Closed jsab closed 1 year ago
Hello @jsab, Sorry for the wait here. This is known and unfortunately expected. To publish even a dev version of the orb would require access to your CircleCI Personal Access token for the build. Unfortunately the risk is too great when allowing forked PRs, as their PR could be crafted to expose this token in some way (posting it to an API for instance). Forked PRs are also often abused by crypto miners.
Instead, the way we handle this is by cloning the user's branch after reviewing it manually, and then pushing the branch to our repo. Because the commit SHA is exactly the same, but the new commit is triggered by you, the build will run properly.
This gives you a way to manually ensure that contributions are not malicious in any way, prior to running tests from outside contributors.
Here is a semi-relevant video on securing your publishing token to ensure outside users could not access it, even if you did allow forked PRs to run (though they would fail at this point). https://www.youtube.com/watch?v=ImPE969yv08
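The review-then-push workflow described in the reply above, as an added shell example that is not part of the original thread or CircleCI's tooling: it pushes the fork's commit to the upstream repo only if the fork's tip is still the exact SHA that was reviewed. The function names, branch names and local stand-in repositories are assumptions constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example; all names are hypothetical, not from the Orb-Project-Template.

# promote_reviewed_commit <repo_dir> <fork_url> <fork_branch> <reviewed_sha> <target_branch>
# repo_dir is a maintainer clone whose "origin" remote is the upstream repo.
promote_reviewed_commit() {
  local repo=$1 fork_url=$2 fork_branch=$3 reviewed=$4 target=$5 fetched pushed
  # Fetch the contributor's branch without adding a remote or checking it out.
  git -C "$repo" fetch --quiet "$fork_url" "refs/heads/$fork_branch" || return 2
  fetched=$(git -C "$repo" rev-parse FETCH_HEAD) || return 2
  # The fork may have moved since review: refuse anything but the reviewed commit.
  if [ "$fetched" != "$reviewed" ]; then
    echo "refusing: fork tip $fetched is not reviewed commit $reviewed" >&2
    return 1
  fi
  # Push the SHA itself (not a branch name) so what lands is what was reviewed.
  git -C "$repo" push --quiet origin "$reviewed:refs/heads/$target" || return 2
  pushed=$(git -C "$repo" ls-remote origin "refs/heads/$target" | cut -f1)
  [ "$pushed" = "$reviewed" ]
}

# Constructed offline demo: local repositories stand in for upstream and the fork.
demo() {
  local tmp sha
  tmp=$(mktemp -d) || return 2
  g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }
  git init --quiet --bare "$tmp/upstream.git"
  git init --quiet "$tmp/maintainer"
  git -C "$tmp/maintainer" remote add origin "$tmp/upstream.git"
  git init --quiet "$tmp/fork"
  git -C "$tmp/fork" symbolic-ref HEAD refs/heads/feature
  g -C "$tmp/fork" commit --quiet --allow-empty -m "contribution"
  sha=$(git -C "$tmp/fork" rev-parse HEAD)
  # The reviewed commit lands upstream with an identical SHA.
  promote_reviewed_commit "$tmp/maintainer" "$tmp/fork" feature "$sha" pr-review || return 1
  # The contributor adds a commit after review: promotion must now be refused.
  g -C "$tmp/fork" commit --quiet --allow-empty -m "post-review change"
  if promote_reviewed_commit "$tmp/maintainer" "$tmp/fork" feature "$sha" pr-review2 2>/dev/null; then
    return 1
  fi
  rm -rf "$tmp"
}
```

Pinning the push to the reviewed SHA closes the gap between review and push, during which the fork's branch could change.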
Orb version:
10.0 (https://github.com/CircleCI-Public/Orb-Project-Template/blob/e388c329da98fba7ede5f7226b6aacb0b9eec185/.circleci/config.yml#L6)
What happened:
When working on an orb following the Orb-Project-Template, and opening a PR from a fork, the test-pack workflow will succeed including the trigger-integration-dev command. However, the integration-test_deploy workflow will not actually be triggered.
Logs of the last step (Trigger integration test workflow) are as follows:
Note the null at the end of the link.
Expected behavior:
Best case would be to work with forks.
Second best case, if not possible, would be to fail with a message saying that PRs from forks are not supported.
Additional Information:
Feel free to contact me if more details are required.