pr-preview-action

Fail gracefully when run from fork

Open rossjrw opened this issue 1 year ago • 3 comments

Running this action from a fork is not currently supported. Right now, behaviour when running from a fork is undefined; I don't remember exactly what happens, I think it just errors and tells you the action failed. It would be good to have some sort of non-fail (warning?) alert happen instead.

rossjrw, May 20 '23 16:05

I was looking into this! This is why:

  1. The GITHUB_TOKEN has read-only access, so you can't push commits, add comments, or perform most other write actions.
  2. Secrets aren't available in runs on PRs from forks, which is a measure to prevent a malicious PR from exposing repository secrets.
  3. Some context values, like github.repository, are set to the context of the fork, not the base repository.

melMass, Aug 09 '23 20:08

So IIUC a GitHub action from a fork can't work, or is there a workaround? I get:

Pushing changes… (attempt 1 of 3)
/usr/bin/git push --porcelain ***github.com/openSUSE/backlogger.git github-pages-deploy-action/4ebykzcsk:gh-pages
remote: Permission to openSUSE/backlogger.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/openSUSE/backlogger.git/': The requested URL returned error: 403
Changes committed to the gh-pages branch… 📦
Running post deployment cleanup jobs… 🗑️
/usr/bin/git checkout -B github-pages-deploy-action/4ebykzcsk
Reset branch 'github-pages-deploy-action/4ebykzcsk'
/usr/bin/chmod -R +rw github-pages-deploy-action-temp-deployment-folder
/usr/bin/git worktree remove github-pages-deploy-action-temp-deployment-folder --force
Completed deployment successfully! ✅
...
Error: Resource not accessible by integration

The workflow file looks like this:

---
name: Backlog Limits Checker
concurrency: preview-${{ github.ref }}
# yamllint disable-line rule:truthy
on:
  pull_request:
    types:
      - opened
      - reopened
      - synchronize
      - closed
permissions:
  contents: write
  pull-requests: write
jobs:
  backlogger:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run the action implemented in this repo
        uses: ./
        with:
          config: queries.yaml
          redmine_api_key: ${{ secrets.REDMINE_API_KEY }}
      - uses: rossjrw/pr-preview-action@v1
        with:
          source-dir: gh-pages

b10n1k, Apr 09 '24 15:04

@b10n1k Yes, at this time this action does not officially support being run from forks - this is openly stated on the README. See #3 for more info. Workarounds do exist but there are security implications that you need to be aware of - there are very good reasons that this behaviour is blocked by default. See #6 for more info on that.

rossjrw, Apr 09 '24 22:04
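
One way to get the non-failing behaviour requested at the top of the thread, as an added example that is not part of pr-preview-action or of any comment above: a preflight step that reads the `pull_request` event payload, detects a fork, and emits a warning annotation instead of attempting the push. The function names, the sample payloads and the `deploy` output name are assumptions made for illustration.

```python
"""Preflight for a pull_request workflow: skip deployment on fork PRs with a warning."""
import json
import os


def is_fork_pr(event: dict) -> bool:
    """True when the PR head lives in a different repository than the base."""
    pr = event.get("pull_request")
    if not pr:
        return False  # push, workflow_dispatch, etc.: no fork involved
    head_repo = (pr.get("head") or {}).get("repo")
    if head_repo is None:
        return True  # head repository was deleted: cannot prove it is the base repo
    base_repo = (pr.get("base") or {}).get("repo") or {}
    return head_repo.get("full_name") != base_repo.get("full_name")


def preflight(event: dict) -> tuple[bool, str]:
    """Return (deploy, annotation); annotation is a workflow command line."""
    if is_fork_pr(event):
        return False, ("::warning title=Preview skipped::Pull request comes from a fork: "
                       "GITHUB_TOKEN is read-only and secrets are unavailable, "
                       "so the preview was not deployed.")
    return True, "::notice title=Preview::Same-repository run, deploying preview."


# Constructed sample payloads, trimmed to the fields the check reads.
SAMPLE_FORK = {"pull_request": {"head": {"repo": {"full_name": "contributor/example"}},
                                "base": {"repo": {"full_name": "owner/example"}}}}
SAMPLE_SAME = {"pull_request": {"head": {"repo": {"full_name": "owner/example"}},
                                "base": {"repo": {"full_name": "owner/example"}}}}
SAMPLE_DELETED = {"pull_request": {"head": {"repo": None},
                                   "base": {"repo": {"full_name": "owner/example"}}}}

if __name__ == "__main__":
    path = os.environ.get("GITHUB_EVENT_PATH")  # set by the Actions runner
    if path:
        with open(path, encoding="utf-8") as fh:
            event = json.load(fh)
    else:
        event = SAMPLE_FORK  # offline demo with the constructed payload
    deploy, annotation = preflight(event)
    print(annotation)
    out = os.environ.get("GITHUB_OUTPUT")
    if out:  # expose the decision to later steps as the step output "deploy"
        with open(out, "a", encoding="utf-8") as fh:
            fh.write(f"deploy={'true' if deploy else 'false'}\n")
    # Exit status stays 0 either way: a fork PR gets a warning, not a failed check.
```

A later step can be gated on this step's `deploy` output with an `if:` condition, so the deploy step is skipped on fork PRs rather than ending in the 403 shown in the log above.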