go-gitea / gitea

Git with a cup of tea! Painless self-hosted all-in-one software development service, including Git hosting, code review, team collaboration, package registry and CI/CD
https://gitea.com
MIT License

Schedule an automerge from API (accidentally) with ${{ secrets.GITHUB_TOKEN }} will break the PR #31056

Open Shuenhoy opened 1 month ago

Shuenhoy commented 1 month ago

Description

I accidentally scheduled an automerge from the API with ${{ secrets.GITHUB_TOKEN }} in an action (I should have used a PAT). And the PR got broken.

Gitea Version

1.21.10

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

b500

Git Version

No response

Operating System

No response

How are you running Gitea?

Docker

Database

PostgreSQL

lunny commented 1 month ago

You should use a PAT to do that. And it should return that you have no permission to do that if you use secrets.GITHUB_TOKEN.

lunny commented 1 month ago

I created #31094 to test whether action users have been allowed to merge a PR. Looks like it should have no permission to do that.