ArtiomTr / jest-coverage-report-action

Track your code coverage in every pull request.
https://www.covbot.dev
MIT License

Add possibility to create annotations on PRs from forks without `checks: write` permission #313

Closed HarelM closed 1 year ago

HarelM commented 2 years ago

Describe a bug

When using this action on a fork, according to the docs by using the markdown output, this action still fails.

Expected behavior

It should not fail, and hopefully report the coverage.

Additional context

This is a continuation of this issue, which was resolved: #256

I'm guessing that there's a missing "if markdown don't publish results" or something similar...

HarelM commented 2 years ago

This is not the report part but the annotations which have a similar problem when it comes to permissions when running on a fork :-( Is it possible to try-catch it or skip this stage in case of a PR from a fork? While this is a very good way to visualize coverage it's better to have the coverage report as PR comment only than have nothing :-)

ArtiomTr commented 2 years ago

Hello @HarelM :wave:,

Yeah, that's the issue with checks - looks like your GitHub token doesn't have enough permissions to publish checks.

Found this fix: https://github.com/alibaba/lowcode-engine/blob/7a0bab11aca6fa5856af894736222c6d14897467/.github/workflows/cov%20packages.yml#L13

So, for your case, fix could look like this:

```yaml
annotations: ${{ github.event.pull_request.head.repo.full_name == github.event.repository.name && 'coverage' || 'none' }}
```

Looks weird because GitHub Actions doesn't support ternary operators.

I think that should work. Of course, another solution could be to create a personal access token with "checks: write" permission and pass it as a `github-token` parameter, but that's not safe. Don't know how these privileges could be used in a malicious way, but I think GitHub has a good reason for limiting token privileges.

HarelM commented 2 years ago

Thanks!!! super useful. I'll try it out. If you find a way to publish annotations the same way that it is working for the commit message it would be great. If not, feel free to close this issue. Thanks a lot for all the hard work and the great support you give!

ArtiomTr commented 2 years ago

Yeah, that's a good idea. I've found an action for publishing annotations from json file: annotations-action.

I will check if it works without "write" permissions. Can't promise that support for annotations output will be implemented soon, but I will post updates on this issue.

HarelM commented 2 years ago

Seems like the above code created an issue, not entirely sure why...

Can be seen here (probably not for long) https://github.com/maplibre/maplibre-gl-js/runs/8220657182?check_suite_focus=true

I'm currently reverting to annotations none, I hope it will allow me to see the coverage report at least... Let me know if there's anything else I can check...

ArtiomTr commented 2 years ago

@HarelM 😢

I just found that there are two different events - pull_request and pull_request_target. pull_request runs on the head branch, and is considered "unsafe" - runs with read-only permissions. pull_request_target runs on the base branch, with write permissions. I will try to update the logic, to support the pull_request_target event.
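A workflow sketch combining the fork check from earlier in this thread with the read-only token behaviour described above; it is an added example, not from the action's documentation or from any participant. It stays on `pull_request`, so code from a fork never runs with a write token. The workflow name, job name, runner and checkout version are assumptions; the `annotations` input and the `v2` tag come from the thread.

```yaml
# Added example (constructed for illustration).
name: coverage            # assumed name

on:
  pull_request:           # fork PRs receive a read-only GITHUB_TOKEN here

# Least privilege: grant only what the coverage job uses.
# For PRs from forks GitHub caps these at read, whatever is requested.
permissions:
  contents: read
  pull-requests: write    # report as a PR comment (same-repo PRs)
  checks: write           # annotations (same-repo PRs)

jobs:
  coverage:               # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: ArtiomTr/jest-coverage-report-action@v2
        with:
          # Both sides are "owner/repo" strings:
          #   head.repo.full_name -> repository the PR branch lives in
          #   github.repository   -> repository the workflow runs in
          # Comparing against github.event.repository.name (the bare repo
          # name without the owner) can never match a full_name.
          # `cond && a || b` stands in for the missing ternary operator;
          # it works here because 'coverage' is a non-empty string.
          annotations: >-
            ${{ github.event.pull_request.head.repo.full_name == github.repository
                && 'coverage' || 'none' }}
```

With this condition a same-repository PR gets coverage annotations, while a fork PR skips the checks API call that the read-only token would reject.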

HarelM commented 2 years ago

Bummer... Let me know if you figured out a solution. I'll be happy to test it! :-)

abcfy2 commented 2 years ago

Any update? I have the same issue: https://github.com/TokenScript/token-negotiator/actions/runs/3086784740/jobs/5008480454

ArtiomTr commented 1 year ago

Hey @HarelM and @abcfy2 :wave:,

Sorry for the late reply. Now everything should work. The fix is available under the v2.2.0 or v2 tags. Here is the documentation on how to properly configure the action. You just need to replace the `pull_request` event with `pull_request_target`. Hope this helps you!

HarelM commented 1 year ago

Thanks for the info, I ended up using codecov... Sorry for all the trouble...