The underlying action bonitasoft/actions/packages/pr-antora-content-guidelines-checker@v2 fails to write the PR comment. It uses the GH_TOKEN to create the comment, but that token does not have permission to write PR comments: the token is read-only when the PR is created from a fork (the `pull_request` event grants a read-only GITHUB_TOKEN to fork PRs). See the problem on https://github.com/bonitasoft/bonita-cloud-doc/pull/53, job https://github.com/bonitasoft/bonita-cloud-doc/actions/runs/8422019939/job/23065313474?pr=53

Logs
Run bonitasoft/actions/packages/pr-antora-content-guidelines-checker@v2
with:
attributes-to-check: :description:
files-to-check: adoc
forbidden-pattern-to-check: https://documentation.bonitasoft.com,link:https,link:http,link:,xref:https,xref:http,xref:_,xref:#,Bonita BPM
github-token: ***
Input parameters:
❌ This following checks are failed:
* Attributes validation
* Forbidden pattern validation
Error: Resource not accessible by integration
Possible alternatives to fix the problem
- run the workflow on pull_request_target (a priori, no security issue, as there is no build involved here, only a static check of the content of AsciiDoc files)
- make the action create a job summary and/or add logs even when it is not possible to create the PR comment

Notice that the latter requires changing the implementation of the action, while the former may only require changing the workflows calling the action.
Decision
After discussions with @benjaminParisel, we decided to run the pr-antora-content-guidelines-checker action in a workflow triggered by pull_request_target.
There is no security issue here. The checks are done only on the files updated by the PR, without tool installation, cache update or branch checkout. Only the GitHub API is used, so no code coming from the fork is executed with the write token.
Using this event allows the action to create the PR comment when the PR is created from a forked repository.
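The following is an added example of what a caller workflow implementing this decision looks like; it is not the workflow from bonita-cloud-doc or from the bonitasoft/actions repository. The action inputs and their values are the ones visible in the logs above; the workflow name, the `paths` filter, the `@v3` ref and the `permissions` block are assumptions made for the example.

```yaml
# Added example (not the project's own workflow): caller workflow for the
# pr-antora-content-guidelines-checker action, following the decision above.
# Assumptions: workflow name, `paths` filter, `@v3` ref and `permissions`
# block are illustrative, not taken from bonita-cloud-doc.
name: PR content guidelines

on:
  # pull_request_target runs in the context of the base repository, so the
  # GITHUB_TOKEN can write the PR comment even when the PR comes from a fork.
  # Trade-off: that token has write access, so the workflow must never execute
  # code taken from the PR head (no checkout of the PR branch, no tool
  # installation, no cache restore driven by PR content).
  pull_request_target:
    types: [opened, synchronize, reopened]
    paths:
      - '**/*.adoc'

# Least privilege: only what the action needs to read the changed files through
# the API and to write the comment (assumed minimal set).
permissions:
  contents: read
  pull-requests: write

jobs:
  check-content:
    runs-on: ubuntu-latest
    steps:
      # Intentionally no `actions/checkout` step. Checking out
      # ${{ github.event.pull_request.head.sha }} under pull_request_target
      # would let a fork-provided branch run with the write token (see the
      # "preventing pwn requests" resource linked on this page).
      - name: Check Antora content guidelines
        # Ref assumed; v3.1.0 is the first release supporting pull_request_target
        uses: bonitasoft/actions/packages/pr-antora-content-guidelines-checker@v3
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          attributes-to-check: ':description:'
          files-to-check: adoc
          forbidden-pattern-to-check: 'https://documentation.bonitasoft.com,link:https,link:http,link:,xref:https,xref:http,xref:_,xref:#,Bonita BPM'
```

The check to keep in code review of such a workflow is simple: under `pull_request_target`, grep the job for `actions/checkout` with a `ref:` pointing at the PR head, for `npm install`/`pip install` of PR-provided manifests, or for cache restores keyed on PR content. Any of those reintroduces the pwn-request risk the Decision above relies on not having.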
ℹ️ Part of a top-level initiative: #670
Resources: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
Tasks
- Make the pr-antora-content-guidelines-checker action fully support the pull_request_target event: https://github.com/bonitasoft/actions/pull/129. It is included in a new release: https://github.com/bonitasoft/actions/releases/tag/v3.1.0