Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Github actions don't work for pull requests created that involve a fork. #17324

Closed
talldan opened this issue Sep 4, 2019 · 9 comments · Fixed by #26876
Closed

Github actions don't work for pull requests created that involve a fork. #17324

talldan opened this issue Sep 4, 2019 · 9 comments · Fixed by #26876
Assignees
@talldan
Labels
[Status] In Progress Tracking issues with work in progress [Type] Automated Testing Testing infrastructure changes impacting the execution of end-to-end (E2E) and/or unit tests. [Type] Bug An existing feature does not function as intended

Comments

@talldan
Copy link
Contributor

talldan commented Sep 4, 2019

Describe the bug
As explained in the following link, our github actions won't work correctly on PRs where a fork is involved:
https://github.community/t5/GitHub-Actions/GitHub-Action-workflow-is-executed-for-a-PR-from-a-forked-repo/m-p/29579

TLDR - For security reasons, the action itself is run on the forked repo instead of the main repo, and so has no privileges for things like adding labels or milestones.

This is particularly an issue with the First-Time Contributor action, where the majority of PRs that involve first time contributors are from forks.

Ideally we'd be able to find a workaround for this. I've seen it mentioned that the push event can be used. Not entirely sure how that works for forks, perhaps opening the pull request triggers a push event as the base repo has a ref to the head of the branch pushed?
@talldan talldan added [Type] Bug An existing feature does not function as intended [Type] Automated Testing Testing infrastructure changes impacting the execution of end-to-end (E2E) and/or unit tests. labels Sep 4, 2019
@ScottBrenner
Copy link

ScottBrenner commented Sep 27, 2019
edited
Loading

This behavior has changed recently, it should work using the pull_request event https://help.github.com/en/articles/events-that-trigger-workflows#pull-request-events-for-forked-repositories

@talldan
Copy link
Contributor Author

talldan commented Sep 28, 2019

It's currently implemented using pull_request, but the issue is that forks only have a read-only token, so can't apply labels. The error shown on a recent PR is:

main: Task addFirstTimeContributorLabel failed with error: HttpError: Resource not accessible by integration

@frextrite
Copy link

It's currently implemented using pull_request, but the issue is that forks only have a read-only token, so can't apply labels. The error shown on a recent PR is:

main: Task addFirstTimeContributorLabel failed with error: HttpError: Resource not accessible by integration

I think what @ScottBrenner said was right. The pull_request event is supposed to fire on the base repository (which is what the docs say), however, currently, the event is being fired only when the PR is merged into master. Once that is fixed (unlikely to due security flaws?), the pull_request event workflow would run on the base repository and have the correct permissions for adding labels.

@talldan
Copy link
Contributor Author

talldan commented Oct 5, 2019

I see now that you'e referring to this part of the docs:

In this scenario, GitHub sends the pull_request event to the base repository and no pull request events occur on the forked repository

Which is unusual because when I checked at the time they were still being triggered from the forked repository, and the action was failing because of the rule.

however, currently, the event is being fired only when the PR is merged into master.

@frextrite what leads you to believe that the action is only triggered on a merge? Currently there's nothing in the way the workflow is configured to restrict when it should run:

gutenberg/.github/workflows/pull-request-automation.yml

Lines 1 to 14 in 9030e51

on: pull_request
name: Pull request automation
jobs:
pull-request-automation:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
# Changing into the action's directory and running `npm install` is much
# faster than a full project-wide `npm ci`.
- run: cd packages/project-management-automation && npm install
- uses: ./packages/project-management-automation
with:
github_token: ${{ secrets.GITHUB_TOKEN }}

There's some JavaScript logic so that the action only tries to add a label when a PR is opened:

gutenberg/packages/project-management-automation/lib/index.js

Lines 21 to 25 in 9030e51

{
event: 'pull_request',
action: 'opened',
task: addFirstTimeContributorLabel,
},

@justfathi
Copy link

Any update / change to this?

@nicolo-ribaudo nicolo-ribaudo mentioned this issue Oct 20, 2019
Closed
@JLHwung JLHwung mentioned this issue Oct 24, 2019
Open
@talldan
Copy link
Contributor Author

talldan commented Nov 1, 2019
edited
Loading

This thread seems to have the latest info from Github as of yesterday (31st Oct '19) - https://github.community/t5/GitHub-Actions/Github-Workflow-not-running-from-pull-request-from-forked/td-p/32979:

Unfortuately we were not able to addres the private repo and private fork scneario. It is something we still do plan to address but I do not have a delivery date at the moment.

