diox
commented
2 months ago Dependabot PRs doesn't have access to secrets either, despite technically not being a fork.
In either case (forks/dependabot) access to secrets could be a security issue (especially if the change in the PR modifies the build script, but it's also problematic if the build ends up calling a package that is modified by the PR).
We worked around the original issue of not being able to use the build+push job by adding a condition around it:
if: ${{ github.event.pull_request.head.repo.fork == false && github.actor != 'dependabot[bot]' }}
KevinMind
What happened?
In github actions, workflows triggered by forks (and dependabot which is treated as a fork) do not have access to secrets and have a read only github token. This limits what workflows can do when triggered by events from forks.
https://docs.github.com/en/actions/security-guides/automatic-token-authentication https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
This forces us to rebuild the image in any jobs that use the
run-dockeraction. It's not the end of the world, but it is not very good DX and does cause forks to run in a slightly different way than origin.What did you expect to happen?
There should be a way to authenticate forked users to push images to their own package registry or to configure the workflow to push to the forks github pacagke registry namespace. Or we should consider not pushing images in CI and instead building, but this is less attractive as it is a performance hit and reduces the validity of CI.
Is there an existing issue for this?
┆Issue is synchronized with this Jira Task