Support PRs from fork

[drdanz]

When trying to rebase a PR from a fork repository, the action fails with this message:

"PRs from forks are not supported at the moment."

It would be very useful if this was supported.

From the git point of view it shouldn't be very difficult to do, something like this should do the trick (untested, but should work):

 # make sure branches are up-to-date
 git fetch origin $BASE_BRANCH
-git fetch origin $HEAD_BRANCH
+
+git remote add fork https://x-access-token:$GITHUB_TOKEN@github.com/$HEAD_REPO.git
+git fetch fork $HEAD_BRANCH
 
 # do the rebase
-git checkout -b $HEAD_BRANCH origin/$HEAD_BRANCH
+git checkout -b $HEAD_BRANCH fork/$HEAD_BRANCH
+git rebase origin/$BASE_BRANCH
 
 # push back
-git push --force-with-lease
+git push --force-with-lease fork $HEAD_BRANCH

My only issue is that I don't know if the GITHUB_TOKEN works also on fork repositories

[fkorotkov]

Unfortunately, GITHUB_TOKEN was not working with forks at the time. I don't think anything change. There was an issue on https://github.community/ about the problems but I wasn't able to find it now. 🤔

[drdanz]

I was able to solve a similar issue (pushing on protected branches) in a different action.

Instead of using GITHUB_TOKEN for the push, the user creates a secret (e.g. FOO_TOKEN) that contains the token of one of the developers of the project, adds it to the environment, and adds an option (push_token) that contains the name of that secret.

The same thing should work for PRs from forks, assuming that the Allow edit from maintainers option is checked.

I hope this helps...

[fkorotkov]

@drdanz seems your workaround will work for the action then! You can create GITHUB_OAUTH_TOKEN variable from your personal OAuth token and use it with the action:

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_OAUTH_TOKEN }}

Then action will act on your user's behalf 🤔

[sobolevn]

What are the risks of including a personal token in a Github Action?
What scopes should it have?

[ljharb]

Secrets are not exposed to PRs from forks, so this is not a viable workaround.

[vorburger]

Background: https://issues.apache.org/jira/browse/FINERACT-829

Is there really no way around this? I've reached out to ask GitHub Support for any advice, let's see.

https://github.com/tibdex/autosquash seems another action that is vaguely similar to this one (only in the sense that it also does stuff to commits on PRs) - does anyone understand how that gets around this problem? @tibdex do you want to chime in here?

[drdanz]

@vorburger #17 addresses this issue.
I've been using it successfully from my branch for several months now, see https://github.com/robotology/yarp/blob/master/.github/workflows/rebase-pr.yml

[ljharb]

I've been using a fork of this: https://github.com/ljharb/rebase which works, but the automatic rebase + force push doesn't work on fork PRs (the majority) because github actions' user doesn't have the same permissions as collaborators. I don't think there's a workaround yet short of running your own server.

[gep13]

Apologies for commenting on an older issue, but I was hoping to follow up with @drdanz regarding this comment:

@drdanz said...
I've been using it successfully from my branch for several months now, see https://github.com/robotology/yarp/blob/master/.github/workflows/rebase-pr.yml

You seem to be using a rebase action from your own fork, and your entrypoint.sh seems to be a bit different to the entrypoint.sh contained within this repo. Can you perhaps help me understand what is different on your fork? I would really like a reliable way to rebase PR's from forks, but this action doesn't quite do what I was hoping, and I was wondering what your fork of it might do. Thanks

[vorburger]

FYI it now works great for us on https://github.com/apache/fineract/

[gep13]

@vorburger do you also rebase PR's from forks into the repository? That is where I was still seeing issues. If so, what happens if someone who doesn't have contributor rights to the organisation uses the `/rebase' command?

[gep13]

And by PR's I mean PR's from other forks other than your own. Thanks for getting back to me about this, I appreciate it!

[vorburger]

In our project (Apache Fineract), the person typing /rebase is typically a maintainer (committer). It definitely works even for forks for us, between commiters, but also if the PR is from a contributor (who doesn't have push permission). -- I think they need to have that flag about "let others update this PR" thing, which seems to be on, by default. What I'm not sure if it works is for a contributor to use /rebase. I'd imagine for their own PR it should - why wouldn't it? Try... But it may not for others' - but perhaps you'd consider that "a feature, not a big"(tm)... ;-)

…

[revolter]

What scopes should it have?

I want to know this too.