make workflows on PRs from forks work again (#41577)

qgis · Feb 16, 2021 · 1d53f75497a503126920b31ed2966cc6e7d6f4df · 1d53f75
1 parent 01889d9
commit 1d53f75497a503126920b31ed2966cc6e7d6f4df
Unified Split

Showing with 5 additions and 26 deletions.

+2 −9 .github/workflows/pr-needs-docs-message.yml

+0 −1 .github/workflows/pr_to_doc_issue.md

+3 −16 .github/workflows/pr_to_doc_issue.yml
diff --git a/.github/workflows/pr-needs-docs-message.yml b/.github/workflows/pr-needs-docs-message.yml
@@ -1,7 +1,7 @@
 name: Ping PR author about documentation
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - opened
       - labeled
@@ -10,19 +10,12 @@ jobs:
     if: github.event.label.name == 'Needs Documentation'
     runs-on: ubuntu-latest
     steps:
-      # obfuscate the github token so it can be used on jobs triggered from forks
-      - name: Clear GH Token
-        id: token
-        uses: opengisch/clear-token@v1.0.12
-        with:
-          bot_token_encrypted: ddbdec32940df79f1adf2369b4b10f10b5a66f65
-          bot_token_xor_key: a1b2c3d47311f8e29e204f85a81b4df4a44e252c
 
       # write comment to ping the PR author
       - name: Create comment
         uses: peter-evans/create-or-update-comment@v1
         with:
-          token: ${{ steps.token.outputs.token }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.pull_request.number }}
           body: |
             @${{ github.event.pull_request.user.login }}

diff --git a/.github/workflows/pr_to_doc_issue.md b/.github/workflows/pr_to_doc_issue.md
@@ -16,5 +16,4 @@ Example:
 ## How it works
 
 * A Github [workflow]( https://github.com/qgis/QGIS/blob/master/.github/workflows/pr_to_doc_issue.yml) takes care of creating the issue and commenting.
-* To make it works on jobs triggered from forks (almost all PRs actually), the Github token has to be manually given. Since it cannot be written in clear, an [action](https://github.com/opengisch/clear-token) obfuscates its using xor encryption.
 * The labels on QGIS-Documentation are deduced from the PR milestone (e.g. 3.10.2 => 3.10). To label issues, push access is required. Due to security reasons (the token appears in clear), qgis-bot has no specific rights. Labels are created using a [workflow](https://github.com/qgis/QGIS-Documentation/blob/master/.github/workflows/auto-label.yml).
diff --git a/.github/workflows/pr_to_doc_issue.yml b/.github/workflows/pr_to_doc_issue.yml
@@ -2,7 +2,7 @@
 name: Documentation issue for labeled PR
 
 on:
-  pull_request:
+  pull_request_target:
     types:
       - closed
       - labeled
@@ -13,15 +13,6 @@ jobs:
     name: Create issue on doc repo for labeled issue
     steps:
 
-      # obfuscate the github token so it can be used on jobs triggered from forks
-      - name: Clear GH Token
-        if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( github.event.pull_request.labels.*.name, 'Needs Documentation') ) || github.event.label.name == 'Needs Documentation' )
-        id: token
-        uses: opengisch/clear-token@v1.0.12
-        with:
-          bot_token_encrypted: ddbdec32940df79f1adf2369b4b10f10b5a66f65
-          bot_token_xor_key: a1b2c3d47311f8e29e204f85a81b4df4a44e252c
-
       # transform the milestone (e.g. 3.10.4) to a doc label (3.10)
       - name: QGIS milestone to Doc label
         if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( github.event.pull_request.labels.*.name, 'Needs Documentation') ) || github.event.label.name == 'Needs Documentation' )
@@ -39,8 +30,6 @@ jobs:
         if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( github.event.pull_request.labels.*.name, 'Needs Documentation') ) || github.event.label.name == 'Needs Documentation' )
         id: get_pr_info
         uses: octokit/request-action@v2.x
-        env:
-          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with:
           route: GET /repos/qgis/QGIS/pulls/:pull_number
           pull_number: ${{ github.event.pull_request.number }}
@@ -59,8 +48,6 @@ jobs:
         if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( github.event.pull_request.labels.*.name, 'Needs Documentation') ) || github.event.label.name == 'Needs Documentation' )
         uses: octokit/request-action@v2.x
         id: get_pr_commits
-        env:
-          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
         with:
           route: GET /repos/qgis/QGIS/pulls/:pull_number/commits
           pull_number: ${{ github.event.pull_request.number }}
@@ -81,7 +68,7 @@ jobs:
         id: doc_issue
         uses: maxkomarychev/oction-create-issue@v0.7.1
         with:
-          token: ${{ steps.token.outputs.token }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           owner: qgis
           repo: QGIS-Documentation
           title: ${{ format('{0} (Request in QGIS)', github.event.pull_request.title) }}
@@ -107,7 +94,7 @@ jobs:
         if: github.event.pull_request.merged && ( ( github.event.action == 'closed' && contains( github.event.pull_request.labels.*.name, 'Needs Documentation') ) || github.event.label.name == 'Needs Documentation' )
         uses: peter-evans/create-or-update-comment@v1
         with:
-          token: ${{ steps.token.outputs.token }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           issue-number: ${{ github.event.pull_request.number }}
           body: |
             @${{ github.event.pull_request.user.login }}