0az
commented
4 years ago I will note that this is disabled by default to prevent secret exfiltration by non-collaborators. OTOH, I'm not sure if we currently have secrets. @jacksonargo?
Closed nightlark closed 4 years ago
0az
commented
4 years ago I will note that this is disabled by default to prevent secret exfiltration by non-collaborators. OTOH, I'm not sure if we currently have secrets. @jacksonargo?
nightlark
commented
4 years ago @0az that’s not accurate. Secrets are not passed to the runner when the workflow is triggered from a forked repository.
nightlark
commented
4 years ago In addition to that, when the workflow is triggered from a fork the GITHUB_TOKEN it uses has read-only access to the repository so it can’t be used to mess with things like issues or perform arbitrary git operations.
0az
commented
4 years ago My bad – I remembered a very scary warning on that doc page, but evidently I misremembered its contents.
Currently, PRs from non-collaborators or collaborators who work in a fork don't have any tests running to check that their changes will work when merged. This change will trigger the testing workflow for pull requests from forks (no access to secrets).
195 is an example of what happens without this change -- it is waiting indefinitely for the required gofmt and shellcheck checks, but they will never run.