Open ubershmekel opened 4 years ago
The plan to use a github secret with a user token was destined to fail. Action triggers from forks do not get the repo secrets. Which makes sense from a security perspective, though I wish there was a way to divulge the secrets in case the workflow file was not modified.
https://github.com/actions/checkout/issues/298#issuecomment-664976337
Potential solutions:
There might be other options; I didn't look too deep, but I can. Could the workflow have that maintainer user's environment variables for those actions? As a note, I have not used GitHub Actions.
Problem: With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository. Solution: and there is more after this.
To provide an action with a secret as an input or environment variable, you can use the secrets context to access secrets you've created in your repository. For more information, see "Context and expression syntax for GitHub Actions" and "Workflow syntax for GitHub Actions."
@ph-ct the way I tested the secrets was through environment variables. They aren't passed to the process if it's running on a remote fork. Did I misunderstand your suggestions?
@ubershmekel I think what it's saying is that workflows usually have a way to run the forks in your action context (that problem/solution part is mine, added just for readability, but it reads clean in the link). I have not read in detail after that, but I can.
I don't know if I have access to the configs for the workflows, but it's running this data builder Python script? https://github.com/2020PB/police-brutality/tree/master/tools
and I'm guessing it's for this workflow but I can't see the config. https://github.com/2020PB/police-brutality/actions?query=workflow%3A%22Validate+Data%22
The data validator from https://github.com/2020PB/police-brutality/pull/745 works on branches that are in this repo, but not on branches in forks of this repo (non-maintainer PRs).
The solution is to make https://github.com/ubershmekel2020pb a maintainer. That's a user I created that will have no access to anything except this repo, and that user's auth token will be embedded in the GitHub Actions secrets to be used by the PR CI.
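As an added illustration (not a workflow from this repository), here is how a `pull_request` job can tell a same-repo branch apart from a fork PR and branch on whether the secret is actually present, so the validator degrades cleanly instead of failing with an empty token. The secret name `MAINTAINER_TOKEN` and the `tools/validate.py` path and flag are assumptions.

```yaml
name: Validate Data
on: pull_request

jobs:
  validate:
    runs-on: ubuntu-latest
    env:
      # Assumed secret name. GitHub passes it only for branches in this repo;
      # for a PR from a fork the expression expands to an empty string.
      MAINTAINER_TOKEN: ${{ secrets.MAINTAINER_TOKEN }}
      # Pass event data through env rather than interpolating it into the script.
      HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
      BASE_REPO: ${{ github.repository }}
    steps:
      - uses: actions/checkout@v4

      - name: Classify the PR source
        id: origin
        run: |
          if [ "$HEAD_REPO" = "$BASE_REPO" ] && [ -n "$MAINTAINER_TOKEN" ]; then
            echo "has_token=true" >> "$GITHUB_OUTPUT"
          else
            echo "has_token=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Validate with maintainer token (same-repo branches only)
        if: steps.origin.outputs.has_token == 'true'
        run: python tools/validate.py   # assumed script path

      - name: Validate without token (fork PRs; GITHUB_TOKEN is still available)
        if: steps.origin.outputs.has_token == 'false'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: python tools/validate.py --read-only   # assumed flag
```

Switching the trigger to `pull_request_target` would make the secret available, but that event runs in the base repository's context; checking out and executing the fork's code there exposes the token to whatever the PR contains, which is exactly what the fork restriction prevents.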