go-git-providers
How to allow testing from forks?
#32 illustrates that GitHub Actions doesn't "leak" secrets in this repo (for the testing bot) to PRs from forks. Let's figure out how to allow PRs to be tested with the bot secret enabled.
Yeah we've struggled with this, it's a pretty nasty shortcoming IMO. Ultimately I suppose there needs to be a step built into GitHub like "trust this PR". Nothing related appears on the roadmap unfortunately.
This could help https://twitter.com/hamelhusain/status/1294307330096394241?s=21
Nice, this actually solves the problems I was having straight away. I only wanted to merge PRs, so I didn't need the fork code at all.
It looks like with pull_request_target the base branch workflow is run with base branch code. However, I think by writing a workflow that first, for example, checks for a comment or a label on the PR, i.e. the trust step, and then checks out the fork code, it can be used to run tests with secrets too.
From my reading of the docs pull_request_target seems to make it run the tests against head of the base repo rather than the PR? This prevents malicious code being run but does not test the PR changes, which seems to defeat the point of the workflow.
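A sketch of the label-gated approach proposed in the thread, added here as an illustration and not taken from this repository or from any participant: the workflow runs from the base branch on pull_request_target, waits for a maintainer-applied label as the trust step, then checks out the fork commit explicitly. The workflow name, the label `ok-to-test`, the secret `BOT_TOKEN`, the environment variable name and the test command are assumptions.

```yaml
# Added example: label-gated fork testing. Names marked "assumed" are not from the thread.
name: e2e-fork                         # assumed workflow name

on:
  pull_request_target:
    types: [labeled]                   # run only when a label is applied, never on a bare push

permissions:
  contents: read                       # GITHUB_TOKEN is read-only for this workflow

jobs:
  e2e:
    # Trust step: proceed only for the maintainer-applied label (assumed name).
    if: github.event.label.name == 'ok-to-test'
    runs-on: ubuntu-latest
    steps:
      - name: Check out the fork commit that was labeled
        uses: actions/checkout@v4
        with:
          # Pin to the head SHA in the event payload, not the branch name, so
          # later pushes to the fork are not picked up by this run.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false   # keep GITHUB_TOKEN out of .git/config

      - uses: actions/setup-go@v5
        with:
          go-version: stable

      - name: Run tests with the bot secret
        run: go test ./...             # assumed test command
        env:
          # Assumed secret and variable names; the secret is exposed to this step only.
          GIT_PROVIDER_BOT_TOKEN: ${{ secrets.BOT_TOKEN }}
```

Because only the `labeled` event triggers a run, commits pushed to the fork afterwards are not tested with secrets until a maintainer reviews them and removes and re-applies the label. The fork code still executes with the secret in its environment, so the label should be applied only after reading the exact commit being tested.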