Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request: pull_request_target support #27

Open
1 task done
carmocca opened this issue Sep 12, 2022 · 1 comment
Open
1 task done

Request: pull_request_target support #27

carmocca opened this issue Sep 12, 2022 · 1 comment

Comments

@carmocca
Copy link

carmocca commented Sep 12, 2022
edited
Loading

Is there an existing issue that is already proposing this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe it

This GitHub action requires access to a CCI_TOKEN. Because of GitHub's security, forks do not have access to secrets. So the CircleCI job will not trigger when the pull_request event is used:

Failed to trigger CircleCI Pipeline
  Error: Error: Request failed with status code 403
  Error: Request failed with status code 403

To resolve this, I thought of using the pull_request_target event, where CI runs with the base of the branch so secrets can be securely shared. Then checking out the HEAD of the PR to trick CircleCI into using this ref:

on:
- pull_request: 
+ pull_request_target:

jobs:
  # https://github.com/marketplace/actions/trigger-circleci-pipeline
  trigger-circleci:
    runs-on: ubuntu-latest
    steps:
+     - uses: actions/checkout@v3
+       with:
+         ref: ${{ github.event.pull_request.head.sha }}
      - uses: CircleCI-Public/trigger-circleci-pipeline-action@v1.0.5
        env:
          CCI_TOKEN: ${{ secrets.CCI_TOKEN }}

However, the triggering branch still points to master:

image

Describe the solution you'd like

Any suggestion on how to resolve this? I guess this logic would need to be adapted:

trigger-circleci-pipeline-action/index.js

Lines 17 to 28 in d8e1aed

const ref = context.ref;
const headRef = process.env.GITHUB_HEAD_REF;
const getBranch = () => {
if (ref.startsWith("refs/heads/")) {
return ref.substring(11);
} else if (ref.startsWith("refs/pull/") && headRef) {
info(`This is a PR. Using head ref ${headRef} instead of ${ref}`);
return headRef;
}
return ref;
};

Teachability, documentation, adoption, migration strategy

An addition to the README would be sufficient.

What is the motivation / use case for changing the behavior?

It should work for forks.
@carmocca carmocca mentioned this issue Sep 13, 2022
Merged
@KyleTryon
Copy link
Contributor

We have a very similar issue with Orb development, where we want people to send in PRs but we of course can not give access to secrets which publish orbs.

What we have done which seems to be the safest option, we review the PR manually and once satisfied, we checkout the branch and push it to a "local" branch on the origin.

It usually looks something like this:

gh pr checkout xx
git checkout -b test/pr-xx
git push --set-upstream origin test/pr-xx

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@carmocca @KyleTryon