-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolve permissions error when preview is initiated from fork #3
Comments
As recommended by the linked article, the flow I'm going to go with is a
Downside to Also, the action currently strongly assumes that it's going to be run from a That'll mean that I need to be able to pass it all the values that it would normally take directly from the pull request, via parameter instead. I can probably just set the defaults to the pull request values. |
Would an option here be to have an example that uses I'm planning to set up a local action this way to support preview until |
Good idea, if perhaps a little complex to set up and then have your team remember. Depending on the scope of your project, at that point it may be a better idea to outsource that work to somewhere you know it's been done correctly e.g. Netlify, Vercel. |
We can only publish PR previews from the original repository. The action fails when the PR originates from a forked repository. For details, see rossjrw/pr-preview-action#3.
Forks cannot initiate previews using default GH action token. See rossjrw/pr-preview-action#3 for details
Not knowledgeable about this workflow, but I've been reading the docs and a few issues and I was wondering to get past this security problem is there no way to prompt the repository owners to allow deployment of a preview for the created PR. Ie: Require the owner to click a button or put a comment and only preview the PR after that? |
@Fir121 Yes, the button you describe is possible - have a look at Deployment Reviews. I learned about this just the other day from @aspiers in #6 (comment) There's any number of things you could put between a forked PR and that PR's preview running your repo with elevated permissions, and you could do any of those things right now, but I'm still wary at this time. That being said, if you happen to take the time to put together something functional that uses this or something like this, I'd be happy to have a look and see if I feel it's worth recommended in this documentation. |
https://github.com/scpwiki/interwiki/runs/5834681840?check_suite_focus=true
This workflow run failed because it did not have permission to push to the upstream repository.
I believe this happened because the workflow was executed from the fork. The
pull_request
event is executed in the context of the merge commit, whereas thepull_request_target
event is executed in the base repository. For internal PRs, these are identical; for forks, they are not. In particular this means that the action will not have permission to push to the repository when using thepull_request
event type, as its GITHUB_TOKEN lacks that permission.Switching to the
pull_request_target
event might resolve this, but there are security considerations to take into account: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/Changes shouldn't be needed to this action, but I will need to amend documentation to cover this use case. The README is getting pretty bloated - I should take this chance to move some of the code samples into the repository proper.
The text was updated successfully, but these errors were encountered: