repos whenever pull_request is used in the workflows. You can come around that limitation using pull_request_target - though it might be unsafe to do so.

For more information see: https://github.com/aws-actions/configure-aws-credentials/issues/416#issuecomment-1275264743 https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

These guys came with an original solution: https://github.com/orgs/community/discussions/26163

It consists on merging the outside collaborators PR to a repo's branch, and then opening a PR from it. They even show how to do it using bots and GitHub actions. Worth giving it a try.

RobPasMue avatar Jul 21 '23 06:07 RobPasMue