trigger-circleci-pipeline-action icon indicating copy to clipboard operation
trigger-circleci-pipeline-action copied to clipboard

Published 20 hours ago verified publisher icon CircleCI-Public

Request: `pull_request_target` support

Open carmocca opened this issue 2 years ago • 1 comments

Is there an existing issue that is already proposing this?

  • [X] I have searched the existing issues

Is your feature request related to a problem? Please describe it

This GitHub action requires access to a CCI_TOKEN. Because of GitHub's security, forks do not have access to secrets. So the CircleCI job will not trigger when the pull_request event is used:

Failed to trigger CircleCI Pipeline
  Error: Error: Request failed with status code 403
  Error: Request failed with status code 403

To resolve this, I thought of using the pull_request_target event, where CI runs with the base of the branch so secrets can be securely shared. Then checking out the HEAD of the PR to trick CircleCI into using this ref:

on:
- pull_request: 
+ pull_request_target:

jobs:
  # https://github.com/marketplace/actions/trigger-circleci-pipeline
  trigger-circleci:
    runs-on: ubuntu-latest
    steps:
+     - uses: actions/checkout@v3
+       with:
+         ref: ${{ github.event.pull_request.head.sha }}
      - uses: CircleCI-Public/[email protected]
        env:
          CCI_TOKEN: ${{ secrets.CCI_TOKEN }}

However, the triggering branch still points to master:

image

Describe the solution you'd like

Any suggestion on how to resolve this? I guess this logic would need to be adapted: https://github.com/CircleCI-Public/trigger-circleci-pipeline-action/blob/d8e1aed1a2524b8982a8557aaad544155c560d90/index.js#L17-L28

Teachability, documentation, adoption, migration strategy

An addition to the README would be sufficient.

What is the motivation / use case for changing the behavior?

It should work for forks.

carmocca avatar Sep 12 '22 15:09 carmocca

We have a very similar issue with Orb development, where we want people to send in PRs but we of course can not give access to secrets which publish orbs.

What we have done which seems to be the safest option, we review the PR manually and once satisfied, we checkout the branch and push it to a "local" branch on the origin.

It usually looks something like this:

gh pr checkout xx
git checkout -b test/pr-xx
git push --set-upstream origin test/pr-xx

KyleTryon avatar Mar 31 '23 14:03 KyleTryon