nightlark closed 4 years ago
I will note that this is disabled by default to prevent secret exfiltration by non-collaborators. OTOH, I'm not sure if we currently have secrets. @jacksonargo?
@0az that’s not accurate. Secrets are not passed to the runner when the workflow is triggered from a forked repository.
In addition to that, when the workflow is triggered from a fork, the GITHUB_TOKEN it uses has read-only access to the repository, so it can’t be used to mess with things like issues or perform arbitrary git operations.
My bad – I remembered a very scary warning on that doc page, but evidently I misremembered its contents.
Currently, PRs from non-collaborators or collaborators who work in a fork don't have any tests running to check that their changes will work when merged. This change will trigger the testing workflow for pull requests from forks (no access to secrets).
195 is an example of what happens without this change -- it is waiting indefinitely for the required gofmt and shellcheck checks, but they will never run.