sorenlouv / backport-github-action

Backport CLI tool as a Github Action
https://github.com/sqren/backport

Workflows don't run on backport PR #79

Open paulgessinger opened 2 years ago

paulgessinger commented 2 years ago

When the backport action creates the backport PR, I see GH action workflows not triggering on the PR commit (neither push nor pull_request trigger).

I'm guessing this has something to do with the PR being created from a GH action. If that's the case, this isn't really a feature of this project, but of GH actions itself.

I just thought I'd create an issue here to check if my assumption is correct, or if this can be worked around somehow.

sorenlouv commented 2 years ago

Hi @paulgessinger

I haven't seen this issue before. You can try creating a backport manually using the backport cli, and see if that causes the workflows to run as expected.

paulgessinger commented 2 years ago

With the CLI it does work, but I think that's because it uses a PAT, so the triggering user is me rather than the github actions user.

I'll try to validate this by supplying a PAT to the action that's different from the ${{ secrets.GITHUB_TOKEN }}.

paulgessinger commented 2 years ago

Indeed, using a PAT instead of ${{ secrets.GITHUB_TOKEN }} triggers the workflows on the backport PRs.

As per https://github.com/orgs/community/discussions/27028, a workaround might be to (optionally) have the action perform the git operations with a deploy SSH key. Those are apparently not restricted and can trigger workflow runs. I don't know however if a PR created by ${{ secrets.GITHUB_TOKEN }} with a branch pushed with a deploy key will get pull_request workflow triggers.

sorenlouv commented 2 years ago

Okay, thanks for verifying that.

If I understand correctly, deploy keys are SSH keys. The backport tool today does not use SSH keys but instead performs all actions against the remote using the provided access token:

https://github.com/sqren/backport/blob/dfd9a774f929c5adc8000a13ba1c5834ddb83d2a/src/lib/git.ts#L23

Are there any downsides to using a PAT over deploy keys?

paulgessinger commented 2 years ago

With a PAT, the PR is associated with the PAT's user (i.e. me), rather than a neutral entity. For my envisioned workflow, I can't then approve the backport PRs, because I'm the author, whereas I can approve bot PRs.

I didn't expect deploy keys to be a drop-in replacement / fix, I just mentioned this as a possible workaround that would require changes to the backport CLI.

sorenlouv commented 2 years ago

Ok, I see. A workaround I've seen elsewhere is to create a separate user with push permissions to the repo, then create a PAT for this user.
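The workaround discussed in the comments above, sketched as a workflow file. This is an added example, not written by the thread participants and not the project's own configuration. The secret name `BACKPORT_BOT_PAT`, the bot account and the `<version>` placeholder are assumptions; the trigger and merge condition are one plausible setup.

```yaml
# Added example: backport PRs opened with a dedicated bot account's PAT,
# so that push / pull_request workflows run on them and a human maintainer
# (who is not the PR author) can still approve.
name: Backport

on:
  pull_request_target:
    types: [labeled, closed]

# The default GITHUB_TOKEN gets no permissions. This assumes the backport
# step only uses the token passed through the github_token input.
permissions: {}

jobs:
  backport:
    runs-on: ubuntu-latest
    # Only act on merged PRs, never on unmerged changes from a fork.
    if: github.event.pull_request.merged == true
    steps:
      - name: Backport
        # Replace <version> with a release tag or, better, a full commit SHA.
        uses: sorenlouv/backport-github-action@<version>
        with:
          # BACKPORT_BOT_PAT is a hypothetical secret name. It holds a PAT
          # that belongs to a separate machine user, not to a maintainer.
          # Scope it to this repository only, with write access to contents
          # and pull requests and nothing else.
          # Weak setting for comparison (PRs created with it do not
          # trigger other workflows):
          #   github_token: ${{ secrets.GITHUB_TOKEN }}
          github_token: ${{ secrets.BACKPORT_BOT_PAT }}
```

Unlike `GITHUB_TOKEN`, the PAT does not expire when the job ends, so it should be rotated on a schedule and revoked if the bot account is no longer needed.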

laeubi commented 1 year ago

PRs created by an action do not trigger other workflows see: