Potential workaround for using workflow with forks

[efb4f5ff-1298-471a-8973-3d47447115dc]

Hi there,

i just wanted to thank you for creating this awesome workflow! It perfectly fits our usecase.

I hope u have a nice day!

[danilo-delbusso]

Hi @efb4f5ff-1298-471a-8973-3d47447115dc
Thank you :)

FYI this repo is not being worked on because it doesn't support PRs opened from forks.

In fact, I can see you've had this issue when running it in your app (see here)

 (node:[15](https://github.com/FreeTubeApp/FreeTube/runs/5958363146?check_suite_focus=true#step:2:15)35) UnhandledPromiseRejectionWarning: HttpError: Resource not accessible by integration
    at /home/runner/work/_actions/danilo-delbusso/pr-review-labeller/v1.1.1/node_modules/@octokit/request/dist-node/index.js:86:21
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async runAction (/home/runner/work/_actions/danilo-delbusso/pr-review-labeller/v1.1.1/index.js:73:20)
(node:1535) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:1535) [DEP00[18](https://github.com/FreeTubeApp/FreeTube/runs/5958363146?check_suite_focus=true#step:2:18)] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

If you're using GITHUB_TOKEN, you'll only be able to use this action for PRs opened within the same repository.

If you're planning to support PRs opened from forks, you'll need to create an ad-hoc token from the repository settings, and give it: read permissions for the PRs, and readwrite permissions for the labels. GitHub doesn't offer this level of granularity in regards to permissions, so you'll likely give access to much more. Please read the docs carefully.

Otherwise, you can enable the option to Send write tokens to workflows from pull requests. However, this is a high risk option, as described in the docs.

See this comment for more information: xenserver/xenadmin#2875 (comment)

[efb4f5ff-1298-471a-8973-3d47447115dc]

Hi @efb4f5ff-1298-471a-8973-3d47447115dc Thank you :)

You're welcome @danilo-delbusso :)

FYI this repo is not being worked on because it doesn't support PRs opened from forks.

In fact, I can see you've had this issue when running it in your app (see here)

 (node:[15](https://github.com/FreeTubeApp/FreeTube/runs/5958363146?check_suite_focus=true#step:2:15)35) UnhandledPromiseRejectionWarning: HttpError: Resource not accessible by integration
    at /home/runner/work/_actions/danilo-delbusso/pr-review-labeller/v1.1.1/node_modules/@octokit/request/dist-node/index.js:86:21
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async runAction (/home/runner/work/_actions/danilo-delbusso/pr-review-labeller/v1.1.1/index.js:73:20)
(node:1535) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:1535) [DEP00[18](https://github.com/FreeTubeApp/FreeTube/runs/5958363146?check_suite_focus=true#step:2:18)] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

If you're using GITHUB_TOKEN, you'll only be able to use this action for PRs opened within the same repository.

If you're planning to support PRs opened from forks, you'll need to create an ad-hoc token from the repository settings, and give it: read permissions for the PRs, and readwrite permissions for the labels. GitHub doesn't offer this level of granularity in regards to permissions, so you'll likely give access to much more. Please read the docs carefully.

Otherwise, you can enable the option to Send write tokens to workflows from pull requests. However, this is a high risk option, as described in the docs.

See this comment for more information: xenserver/xenadmin#2875 (comment)

Thank you for all the information u have provided. We'll evaluate further internally if we want to create the token and take a risk with it.

[efb4f5ff-1298-471a-8973-3d47447115dc]

Hi @danilo-delbusso so we tried testing it out with creating a token like u suggested but it just doesnt seems to be working. We even tried to give all permission possible to the token but that also didnt work.

Edit: did u got it working like this or with another configuration? If so i would really like to know how.

[danilo-delbusso]

Hi @efb4f5ff-1298-471a-8973-3d47447115dc I did not test it I'm afraid.
You'll have to either wait for GitHub, use this function or possibly try this workaround (which I have not tested, either)

[efb4f5ff-1298-471a-8973-3d47447115dc]

Hi @danilo-delbusso thank you for ur reply
I've tested the workaround and it seems to be working perfectly but i still get the error. Do you think that i should be worried about that?

