Workflow fails for pull requests from forks

[Hiratake]

The workflow fails when creating a pull request from a fork repository to an upstream repository. Perhaps the error occurs because the correct branch name is now used in #70, and the branch cannot be found in the upstream repository where the workflow is to be executed.

The workflows where this problem has actually occurred following:
https://github.com/jaoafa/jaoweb4/blob/847e0875f9ae88cd69125433cfbfedfd9c33d753/.github/workflows/publish.yml#L98

The actual problematic workflows resulted in the following:
https://github.com/jaoafa/jaoweb4/actions/runs/5296316660/jobs/9587342658

For pull requests from forks, it is preferable to use SHA. Alternatively, it would be possible to change this in inputs.

[marvin-hansen]

I have the same problem. Trying to build PR'a to a dedicated preview site, but getting missing API key error. From the log:

Run cloudflare/pages-action@v1
  with:
    projectName: preview
    directory: public
    branch: main
    workingDirectory: web
    wranglerVersion: [3](https://github.com/deepcausality-rs/sites/actions/runs/6142941060/job/16665488500?pr=44#step:3:3)
Error: Input required and not supplied: apiToken

[book000]

@marvin-hansen Hi, Your problem may be slightly different from what Hiratake san problem is.

I think your workflow is this file: https://github.com/deepcausality-rs/sites/blob/24f7e37c0092f534bd820dd1e8ba9dc10f9f3f1e/.github/workflows/preview.yml The CLOUDFLARE_API_TOKEN secret is required, did you set it and run it? Since the error is Input required and not supplied, I assume that the value for apiToken does not exist...😢

If the problem is the same as Hiratake's, the error should include a statement like No ref found for!

I hope you will find it useful!

[marvin-hansen]

Well,

I did provided the token but upon further investigation, it became clear that there are a number of issues related to accessing GH secrets from a PR that originated from a forked repo. I tried a few suggestions, but nothing worked out so I’m not sure where to go from here.

Best

On Mon, Sep 11, 2023 at 9:27 PM Tomachi @.***> wrote:

@marvin-hansen https://github.com/marvin-hansen Hi, Your problem may be slightly different from what Hiratake san problem is.

I think your workflow is this file: https://github.com/deepcausality-rs/sites/blob/24f7e37c0092f534bd820dd1e8ba9dc10f9f3f1e/.github/workflows/preview.yml The CLOUDFLARE_API_TOKEN secret is required, did you set it and run it? Since the error is Input required and not supplied, I assume that the value for apiToken does not exist...😢

If the problem is the same as Hiratake's, the error should include a statement like No ref found for https://github.com/jaoafa/jaoweb4/actions/runs/5296316660/job/14339062309#step:8:14 !

I hope you will find it useful!

— Reply to this email directly, view it on GitHub https://github.com/cloudflare/pages-action/issues/94#issuecomment-1713883953, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFYR7XF2YXHIOPGBIYS4633XZ4GVFANCNFSM6AAAAAAZKFANPA . You are receiving this because you were mentioned.Message ID: @.***>

[book000]

@marvin-hansen Oh, I see. There is indeed a restriction on the pull_request event that the secret cannot be referenced from the forked repos. This restriction prevents a malicious forker from stealing the secret.

One commonly used workaround is to use labels as triggers. Since labels can only be granted with Write permission to the repository, this is considered a reasonable workaround✅

[book000]

For reference, take a look at the following workflow! ❤ https://github.com/jaoafa/jaoweb4/blob/2b337c1a15385454f2aa6f5c07f6af95d1d680f9/.github/workflows/publish.yml#L18

[marvin-hansen]

Amazing.

Let me try this tomorrow and report back.

Thank you so much.

On Mon, Sep 11, 2023 at 10:25 PM Tomachi @.***> wrote:

For reference, take a look at the following workflow! ❤

https://github.com/jaoafa/jaoweb4/blob/2b337c1a15385454f2aa6f5c07f6af95d1d680f9/.github/workflows/publish.yml#L18

— Reply to this email directly, view it on GitHub https://github.com/cloudflare/pages-action/issues/94#issuecomment-1713997350, or unsubscribe https://github.com/notifications/unsubscribe-auth/AFYR7XFIX732K66PTBIQFGLXZ4NL3ANCNFSM6AAAAAAZKFANPA . You are receiving this because you were mentioned.Message ID: @.***>

[marvin-hansen]

@book000

I'm struggling a bit to make the GH action you shared work.

Good news is: 1) Auto-comment that a PR from a forked repo needs the 🚀request-deploy label works

2) Once the label has been added, the publish action runs. Nice.

Now, my page is a Hugo static page and the lock.json is in the folder separate folder called web. Therefore, I added the working-directory tag and npm ci installs.

The npm run generate steps also gets the working-directory.

      - name: Run generate
        working-directory: web
        run: npm run generate

However, this steps fails in the CI

Run npm run generate
  npm run generate
  shell: /usr/bin/bash -e {0}
npm ERR! Missing script: "generate"
npm ERR! 
npm ERR! To see a list of scripts, run:
npm ERR!   npm run

npm ERR! A complete log of this run can be found in: /home/runner/.npm/_logs/[2](https://github.com/deepcausality-rs/sites/actions/runs/6221068467/job/16882331675?pr=57#step:7:2)02[3](https://github.com/deepcausality-rs/sites/actions/runs/6221068467/job/16882331675?pr=57#step:7:3)-09-18T10_07_[5](https://github.com/deepcausality-rs/sites/actions/runs/6221068467/job/16882331675?pr=57#step:7:6)5_3[8](https://github.com/deepcausality-rs/sites/actions/runs/6221068467/job/16882331675?pr=57#step:7:9)1Z-debug-0.log
Error: Process completed with exit code 1.

The complete workflow file:

https://github.com/deepcausality-rs/sites/actions/runs/6221076223/workflow

And the last failed run: https://github.com/deepcausality-rs/sites/actions/runs/6221076223/job/16882354763?pr=57

Any idea how to fix this?

[marvin-hansen]

I think the correct way to build HUGO sites manually is something like this:

hugo --environment production --gc --minify

Have to update the action to install & run hugo

[book000]

@marvin-hansen npm run generate runs scripts.generate in package.json. Therefore, if the generate script is not defined, this error will occur.

For a simple solution, replace this part with the following (...may need to be changed):

      - name: Build hugo site
        working-directory: web
        run: hugo --environment production --gc --minify

[marvin-hansen]

thank you @book000

I'm working on it.

The theme I am using can actually be build with npm using install & build. I just tried it locally and that one worked. Trying it now on CI

npm install

npm run build

[marvin-hansen]

@book000 This one worked. The last blocker I solved was to enable submodule checkout so that the theme gets cloned as well.

Now it's all running.

https://github.com/deepcausality-rs/sites/actions/runs/6221806137/job/16884805932

Thank you so much for all your help.