The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository

[tbouffard]

ℹ️ Part of a top-level initiative: #670

The underlying action bonitasoft/actions/packages/pr-antora-content-guidelines-checker@v2 fails to write the PR comment. It uses the GH_TOKEN to create a PR comment but this token hasn't the permission to write PR comment (read-only permission when PR created from a fork).

See the problem on https://github.com/bonitasoft/bonita-cloud-doc/pull/53, job https://github.com/bonitasoft/bonita-cloud-doc/actions/runs/8422019939/job/23065313474?pr=53

Logs

Run bonitasoft/actions/packages/pr-antora-content-guidelines-checker@v2
  with:
    attributes-to-check: :description:
    files-to-check: adoc
    forbidden-pattern-to-check: https://documentation.bonitasoft.com,link:https,link:http,link:,xref:https,xref:http,xref:_,xref:#,Bonita BPM
    github-token: ***
Input parameters:
❌ This following checks are failed: 
 * Attributes validation
 * Forbidden pattern validation
Error: Resource not accessible by integration

Possible alternatives to fix the problem

• we may run the workflow on pull_request_target (a priori, no security issue, as there is no build involved here, only static check of the content of AsciiDoc files)
• when running from a fork or when detecting that the GH_TOKEN has the write permission (how to do this? see https://github.com/bonitasoft/actions/issues/93), do not create a PR comment. Add logs and/or create a job summary (see also https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/). This requires to update the implementation of the pr-antora-content-guidelines-checker action.

Notice that the later require to change the implementation of the action, while the former may only require to change the workflows calling the action. The action could also create a summary and/or add logs even when it is not possible to create the PR comment.

Decision

After discussions with @benjaminParisel, we decided to run the pr-antora-content-guidelines-checker action in a workflow triggered by a pull_request_target.

There is no security issue here. The checks are done only on the updated file of the PR without doing tool installation, cache update or branch checkout. Only the GitHub API is used. Using this event allows to create PR comment when the PR is created from a forked repository.

Resources: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Tasks

• [x] Update the pr-antora-content-guidelines-checker action to fully support the pull_request_target event: https://github.com/bonitasoft/actions/pull/129. It is included in a new release https://github.com/bonitasoft/actions/releases/tag/v3.1.0
• [x] Do testing on the bonita-labs-doc repository
  • https://github.com/bonitasoft/bonita-labs-doc/pull/153
  • https://github.com/bonitasoft/bonita-labs-doc/pull/155
  • https://github.com/bonitasoft/bonita-labs-doc/pull/158
• Apply the changes to all content repositories
  • [x] bonita-doc https://github.com/bonitasoft/bonita-doc/pull/2664
  • [x] central https://github.com/bonitasoft/bonita-central-doc/pull/34
  • [x] cloud https://github.com/bonitasoft/bonita-cloud-doc/pull/54
  • [x] bcd https://github.com/bonitasoft/bonita-continuous-delivery-doc/pull/225
  • [x] test-toolkithttps://github.com/bonitasoft/bonita-test-toolkit-doc/pull/58

[tbouffard]

All tasks are completed so closing.