(node:1497) UnhandledPromiseRejectionWarning: TypeError: Cannot read property 'forEach' of undefined
    at /home/runner/work/_actions/Naturalclar/issue-action/v2.0.2/lib/index.js:4612:23
    at Array.forEach (<anonymous>)
    at /home/runner/work/_actions/Naturalclar/issue-action/v2.0.2/lib/index.js:4611:22
    at Generator.next (<anonymous>)
    at /home/runner/work/_actions/Naturalclar/issue-action/v2.0.2/lib/index.js:4591:71
    at new Promise (<anonymous>)
    at module.exports.360.__awaiter (/home/runner/work/_actions/Naturalclar/issue-action/v2.0.2/lib/index.js:4587:12)
    at Object.module.exports.360.exports.setIssueAssignee (/home/runner/work/_actions/Naturalclar/issue-action/v2.0.2/lib/index.js:4598:57)
    at /home/runner/work/_actions/Naturalclar/issue-action/v2.0.2/lib/index.js:4303:36
    at Generator.next (<anonymous>)
(node:1497) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:1497) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

[danilo-delbusso]

Hi @efb4f5ff-1298-471a-8973-3d47447115dc

Error seems to be related to another action, not the one in this repo. Looks like
https://github.com/Naturalclar/issue-action

I'd be happy to make changes to this one if you're encountering errors or similar.

[efb4f5ff-1298-471a-8973-3d47447115dc]

My apologies @danilo-delbusso i had send the wrong log. So the previous workflow (https://github.com/Naturalclar/issue-action) that i published the log of does work with the provided workaround but gives the error. Your workflow unfortunately gives me the same error as before and does not work. I have a hunch why the previous workflow does work and yours doesn't.

On the previous workflow i first used pull_request: but that didn't work. After that i used pull_request_target: and that one did work. At this moment it is not possible to use pull_request_target: with your workflow because it explicitly tells me to use pull_request:. Is it possible for u to make pull_request_target: available for your workflow?

edit: i can confirm that the issue is related to pull_request: because i have tested this with a third workflow. So 2/3 workflows that first didnt run because of this issue are now resolved thanks to the workaround u provided.

[danilo-delbusso]

My apologies @danilo-delbusso i had send the wrong log. So the previous workflow (https://github.com/Naturalclar/issue-action) that i published the log of does work with the provided workaround but gives the error. Your workflow unfortunately gives me the same error as before and does not work. I have a hunch why the previous workflow does work and yours doesn't.

On the previous workflow i first used pull_request: but that didn't work. After that i used pull_request_target: and that one did work. At this moment it is not possible to use pull_request_target: with your workflow because it explicitly tells me to use pull_request:. Is it possible for u to make pull_request_target: available for your workflow?

edit: i can confirm that the issue is related to pull_request: because i have tested this with a third workflow. So 2/3 workflows that first didnt run because of this issue are now resolved thanks to the workaround u provided.

Hi @efb4f5ff-1298-471a-8973-3d47447115dc thanks for looking into it yourself.

I have updated the action. You can use v1.2.3. It supports the use of either pull_request and pull_request_target.

I haven't tested it with the workaround you're using, so if you're encountering issues please let me know and I'll see what I can do

[efb4f5ff-1298-471a-8973-3d47447115dc]

Hi @danilo-delbusso, I've updated the workflow and i unfortunately get this error.

