jest-coverage-report-action

Add possibility to create annotations on PRs from forks without `checks: write` permission

Open HarelM opened this issue 1 year ago • 8 comments

Describe a bug

When using this action on a fork, according to the docs by using the markdown output, this action still fails.

Expected behavior

It should not fail, and hopefully report the coverage

Details

  • Action version: 2
  • OS, where your action is running (windows, linux): linux
  • https://github.com/maplibre/maplibre-gl-js/blob/57ab2c332837a78c038e58c3dfcf075f7dfc6697/.github/workflows/test-unit.yml#L34
  • Error:
  • https://github.com/maplibre/maplibre-gl-js/runs/8210019949?check_suite_focus=true

Additional context

This is a continuation of this issue, which was resolved: #256

I'm guessing that there's a missing "if markdown don't publish results" or something similar...

HarelM, Sep 06 '22 16:09

This is not the report part but the annotations which have a similar problem when it comes to permissions when running on a fork :-( Is it possible to try-catch it or skip this stage in case of a PR from a fork? While this is a very good way to visualize coverage it's better to have the coverage report as PR comment only than have nothing :-)

HarelM, Sep 06 '22 17:09

Hello @HarelM :wave:,

Yeah, that's the issue with checks - looks like your GitHub token doesn't have enough permissions to publish checks.

Found this fix: https://github.com/alibaba/lowcode-engine/blob/7a0bab11aca6fa5856af894736222c6d14897467/.github/workflows/cov%20packages.yml#L13 So, for your case, fix could look like this:

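```yaml
# head.repo.full_name is "owner/name", so compare it with the base repository's full_name
annotations: ${{ github.event.pull_request.head.repo.full_name == github.event.repository.full_name && 'coverage' || 'none' }}
```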

Looks weird because GitHub Actions doesn't support ternary operators.

I think that should work. Of course, another solution could be to create personal access token with "checks: write" permission and pass it as a github-token parameter, but that's not safe. Don't know how these privileges could be used in a malicious way, but I think GitHub has a good reason for limiting token privileges.

ArtiomTr, Sep 06 '22 18:09
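
The fork check from the comment above, placed in a complete workflow so the token scope and the guard can be read together. This is an added example, not code from the thread or from the action's documentation. The file name, the `permissions` block, the `actions/checkout@v3` step and the use of `github.repository` as the base repository's "owner/name" are assumptions.

```yaml
# Added example. Hypothetical file: .github/workflows/coverage.yml
name: coverage

on:
  pull_request:   # for PRs opened from forks, GITHUB_TOKEN is read-only under this event

# Least-privilege scopes requested for GITHUB_TOKEN (assumed set for this example).
# They take effect for PRs from branches of this repository; a PR from a fork
# still receives a read-only token, whatever is requested here.
permissions:
  contents: read
  checks: write
  pull-requests: write

jobs:
  coverage:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - uses: ArtiomTr/jest-coverage-report-action@v2
        with:
          # head.repo.full_name and github.repository are both "owner/name".
          # Same-repository PR -> 'coverage' (annotations are published).
          # PR from a fork     -> 'none' (the step does not try to create
          #                       annotations with a token that cannot write checks).
          # The `cond && a || b` form stands in for a ternary, as noted in the thread.
          annotations: ${{ github.event.pull_request.head.repo.full_name == github.repository && 'coverage' || 'none' }}
```

With this guard no personal access token has to be stored as a secret to get annotations on same-repository PRs, and fork PRs run without any write-scoped credential.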

Thanks!!! super useful. I'll try it out. If you find a way to publish annotations the same way that it is working for the commit message it would be great. If not, feel free to close this issue. Thanks a lot for all the hard work and the great support you give!

HarelM, Sep 06 '22 18:09

Yeah, that's a good idea. I've found an action for publishing annotations from json file: annotations-action.

I will check if it works without "write" permissions. Can't promise that support for annotations output will be implemented soon, but I will post updates on this issue.

ArtiomTr, Sep 06 '22 19:09

Seems like the above code created an issue, not entirely sure why... Can be seen here (probably not for long): https://github.com/maplibre/maplibre-gl-js/runs/8220657182?check_suite_focus=true

I'm currently reverting to annotations none, I hope it will allow me to see the coverage report at least... Let me know if there's anything else I can check...

HarelM, Sep 07 '22 14:09

@HarelM 😢

I just found that there are two different events - `pull_request` and `pull_request_target`. `pull_request` runs on the head branch, and is considered "unsafe" - runs with read-only permissions. `pull_request_target` runs on the base branch, with write permissions. I will try to update the logic, to support the `pull_request_target` event.

ArtiomTr, Sep 07 '22 16:09

Bummer... Let me know if you figured out a solution. I'll be happy to test it! :-)

HarelM, Sep 08 '22 10:09

Any update? I have the same issue: https://github.com/TokenScript/token-negotiator/actions/runs/3086784740/jobs/5008480454


abcfy2, Sep 21 '22 02:09