danger-js
                        Github Action fails when PR comes from forked repo
Problem
Danger crashes when I accept a PR from the fork: https://github.com/sobolevn/itmo-2019/pull/18/checks?check_run_id=222332195
But, works well when I create PRs inside the repo: https://github.com/sobolevn/itmo-2019/pulls?q=is%3Apr+is%3Aclosed (just an example).
My configuration:
name: comments
on: [pull_request]
jobs:
  danger:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Danger JS Action
      uses: danger/[email protected]
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Link: https://github.com/sobolevn/itmo-2019/blob/master/.github/workflows/review.yml
Output
Danger JS Action (5s)
##[error]Docker run failed with exit code 1
Run danger/[email protected]
  env:
    GITHUB_TOKEN: ***
/usr/bin/docker run --name df7dcddf0fc01b57b4276b942607159610154_53cda2 --label 0df7dc --workdir /github/workspace --rm -e GITHUB_TOKEN -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/itmo-2019/itmo-2019":"/github/workspace" 0df7dc:ddf0fc01b57b4276b942607159610154
Failing the build, there is 1 fail.
Request failed [403]: https://api.github.com/repos/sobolevn/itmo-2019/issues/18/comments
Response: {
  "message": "Resource not accessible by integration",
  "documentation_url": "https://developer.github.com/v3/issues/comments/#create-a-comment"
}
Feedback: undefined
##[error]Docker run failed with exit code 1
Image (in case it is easier to read than the output):
Possible reason
I guess that this is possibly related to how GITHUB_TOKEN works for forked repos: https://help.github.com/en/articles/virtual-environments-for-github-actions#github_token-secret
 
And I have no idea how to fix it. The official docs do not say much about this problem: https://danger.systems/js/guides/getting_started.html#setting-up-danger-to-run-on-your-ci Moreover, I cannot find any other real-world usage of danger-js as an action, so I cannot verify that it also happens to other users.
Any ideas where to look?
Update: something happened and the next push was successful:
/usr/bin/docker run --name df7dc6a609fa1e95f49a1a8cfbf0ea53375c7_04d9b2 --label 0df7dc --workdir /github/workspace --rm -e GITHUB_TOKEN -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/itmo-2019/itmo-2019":"/github/workspace" 0df7dc:6a609fa1e95f49a1a8cfbf0ea53375c7
Found no issues or messages from Danger. Removing any existing messages on GitHub.
Link: https://github.com/sobolevn/itmo-2019/pull/19/checks?check_run_id=222337878
This happened again: https://github.com/sobolevn/itmo-2019/pull/24/checks?check_run_id=222778615
I've heard reports of issues when the other person doesn't have access to GitHub Actions yet, could be that?
Yes, that's correct. These users don't have access yet.
A solution here might be to report the status using the GitHub Actions tooling when running in a GitHub Action (there is an env var to detect that) instead of submitting a comment and a commit status. This way, the GitHub API would be used only in read-only mode.
Good point, Danger supports both the checks api and the comment API - but it looks like both are read-only in that list. Are there other useful feedback mechanisms for an action?
I think that just dumping everything into stdout would be at least something. It would be good enough for me.
You can write to stdout (and use the exit code to indicate failure).
From the docs about secrets in GitHub:
Secrets are not passed to the runner when a workflow is triggered from a forked repository.
For more details, see: https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#using-encrypted-secrets-in-a-workflow
IMO we should be recommending people use their own GitHub auth tokens, rather than the provided GH one
@orta is it safe? I have seen several articles that do not recommend using personal tokens, because they can be leaked.
It's always been the recommended way to do it: https://danger.systems/js/guides/getting_started.html#creating-a-bot-account-for-danger-to-use
It's safe for OSS, as long as you don't give the bot access to anything
Well, there should be a mode where danger-js reports things using the GitHub Actions reporting system (sending some logs to the output of the script, with some special formats in it to achieve some actions like adding annotations, if needed) instead of adding a comment. Then, it would be usable in actions directly. GitHub Actions already have a reporting UI integrated in GitHub.
I had a play around, and it's relatively straightforward to understand whether Danger is running on a PR originated from a fork.
I came up with this simple dangerfile.ts:
const headRepoName = danger.github.pr.head.repo.full_name
const baseRepoName = danger.github.pr.base.repo.full_name
// A PR coming from a fork has a head repo that differs from the base repo
if (headRepoName !== baseRepoName) {
  // This is shown inline in the output (bold red via ANSI escapes; "\x1b" is the
  // escape byte, since "\033" octal escapes are rejected in TypeScript/strict mode)
  console.log("\x1b[1;31mRunning from a forked repo. Danger won't be able to post comments on the main repo unless GitHub Actions are enabled on the fork, too.\x1b[0m")
  // This is shown inline in the output and also integrates with the GitHub
  // Actions reporting UI and produces a warning
  console.log("##[warning]Running from a forked repo. Danger won't be able to post comments on the main repo unless GitHub Actions are enabled on the fork, too.")
}
I guess logic could be added somewhere that, if it detects that the CI source is GitHub Actions and the PR is from a fork, posts this comment.
Or, even better, when the API call to post a comment gets a 403 with message "Resource not accessible by integration", checks the above conditions and posts the warning. In this case, one could use ##[error] in the log and actually make the build fail. I'm not sure how to make the build fail, just logging ##[error] is not enough. Maybe a throw?
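As an added example (not from the thread or the danger-js project), here is the log-based reporting that the comments above sketch: results go to stdout as `##[error]`/`##[warning]` lines, the fork check from the dangerfile above is reused, and the exit code, not the log line, is what fails the job. The `results` shape (fails/warnings/messages as string arrays) is an assumed simplification of Danger's output, and `GITHUB_ACTIONS` is the env var the runner sets (not in the thread's own list).

```javascript
// Added example, not from the thread or danger-js: report results through the
// Actions log instead of the GitHub API, so no write-capable token is needed
// when the PR comes from a fork. The `results` shape is an assumed simplification.

// The runner sets GITHUB_ACTIONS=true (the "env var to detect that" from the thread).
function isGitHubActions(env = process.env) {
  return env.GITHUB_ACTIONS === "true";
}

// Fork detection as in the dangerfile above: head and base repo names differ.
function isForkPr(pr) {
  return pr.head.repo.full_name !== pr.base.repo.full_name;
}

// Map results to log lines. "##[level]" is the command syntax used in this
// thread (newer runners use "::level::"); the Actions UI turns these lines into
// annotations without any API call. Only the exit code actually fails the job.
function formatResults(results) {
  const lines = [];
  for (const m of results.fails) lines.push(`##[error]${m}`);
  for (const m of results.warnings) lines.push(`##[warning]${m}`);
  for (const m of results.messages) lines.push(m);
  return { lines, exitCode: results.fails.length > 0 ? 1 : 0 };
}

// Print the lines, explain the fork situation once, and set the exit code.
function report(results, pr, env = process.env) {
  if (isGitHubActions(env) && isForkPr(pr)) {
    console.log("##[warning]PR is from a fork: GITHUB_TOKEN cannot post comments here, reporting to the log instead.");
  }
  const { lines, exitCode } = formatResults(results);
  for (const line of lines) console.log(line);
  process.exitCode = exitCode; // a non-zero exit is what marks the job as failed
  return exitCode;
}

// Constructed sample input: a fork PR with one failure and one warning.
const samplePr = {
  head: { repo: { full_name: "contributor/itmo-2019" } },
  base: { repo: { full_name: "sobolevn/itmo-2019" } },
};
const sampleResults = { fails: ["Tests were not added"], warnings: ["PR is large"], messages: [] };
console.log(formatResults(sampleResults).lines.join("\n"));
```

Call `report(sampleResults, samplePr)` from a dangerfile to get the log lines plus a failing exit status; nothing here needs a token with write scope.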
Also worth trying to use the Danger checks implementation on a forked PR as @stof mentioned
I tried it with this commit, same result, see the build here.
Request failed [403]: https://api.github.com/repos/wordpress-mobile/WordPress-iOS/check-runs
Response: {
  "message": "Resource not accessible by integration",
  "documentation_url": "https://developer.github.com/v3/checks/runs/#create-a-check-run"
}
I also tried to use a custom public_repo token, as per the docs.
A PR from the base repo works as expected. A PR from a forked repo fails saying there's no token. My guess would be that despite running on the base repo, it accesses the environment of the forked repo, where no token exists.
I also found this as an issue on my org. I have also tried to use DANGER_GITHUB_APP_ID, DANGER_GITHUB_APP_PRIVATE_SIGNING_KEY, and DANGER_GITHUB_APP_INSTALL_ID from around 2020 (#594), but it still isn't working.
It seems that there are #1125 and #1126. They are from a few days ago, but hopefully they get implemented soon.
Anyone have any success working around this issue?
I'd love to use Danger for the Zed repo, but not being able to run on forks is a huge blocker for us.
Big fan of Zed, but the issue here is "a CI security thing" (in this case how GitHub CI works) which we can't really address inside danger - for DefinitelyTyped, a very non-trivial repo we do use the advice from this comment: https://github.com/danger/danger-js/issues/918#issuecomment-606682743
Gotcha. I suppose if it has been fine to have a token out in the open like that for DefinitelyTyped it's probably fine for us (even if it does make my skin crawl 😅).
I guess another option would be to run a small proxying service that forwards to the GitHub API and attaches the access token at that point?
I ended up pursuing this route.
Here's the solution I came up with: https://github.com/maxdeviant/danger-proxy
If anyone else finds the proxy useful, do let me know 😄
Cool answer 👍🏻