@emmenko emmenko mentioned this issue Dec 31, 2019
Merged
muuki88 added a commit to sbt/sbt-native-packager that referenced this issue Jan 13, 2020
@muuki88
Remove labeler as it is broken for forks
3681e8a 
See WordPress/gutenberg#17324
This was referenced Feb 4, 2020
Merged
Closed
Merged
@aduth aduth added the [Status] Blocked Used to indicate that a current effort isn't able to move forward label Mar 19, 2020
@ccordoba12 ccordoba12 mentioned this issue Jul 27, 2020
Merged
@skorasaurus
Copy link
Member

skorasaurus commented Nov 10, 2020
edited
Loading

@talldan

This can now be resolved using the new pull_request_target ? https://github.community/t/github-workflow-not-running-from-pull-request-from-forked-repository/16379/48
It was just introduced in August.

Check out https://docs.github.com/en/free-pro-team@latest/actions/reference/events-that-trigger-workflows#pull_request_target

@talldan
Copy link
Contributor Author

talldan commented Nov 11, 2020

That's great, thanks for pointing that out @skorasaurus.

@talldan talldan removed the [Status] Blocked Used to indicate that a current effort isn't able to move forward label Nov 11, 2020
@talldan talldan mentioned this issue Nov 11, 2020
Closed
6 tasks
@github-actions github-actions bot added the [Status] In Progress Tracking issues with work in progress label Nov 11, 2020
@talldan
Copy link
Contributor Author

talldan commented Nov 11, 2020
edited
Loading

I've made a PR #26876 .

@talldan talldan mentioned this issue Nov 11, 2020
Merged
6 tasks
marcotc added a commit to DataDog/dd-trace-rb that referenced this issue Dec 7, 2020
@marcotc
Action: Fix milestone tagging not working for community PRs
c8030d0 
Reference issue: WordPress/gutenberg#17324 (comment)

Because the GitHub Action runs on our repository, it doesn't have permission to modify a community pull request, as those belong to the original forked repository.

This PR solves that by running the Action in the context of the original repository, by triggering from the `pull_request_target` event, instead of `pull_request`.
@marcotc marcotc mentioned this issue Dec 7, 2020
Merged
marcotc added a commit to DataDog/dd-trace-rb that referenced this issue Dec 8, 2020
@marcotc
Action: Fix milestone tagging not working for community PRs (#1278)
3693a83 
Reference issue: WordPress/gutenberg#17324 (comment)

Because the GitHub Action runs on our repository, it doesn't have permission to modify a community pull request, as those belong to the original forked repository.

This PR solves that by running the Action in the context of the original repository, by triggering from the `pull_request_target` event, instead of `pull_request`.
@aequitas aequitas mentioned this issue Feb 9, 2021
Merged
@mtazzari mtazzari mentioned this issue Mar 11, 2021
Open
@brdlyptrs brdlyptrs mentioned this issue Mar 18, 2021
Closed
@afinetooth afinetooth mentioned this issue Apr 28, 2021
Closed
@akshayka akshayka mentioned this issue Jun 9, 2021
Merged
5 tasks
@paul121 paul121 mentioned this issue Nov 2, 2021
Merged
littleRoundaer added a commit to littleRoundaer/sbt-native-packager that referenced this issue Jul 19, 2022
@littleRoundaer @muuki88
Remove labeler as it is broken for forks
4c7a1d8 
See WordPress/gutenberg#17324
@ablok ablok mentioned this issue Oct 28, 2022
Merged
This was referenced Aug 21, 2023
Merged
Merged
@mattjmeier mattjmeier mentioned this issue Oct 24, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@talldan talldan

Labels
[Status] In Progress Tracking issues with work in progress [Type] Automated Testing Testing infrastructure changes impacting the execution of end-to-end (E2E) and/or unit tests. [Type] Bug An existing feature does not function as intended
Projects
None yet
Milestone
No milestone
6 participants
@ScottBrenner @talldan @skorasaurus @aduth @justfathi @frextrite