w3c / aria

Accessible Rich Internet Applications (WAI-ARIA)
https://w3c.github.io/aria/

Prettier throws errors on PRs opened from forks #2294

Closed spectranaut closed 3 weeks ago

spectranaut commented 3 months ago

See: https://github.com/w3c/aria/pull/2290

pkra commented 3 months ago

This appears to be a limitation of GitHub Actions (of this type) according to https://github.com/creyD/prettier_action/issues/54#issuecomment-858891671 (and the link from there).

spectranaut commented 3 months ago

Do we need some kind of requirement for people who open PRs against ARIA from different repos to run prettier locally on their branch?

smockle commented 3 months ago

I ran into this too, in https://github.com/w3c/aria/pull/2271#issuecomment-2228598838.

The error is happening in the checkout step (not the prettier step), because github.head_ref (.github/workflows/prettier.yaml#L19) is the fork’s branch name, which won’t exist in this repo.

We could revise the checkout step like this—

```yaml
uses: actions/checkout@v4
with:
  ref: ${{github.event.pull_request.head.ref}}
  repository: ${{github.event.pull_request.head.repo.full_name}}
  fetch-depth: 0
```

—that’d get us further, but we’d hit another problem: permissions. The default token used in w3c/aria’s workflow doesn’t have permissions to write (i.e. push commits) to random other repos (even forks).

There’s a two-part solution to that:

  1. The fork’s owner (presumably, the PR author) needs to “allow edits and access to secrets by maintainers”.[^1]

  2. We need to run the workflow using a bot account’s token, and that bot account needs to have “Write” access to this repo.

[^1]: Optionally, we can add a comment to PRs if the author hasn’t done this. Homebrew does this, via .github/workflows/publish-commit-bottles.yml#L45-L47.

daniel-montalvo commented 3 months ago

Thanks much @smockle for your detailed explanation. I'll take a look at this.

I would prefer for the fork’s owner (presumably, the PR author) to “allow edits and access to secrets by maintainers”. We don't currently have a bot account set up.
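The checkout change and the token limits discussed in this thread, as an added workflow example that is not w3c/aria's prettier.yaml and was not posted by any participant: fork PRs are only checked with a read-only token (so no bot account and no push to the fork is needed), while same-repo PRs are formatted and pushed. The job names, the direct `npx prettier` invocation, the notice text and the commit message are assumptions.

```yaml
# Added example, not the project's workflow. Job names, the npx prettier
# invocation and the commit message are assumptions.
name: prettier
on:
  pull_request:

permissions:
  contents: read   # default for every job; only the same-repo job gets write

jobs:
  # Fork PRs: check formatting only. Nothing is pushed, so no write token is needed.
  check-fork:
    if: github.event.pull_request.head.repo.full_name != github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The fork's branch only exists in the fork, so name the repository too.
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          persist-credentials: false   # keep the token out of .git/config
      - uses: actions/setup-node@v4
      - run: npx prettier --check .
      - if: failure() && !github.event.pull_request.maintainer_can_modify
        run: echo "::notice::Run prettier locally, or allow edits by maintainers on this PR."

  # Same-repo PRs: the branch exists here, so the default token can push the fix.
  fix-same-repo:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.head_ref }}
      - uses: actions/setup-node@v4
      - run: npx prettier --write .
      - run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          if ! git diff --quiet; then
            git commit -am "Apply prettier formatting"
            git push
          fi
```

Because the fork job runs on the `pull_request` event with `contents: read`, the fork's code and Prettier configuration never execute with a token that can write to this repository.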