Run danilo-delbusso/pr-review-labeller@v1.2.3
Input checks completed.
Found 1 existing labels.
Found 1 PR reviews.
New PR labels: ["PR: changes requested"]
(node:1541) UnhandledPromiseRejectionWarning: HttpError: Resource not accessible by integration
    at /home/runner/work/_actions/danilo-delbusso/pr-review-labeller/v1.2.3/node_modules/@octokit/request/dist-node/index.js:86:21
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
    at async runAction (/home/runner/work/_actions/danilo-delbusso/pr-review-labeller/v1.2.3/index.js:73:20)
(node:1541) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag `--unhandled-rejections=strict` (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)
(node:1541) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

This is how i set up the label-changes-requested.yml workflow that does work on other workflows.

name: Changes Requested
on:
  pull_request_review:
    types: [submitted]
  pull_request_target:
    types: [synchronize]
  workflow_run:
    workflows: ['Dummy workflow for label-changes-requested']
    types: [requested]

jobs:
  update-pr-labels:
    runs-on: ubuntu-latest
    name: Update PR Labels
    steps:
      - name: Update Labels
        uses: danilo-delbusso/pr-review-labeller@v1.2.3
        with:
          changes-requested-label-name: "PR: changes requested"
          updated-pr-label-name: "PR: waiting for review"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

The only things modified are the pull_request_target: and

workflow_run:
    workflows: ['Dummy workflow for label-changes-requested']
    types: [requested]

In order to let this workflow run successfully we also need a dummy workflow dummy-label-changes-requested.yml

name: Dummy workflow for label-changes-requested
on:
  pull_request_review:
    types: [submitted]
jobs:
  dummy:
    runs-on: ubuntu-latest
    steps:
      - run: echo "this is a dummy workflow that triggers a workflow_run; it's necessary because otherwise the repo secrets will not be in scope for externally forked pull requests"

If u want to check out a workflow that does work this way u can use my conflicts.yml

name: "Conflicts"
on:
  # So that PRs touching the same files as the push are updated
  push:
  # So that the `dirtyLabel` is removed if conflicts are resolve
  # We recommend `pull_request_target` so that github secrets are available.
  # In `pull_request` we wouldn't be able to change labels of fork PRs
  pull_request_target:
    types: [synchronize]
  workflow_run:
    workflows: ['Dummy workflow for conflicts']
    types: [requested]

jobs:
  main:
    runs-on: ubuntu-latest
    steps:
      - name: check if prs are dirty
        uses: eps1lon/actions-label-merge-conflict@releases/2.x
        with:
          dirtyLabel: "PR: merge conflicts / rebase needed"
          removeOnDirtyLabel: "PR: waiting for review"
          repoToken: "${{ secrets.GITHUB_TOKEN }}"
          commentOnDirty: "This pull request has conflicts, please resolve those before we can evaluate the pull request."
          commentOnClean: "Conflicts have been resolved. A maintainer will review the pull request shortly."

dummy workflow dummy-conflicts.yml

name: Dummy workflow for conflicts
on:
  pull_request_review:
    types: [submitted]
jobs:
  dummy:
    runs-on: ubuntu-latest
    steps:
      - run: echo "this is a dummy workflow that triggers a workflow_run; it's necessary because otherwise the repo secrets will not be in scope for externally forked pull requests"

Edit: i also want to note that i didnt change anything in our repo settings related to the links u provided. It is all set to default.

[danilo-delbusso]

@efb4f5ff-1298-471a-8973-3d47447115dc I am happy to take a look but you might have to wait a couple of weeks as I am quite busy at work lately. Feel free to send a reminder here or via mail.

If you want to submit a PR, I'd be happy to review it, too.

[efb4f5ff-1298-471a-8973-3d47447115dc]

@efb4f5ff-1298-471a-8973-3d47447115dc I am happy to take a look but you might have to wait a couple of weeks as I am quite busy at work lately. Feel free to send a reminder here or via mail.

If you want to submit a PR, I'd be happy to review it, too.

@danilo-delbusso i have no problem with waiting :)
Im unfortunately not that knowledgeable on workflows/github actions to submit a PR :(
Also i like to have said that i really appreciate ur help on this!

[efb4f5ff-1298-471a-8973-3d47447115dc]

@efb4f5ff-1298-471a-8973-3d47447115dc I am happy to take a look but you might have to wait a couple of weeks as I am quite busy at work lately. Feel free to send a reminder here or via mail.

Hi @danilo-delbusso just sending u a ping as a reminder of this issue.