Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Run preview.yaml without secret key #38

Merged
merged 1 commit into from
Apr 18, 2024
Merged

Run preview.yaml without secret key #38

merged 1 commit into from
Apr 18, 2024

Conversation

b10n1k
Copy link
Collaborator

@b10n1k b10n1k commented Apr 10, 2024
edited
Loading

To avoid the use of secret variable in CI which breaks the pr-preview-action when it runs from forked repo, the preview.yaml is updated to use pull_request_target event instead of pull_request. Permissions are removed as the GITHUB_TOKEN is granted read/write repository permission by default for that event.

https://progress.opensuse.org/issues/158236

okurz
okurz reviewed Apr 11, 2024
View reviewed changes
Copy link
Member

@okurz okurz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, did you try it out? Why draft? I would be ok to just merge to actually try it out if there is no better way to test

perlpunk
perlpunk previously requested changes Apr 11, 2024
View reviewed changes
Copy link
Contributor

@perlpunk perlpunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this change this workflow will now be called from the main branch and only test the code from the main branch, so it's pointless this way.
The new code from the PR has to be checked out manually.

@b10n1k
Copy link
Collaborator Author

b10n1k commented Apr 11, 2024

The new code from the PR has to be checked out manually

i removed the branch, so it should run for every push.

perlpunk
perlpunk reviewed Apr 11, 2024
View reviewed changes
.github/workflows/backlogger.yaml Outdated
@@ -3,7 +3,6 @@ name: Backlog Limits Checker Preview
# yamllint disable-line rule:truthy
on:
push:
branches: ['main']
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to stay there. We only want to deploy for commits on the main branch.

@perlpunk
Copy link
Contributor

The new code from the PR has to be checked out manually

i removed the branch, so it should run for every push.

What I mean is: pull_request_target checks out the main branch. You cannot just convert pull_request to pull_request_target and everything works the same.
https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

This event runs in the context of the base of the pull request, rather than in the context of the merge commit, as the pull_request event does. This prevents execution of unsafe code from the head of the pull request that could alter your repository or steal any secrets you use in your workflow.

Since we decided that we want to run unsafe code from the PR explicitly, we need to check out that branch.

@b10n1k b10n1k marked this pull request as ready for review April 12, 2024 08:40
@b10n1k
Copy link
Collaborator Author

b10n1k commented Apr 12, 2024
edited
Loading

The new code from the PR has to be checked out manually

i removed the branch, so it should run for every push.

What I mean is: pull_request_target checks out the main branch. You cannot just convert pull_request to pull_request_target and everything works the same. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

This event runs in the context of the base of the pull request, rather than in the context of the merge commit, as the pull_request event does. This prevents execution of unsafe code from the head of the pull request that could alter your repository or steal any secrets you use in your workflow.

Since we decided that we want to run unsafe code from the PR explicitly, we need to check out that branch.

I think i got it but i am struggled to understand some concepts with pull_request_target and what it takes to checkout the PR and run against it. @perlpunk please check again 883aa24

@b10n1k
Run preview.yaml without secret key
883aa24 
To avoid the use of secret variable in CI which breaks the pr-preview-action
when it runs from forked repo, the preview.yaml is updated to use
pull_request_target event instead of pull_request. Permissions are removed as
the GITHUB_TOKEN is granted read/write repository permission by default for
that event.

https://progress.opensuse.org/issues/158236

Signed-off-by: ybonatakis <ybonatakis@suse.com>
@b10n1k b10n1k requested a review from perlpunk April 12, 2024 08:47
okurz
okurz approved these changes Apr 12, 2024
View reviewed changes
Copy link
Member

@okurz okurz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a not-critical project so I would simply have that quickly merged and see what happens

@perlpunk perlpunk dismissed their stale review April 12, 2024 11:04

changes were made

@perlpunk perlpunk merged commit 38d6dfc into openSUSE:main Apr 18, 2024
1 check passed
@perlpunk
Copy link
Contributor

#40 is not doing what's expected.
Possibly because the action is actually doing a checkout itself: https://github.com/openSUSE/backlogger/blob/main/action.yaml#L32

@b10n1k b10n1k deleted the workaround_forked_ci branch April 22, 2024 07:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@perlpunk perlpunk perlpunk approved these changes

@okurz okurz okurz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@b10n1k @perlpunk @okurz