ci: unblock fork PRs (SENTRY_CLIENT_ID fallback + fork-safe checkout)#813
Merged
- build-binary/build-npm: fall back to a dummy SENTRY_CLIENT_ID when vars.SENTRY_CLIENT_ID isn't available (fork PRs). The resulting binary is only smoke-tested (--help) and never shipped, so any non-empty value works; tests already tolerate the dummy via test/preload.ts.
- check-generated: fork PRs leave `ref` empty so checkout uses GITHUB_REF (PR merge SHA) instead of requesting a branch that only exists on the fork. Same-repo PRs still check out the branch head so auto-commit can push back.

Fixes the three failures on PR #806.
Codecov Results 📊 ✅ 138 passed | Total: 138 | Pass Rate: 100% | Execution Time: 0ms

📊 Comparison with Base Branch

✨ No test changes detected. All tests are passing successfully. ✅ Patch coverage is 100.00%. Project has 1951 uncovered lines.

Coverage diff:

```
@@            Coverage Diff             @@
##             main      #PR      +/-   ##
==========================================
- Coverage   95.21%   95.19%   -0.02%
==========================================
  Files         282      282
  Lines       40577    40576       -1
  Branches        0        0
==========================================
+ Hits        38633    38625       -8
- Misses       1944     1951       +7
- Partials        0        0
```

Generated by Codecov Action
Both values are referenced in multiple jobs/steps (build-binary, build-npm, build-docs). Moving them to the workflow-level `env:` block eliminates repetition and keeps the fork-PR fallback in one place.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 343bff7.
Cursor Bugbot caught that SENTRY_AUTH_TOKEN is scoped to the production GitHub environment. Workflow-level env is evaluated before a job's `environment:` is applied, so hoisting it there would resolve the secret against repo-level secrets only — silently breaking sourcemap uploads.

- build-binary / build-npm: re-add SENTRY_AUTH_TOKEN at step level.
- build-docs: declare at job level so the `if: env.SENTRY_AUTH_TOKEN != ''` guard on the sourcemap-upload step can see it (job-level env is resolved after `environment:` is applied).

SENTRY_CLIENT_ID stays at workflow level since it's a repo-level var, not environment-scoped.
BYK added a commit that referenced this pull request on Apr 22, 2026:
## Summary

Follow-up to #813. The `Docs Preview` workflow (`docs-preview.yml`) tries to push to the base repo's `gh-pages` branch, but fork PRs get a read-only `GITHUB_TOKEN` and fail with HTTP 403 (`Permission to getsentry/cli.git denied to github-actions[bot]`). Observed on [PR #806 / run 24776423153](https://github.com/getsentry/cli/actions/runs/24776423153/job/72495750855?pr=806) after rebasing onto main.

## Fix

Gate the `.nojekyll` setup step and the `Deploy Preview` step with `if: github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request'`. The build step still runs unconditionally so docs compilation errors surface on fork PRs — just no live preview published.

## Test plan

- Same-repo PRs / pushes to main: unchanged, preview still deploys.
- Fork PR #806: re-run CI after this merges; `preview` job should succeed (build + skip deploy).

## Summary

1. `check-generated` checks out `github.head_ref` from the base repo, but that branch only exists on the fork → `git fetch` exits 1.
2. `build-binary` and `build-npm` hard-fail because `${{ vars.SENTRY_CLIENT_ID }}` isn't reaching fork jobs (likely blocked by the `getsentry` org's "Send variables to fork PR workflows" policy).
3. `CI Status` fails because of (1) and (2).

## Fix

- `check-generated` checkout: condition `ref:` on whether the app token step succeeded. Same-repo PRs keep the branch-head checkout (so auto-commit can `git push` regenerated docs back). Fork PRs leave `ref` empty → `actions/checkout` defaults to `GITHUB_REF` (the PR merge SHA, always fetchable from the base repo with `github.token`).
- `build-binary`/`build-npm` env: fall back to a dummy `SENTRY_CLIENT_ID` when `vars.SENTRY_CLIENT_ID` is empty. All tests in the repo already tolerate any non-empty value (see `test/preload.ts` and the `"test-client-id"` defaults in e2e tests); CI smoke tests are `--help` only. PR binaries never ship, so runtime OAuth paths aren't exercised.

## What doesn't change

- `main`/`release/**` pushes still bake the real `vars.SENTRY_CLIENT_ID` into the binary.
- `script/build.ts` and `script/bundle.ts` keep their hard-fail guard — useful dev ergonomic for local builds.
- `pull_request_target`, no new secret exposure, no org-policy change.

## Test plan
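As an added illustration, not the project's actual workflow file, the fragment below puts the three patterns discussed in this PR and in the follow-up comment side by side: the workflow-level var fallback for fork PRs, the checkout whose `ref` is conditioned on the app-token step, and the environment-scoped secret declared at job level so a step `if:` can see it. The app-token step, the var/secret names `APP_ID` and `APP_PRIVATE_KEY`, and the placeholder `run:` commands are assumptions.

```yaml
name: ci
on:
  pull_request:
  push:
    branches: [main]

env:
  # Repo-level vars are withheld from fork PR workflows, so the expression
  # falls back to a non-empty dummy that only has to satisfy the build's
  # hard-fail guard (assumed placeholder value; PR binaries are never shipped).
  SENTRY_CLIENT_ID: ${{ vars.SENTRY_CLIENT_ID || 'fork-pr-dummy-client-id' }}

jobs:
  check-generated:
    runs-on: ubuntu-latest
    steps:
      - id: app-token
        # Secrets are empty on fork PRs, so this step fails there; keep going
        # and let the checkout below decide based on the step outcome.
        uses: actions/create-github-app-token@v1
        continue-on-error: true
        with:
          app-id: ${{ vars.APP_ID }}                    # assumed var name
          private-key: ${{ secrets.APP_PRIVATE_KEY }}   # assumed secret name
      - uses: actions/checkout@v4
        with:
          # Same-repo PR: branch head, so auto-commit can push regenerated docs back.
          # Fork PR: empty ref, so actions/checkout uses GITHUB_REF (the PR merge SHA,
          # which always exists in the base repo and is fetchable with github.token).
          ref: ${{ steps.app-token.outcome == 'success' && github.head_ref || '' }}
          token: ${{ steps.app-token.outputs.token || github.token }}

  build-docs:
    runs-on: ubuntu-latest
    environment: production
    # Job-level env is resolved after `environment:` is applied, so the
    # environment-scoped secret is visible here; at workflow level it would
    # resolve against repo-level secrets only and come back empty.
    env:
      SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - run: echo "build docs"                 # placeholder for the real build step
      - name: Upload sourcemaps
        # Empty on fork PRs (no environment secrets), so the upload is skipped
        # rather than failing with an unauthenticated request.
        if: env.SENTRY_AUTH_TOKEN != ''
        run: echo "would upload sourcemaps"    # placeholder for the real upload
```

Note that the fallback value is injected at workflow level only because `SENTRY_CLIENT_ID` is a repo-level var; a secret bound to a GitHub environment has to stay at job or step level, as the comment above describes.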