2020PB / police-brutality

Repository containing evidence of police brutality during the 2020 George Floyd protests
MIT License

The data fixer does not work on forks #780

Open ubershmekel opened 4 years ago

ubershmekel commented 4 years ago

The data validator from https://github.com/2020PB/police-brutality/pull/745 works on branches that are in this repo, but not on branches in forks of this repo (non-maintainer PRs).

The solution is to make https://github.com/ubershmekel2020pb a maintainer. That's a user I created that will have no access to anything except this repo, and that user's auth token will be embedded in the GitHub Actions secrets to be used by the PR CI.

ubershmekel commented 4 years ago

The plan to use a GitHub secret with a user token was destined to fail. Action triggers from forks do not get the repo secrets. Which makes sense from a security perspective, though I wish there was a way to divulge the secrets in case the workflow file was not modified.

https://github.com/actions/checkout/issues/298#issuecomment-664976337

TimidRobot commented 4 years ago

Potential solutions:

ph-ct commented 4 years ago

There might be other options; I didn't look too deep but I can. Could the workflow have that maintainer user's environment variables for those actions? As a note, I have not used GitHub Actions.

https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#using-encrypted-secrets-in-a-workflow

Problem: With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository. Solution: and there is more after this.

To provide an action with a secret as an input or environment variable, you can use the secrets context to access secrets you've created in your repository. For more information, see "Context and expression syntax for GitHub Actions" and "Workflow syntax for GitHub Actions."

ubershmekel commented 4 years ago

@ph-ct the way I tested the secrets was through environment variables. They aren't passed to the process if it's running on a remote fork. Did I misunderstand your suggestions?
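The behaviour described in the comments above (secrets are absent from the environment on fork-triggered runs) can be handled by having the CI script pick its mode up front. This is an added example, not part of the thread or the project's tooling; the secret name `FIXER_TOKEN`, the mode names and the sample events are assumptions, while `GITHUB_EVENT_NAME`, `GITHUB_REPOSITORY` and `GITHUB_EVENT_PATH` are the standard Actions variables.

```python
import json
import os

BASE_REPO = "2020PB/police-brutality"

# Constructed sample payloads, trimmed to the fields this check reads.
SAMPLE_FORK_EVENT = {
    "pull_request": {"head": {"repo": {"full_name": "contributor/police-brutality"}}}
}
SAMPLE_SAME_REPO_EVENT = {
    "pull_request": {"head": {"repo": {"full_name": BASE_REPO}}}
}


def is_fork_pr(event: dict, base_repo: str) -> bool:
    """True when the PR head branch lives outside the base repository."""
    head = (event.get("pull_request") or {}).get("head") or {}
    # head.repo is null when the fork was deleted; treat that as a fork too.
    head_repo = head.get("repo") or {}
    return head_repo.get("full_name") != base_repo


def choose_mode(env: dict, event: dict) -> str:
    """Return 'fix-and-push' only when the run is trusted and can authenticate."""
    base_repo = env.get("GITHUB_REPOSITORY", "")
    if env.get("GITHUB_EVENT_NAME") == "pull_request" and is_fork_pr(event, base_repo):
        return "validate-only"
    # A secret that is not available to the run arrives as an empty string.
    if not env.get("FIXER_TOKEN", ""):  # hypothetical secret name
        return "validate-only"
    return "fix-and-push"


def load_event(env: dict) -> dict:
    """Read the webhook payload the runner writes to GITHUB_EVENT_PATH."""
    path = env.get("GITHUB_EVENT_PATH")
    if not path or not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    environ = dict(os.environ)
    print(choose_mode(environ, load_event(environ)))
```

In `validate-only` mode the job can still fail the check on bad data, so fork PRs get feedback without the run ever needing write credentials.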

ph-ct commented 4 years ago

@ubershmekel usually workflows have a way to run the forks in your action context, I think is what it's saying (that problem/solution part is mine, added just for readability, but it reads clean in the link). I have not read in detail after that but I can.

I don't know if I have access to the configs for the workflows, but it's running this data builder Python script? https://github.com/2020PB/police-brutality/tree/master/tools

And I'm guessing it's for this workflow, but I can't see the config. https://github.com/2020PB/police-brutality/actions?query=workflow%3A%22Validate+Data%22