Closed vadi2 closed 3 years ago
Is it because the PR is from a fork? It looks like it's failing when creating the review. One option is to disable the check on forks, using something like: https://github.community/t/dont-run-actions-on-pull-request-from-fork/17560/4
There may be a way to give frequent collaborators access to create reviews -- I'm not sure how to do that myself
Hm, but that's not how GitHub works: anyone should be able to make a PR from their fork without needing any kind of access. Requiring access is non-scalable and wouldn't make these kinds of actions really work - does GitHub really not permit this?
It's not the PR itself, it's the token used to create the review which only has read permissions when used from a forked repo: https://docs.github.com/en/actions/reference/authentication-in-a-workflow#permissions-for-the-github_token So it can do everything but write to the repo -- review comments count as a "write", which is why it's failing when trying to create the review.
I think the issue is basically that, in order to post the review comments, the user would need (some level of) write permissions, but if the PR is from a fork, they could've modified the action to do other things.
It looks like there's a similar limitation on creating Checks Annotations, so even if I switched it to them, there would still be the same problem.
I could make it an option to do everything but post the review comments, that way it'd still be able to run on forks and you'd have the option of failing if there were clang-tidy warnings, you'd just have to go into the check to see them.
What if a custom token is generated and passed to the action which has the review write capability, would that work?
Solved it in the end with the pull_request_target hook :+1:
Got a somewhat unintuitive error with the action:
What does it mean? See https://github.com/Mudlet/Mudlet/pull/4885/checks?check_run_id=1998372846#step:11:1297
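Added example (not part of the thread or of the action's code): the trade-off discussed above is that pull_request_target gives the workflow a token that can write reviews, while fork-submitted code must not run with that token. This heuristic audit flags a workflow that combines the two; the sample workflows, the `./lint.sh` script and the `audit` function are constructed for illustration.

```python
import re

# Heuristic, line-based scan (not a YAML parser). Quoted occurrences such as
# github.event_name == 'pull_request_target' are ignored by the lookarounds.
TRIGGER = re.compile(r"(?<!['\"])\bpull_request_target\b(?!['\"])")
HEAD_REF = re.compile(
    r"github\.event\.pull_request\.head\.(sha|ref)\b|github\.head_ref\b")

# Constructed sample workflows; ./lint.sh is a hypothetical script.
RISKY = """\
on: pull_request_target
permissions:
  pull-requests: write
jobs:
  tidy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./lint.sh
"""
SAFER = """\
on: pull_request   # fork PRs get a read-only GITHUB_TOKEN
permissions:
  contents: read
jobs:
  tidy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./lint.sh
"""

def audit(workflow: str) -> list[str]:
    """Return findings for a workflow that runs fork code with a write token."""
    lines = [l.split("#", 1)[0] for l in workflow.splitlines()]
    text = "\n".join(lines)
    if not TRIGGER.search(text):
        return []  # not triggered by pull_request_target
    findings = []
    head = [i + 1 for i, l in enumerate(lines) if HEAD_REF.search(l)]
    if head:
        findings.append(f"line {head[0]}: pull_request_target checks out the "
                        "PR head, so fork code runs with the base repo's token")
    if not re.search(r"^permissions\s*:", text, re.M):
        findings.append("no top-level permissions block: token scope is "
                        "left at the repository default")
    return findings
```

A workflow that uses pull_request_target only to post results, without checking out or executing the PR head, produces no first finding.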