grantmcconnaughey / Lintly

Automated GitHub PR code reviewer for Python, JavaScript, CSS, and more.
MIT License
92 stars, 18 forks

Lintly fails for PRs from forks because GH disables write permissions #46

Closed joshuacwnewton closed 3 years ago

joshuacwnewton commented 3 years ago

I believe this is an upstream decision from GitHub, but I thought I would mention it here in case there is a more graceful way to handle the error.

Context: https://github.community/t/token-permissions-for-forks-once-again/16468

> I understand why forked repos have read-only permissions, but it effectively blocks any linters, checkers and audit tools from being implemented as GitHub Actions; for example, it is disallowed to post any data to the Checks API, therefore it is impossible to create a linter which will validate pull requests from forked repositories.

Example of failing job: https://github.com/neuropoly/spinalcordtoolbox/runs/2114260881?check_suite_focus=true

```
  File "/opt/hostedtoolcache/Python/3.8.8/x64/lib/python3.8/site-packages/lintly/builds.py", line 82, in execute
    self.submit_to_pr(patch)
  File "/opt/hostedtoolcache/Python/3.8.8/x64/lib/python3.8/site-packages/lintly/builds.py", line 145, in submit_to_pr
    self.git_client.create_check_run(
  File "/opt/hostedtoolcache/Python/3.8.8/x64/lib/python3.8/site-packages/lintly/backends/github.py", line 249, in create_check_run
    response = client.post(url, data, headers={'Accept': GITHUB_CHECKS_HEADER})
  File "/opt/hostedtoolcache/Python/3.8.8/x64/lib/python3.8/site-packages/lintly/backends/github.py", line 81, in post
    return self._do_request('post', url, json.dumps(data), headers)
  File "/opt/hostedtoolcache/Python/3.8.8/x64/lib/python3.8/site-packages/lintly/backends/github.py", line 113, in _do_request
    raise GitClientError(response.content, status_code=response.status_code)
lintly.backends.errors.GitClientError: b'{"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/rest/reference/checks#create-a-check-run"}'
Error: Process completed with exit code 1.
```

Thank you again for the lovely tool.
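
The "more graceful" handling the comment above asks for can be done before any API call: a `pull_request` workflow triggered by a fork receives a read-only `GITHUB_TOKEN`, and that is decidable from the event payload alone (head repo differs from base repo). The example below is added here and is not Lintly's code. It detects that situation and falls back to GitHub Actions workflow commands (`::error file=...,line=...::msg`), which annotate the PR diff from the job log and need no token at all. The `post_check_run` callable, the `LintViolation` type and the event payloads are constructed for the example; the payload shape mirrors the real `pull_request` webhook fields.

```python
"""Decide how to report lint results when GITHUB_TOKEN may be read-only.

Added example, not Lintly's own code. Assumptions: the constructed event
payloads below mirror the shape of real `pull_request` webhook payloads,
and `post_check_run` is a hypothetical stand-in for the Checks API call.
"""
import json
import os
from dataclasses import dataclass


@dataclass
class LintViolation:  # hypothetical; stands in for a linter's finding
    path: str
    line: int
    col: int
    message: str


def is_fork_pull_request(event: dict) -> bool:
    """True when the PR head lives in a different repo than the base.

    For such PRs a `pull_request` workflow gets a read-only token, so any
    Checks API write fails with 403 "Resource not accessible by integration".
    """
    pr = event.get("pull_request")
    if not pr:
        return False
    head_repo = (pr.get("head") or {}).get("repo") or {}
    base_repo = (pr.get("base") or {}).get("repo") or {}
    # A deleted head repo arrives as null; treat it as untrusted as well.
    return head_repo.get("full_name") != base_repo.get("full_name")


def can_write_checks(event_name: str, event: dict) -> bool:
    """Whether a Checks API write is expected to succeed for this run.

    `pull_request_target` runs in the base repo with a write token even for
    forks; same-repo `pull_request` runs also get a write token. Only a
    `pull_request` run for a fork is read-only.
    """
    if event_name == "pull_request_target":
        return True
    if event_name == "pull_request":
        return not is_fork_pull_request(event)
    return True  # push and other events run with the repo's own token


def workflow_command(v: LintViolation) -> str:
    """Render a violation as a `::error` workflow command.

    Workflow commands are parsed from stdout by the runner, so the message
    must escape %, CR and LF the way GitHub documents.
    """
    msg = v.message.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")
    return f"::error file={v.path},line={v.line},col={v.col}::{msg}"


def report(violations, event_name, event, post_check_run):
    """Post a check run when the token allows it, else emit workflow commands.

    Returns the reporting mode used so callers (and tests) can see which path ran.
    """
    if can_write_checks(event_name, event):
        post_check_run(violations)
        return "check_run"
    for v in violations:
        print(workflow_command(v))
    return "workflow_commands"


def load_event_from_env():
    """Read the real event the way an action would on a runner."""
    name = os.environ.get("GITHUB_EVENT_NAME", "")
    path = os.environ.get("GITHUB_EVENT_PATH")
    if not path or not os.path.exists(path):
        return name, {}
    with open(path, encoding="utf-8") as f:
        return name, json.load(f)


# Constructed sample payloads (trimmed to the fields used above).
FORK_EVENT = {
    "pull_request": {
        "head": {"sha": "a" * 40, "repo": {"full_name": "contributor/project", "fork": True}},
        "base": {"sha": "b" * 40, "repo": {"full_name": "org/project", "fork": False}},
    },
}
SAME_REPO_EVENT = {
    "pull_request": {
        "head": {"sha": "c" * 40, "repo": {"full_name": "org/project", "fork": False}},
        "base": {"sha": "b" * 40, "repo": {"full_name": "org/project", "fork": False}},
    },
}

if __name__ == "__main__":
    sample = [LintViolation("src/app.py", 12, 1, "E302 expected 2 blank lines")]
    mode = report(sample, "pull_request", FORK_EVENT, post_check_run=lambda vs: None)
    print(f"reporting mode: {mode}")
```

The annotations produced this way are attached to the job, not to a separate check run, so reviewers still see them inline on the diff; what is lost is the ability to fail a dedicated "Lintly" check, which is exactly the part the read-only token cannot do.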

joshuacwnewton commented 3 years ago

There is a workaround for this: Using the new-ish pull_request_target event trigger, rather than pull_request.

But, there are big caveats for using it: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
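
The caveat in the comment above is the whole point of the linked article: `pull_request_target` runs in the context of the base repository with a write-capable token and access to secrets, so if the workflow then checks out and executes code from the fork, a malicious PR can steal that token. The workflow fragments below are an added illustration, not configuration from the Lintly project or from this issue: the first shows the dangerous shape, the second splits the work so that the fork's code only ever runs with the read-only token and a separate `workflow_run` job on the base branch does the privileged reporting. Workflow names, `post_report.py`, and the action versions are assumptions.

```yaml
# Added example, not from the Lintly project. File names and post_report.py
# are hypothetical.

# .github/workflows/lint-unsafe.yml  (DO NOT USE)
# pull_request_target hands this job a write token plus secrets, and the
# job then installs and runs code taken from the fork's head commit.
# A PR that edits setup.py, a flake8 plugin or a pre-commit hook runs
# attacker code with that token.
name: lint-unsafe
on: pull_request_target
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # fork code...
      - run: pip install -e . && flake8 . | lintly           # ...executed with a write token
---
# .github/workflows/lint.yml  (untrusted half)
# Runs with the read-only token for fork PRs. It may execute fork code,
# because nothing here has write access or secrets; it only saves output.
name: lint
on: pull_request
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pip install flake8
      - run: flake8 . > flake8.txt || true
      - run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: lint-results
          path: |
            flake8.txt
            pr_number.txt
---
# .github/workflows/lint-report.yml  (privileged half)
# Triggered when the untrusted workflow finishes. Runs on the base branch's
# copy of this file, so the fork cannot change what happens here, and only
# gets the permissions it needs to post. The artifact is attacker-controlled
# data: post_report.py must treat flake8.txt as text and validate pr_number
# as an integer, never eval or execute anything from it.
name: lint-report
on:
  workflow_run:
    workflows: [lint]
    types: [completed]
permissions:
  checks: write
  pull-requests: write
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4          # base branch only; no fork code
      - uses: actions/download-artifact@v4 # assumed: v4 supports run-id/github-token
        with:
          name: lint-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - run: |
          pr="$(tr -cd '0-9' < pr_number.txt)"   # reject anything but digits
          test -n "$pr" || { echo "bad pr number"; exit 1; }
          python post_report.py flake8.txt "$pr"  # hypothetical reporter script
```

If `pull_request_target` is still preferred for simplicity, the minimum rule is the one from the linked article: never `checkout` the PR head and run its contents (install, build, test, linter plugins) in that job; check out only the base branch, or fetch the head as data and analyse it without executing it.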

joshuacwnewton commented 3 years ago

> There is a workaround for this: Using the new-ish pull_request_target event trigger, rather than pull_request.

Oops. There has been an issue for this open for months. Duplicate of #38.