Open waltersma opened 1 year ago
RobPasMue
commented
1 year ago This is because only users with write access to the repo will have access to the secrets (AFAIK). Meaning that the workflow would have to be triggered by a member with write access.
I'd like to see an actual example though... do you have a link to one @ninad-kamat ?
MaxJPRey
commented
1 year ago Yes, this is a gatekeeper, to make sure external contributors cannot access to secrets. We have the same scenario with PyAEDT. One of the contributors must approve the run and then the workflows will be executed as for any Ansys employee with write access.
ninad-kamat
commented
1 year ago This is because only users with write access to the repo will have access to the secrets (AFAIK). Meaning that the workflow would have to be triggered by a member with write access.
I'd like to see an actual example though... do you have a link to one @ninad-kamat ?
@RobPasMue This was an old PR from an external contributor, which was just a simple doc change which could not go in as workflows failed. When the PR was put up, it requested approval for running the workflow and even after approval the doc pipeline failed to check out a license for the server.
RobPasMue
commented
1 year ago Well, I can't see the logs anymore... Meaning that I cannot tell what's happenning. I had a look at your settings and all seems to be fine... I'd suggest that if it happens again, you ping us. Maybe it was a one-time thing but other repos are having external contributors and they work just fine.
ninad-kamat
commented
1 year ago @RobPasMue Here is a more recent case. https://github.com/ansys/pyprimemesh/actions/runs/5545221827 https://github.com/ansys/pyprimemesh/actions/runs/5545221823
This one was a fork by an Ansys employee. The labeler and license checkout still failed for some reason. The work around I did was to merge the fork into my branch instead of main and then merge my branch in.
RobPasMue
commented
1 year ago Yep, I've been reading and it seems like secrets are not given access to PRs coming from forked repos whenever pull_request is used in the workflows. You can come around that limitation using pull_request_target - though it might be unsafe to do so.
For more information see: https://github.com/aws-actions/configure-aws-credentials/issues/416#issuecomment-1275264743 https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
These guys came with an original solution: https://github.com/orgs/community/discussions/26163
It consists on merging the outside collaborators PR to a repo's branch, and then opening a PR from it. They even show how to do it using bots and GitHub actions. Worth giving it a try.
This is an issue at present. Forking contributions do not work unless you are an Ansys employee. Even then some actions fail I think. @MaxJPRey @RobPasMue @AlejandroFernandezLuces This is for the larger PyAnsys team I guess to answer.
I have seen that external Github workflows require maintainer approval to start run. Why then can the pipelines not check out a license if a maintainer has approved it?