Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use read-only token for Danger #2327

Closed
wants to merge 2 commits into from
Closed

Use read-only token for Danger #2327

wants to merge 2 commits into from

Conversation

pgwillia
Copy link
Member

@pgwillia pgwillia commented May 7, 2021
edited
Loading

Context

Starting March 1st, 2021 workflow runs that are triggered by Dependabot from push, pull_request, pull_request_review, or pull_request_review_comment events will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository.

Note that this DOES NOT allow developers the possibility to propose change sets from a fork of the repository. This hasn't been possible since the policy change in Travis.

Related to #2082

What's New

Changed Danger github action to use the read-only GITHUB_TOKEN

@pgwillia
Use read-only token for Danger
5a635b6 
Starting March 1st, 2021 workflow runs that are triggered by Dependabot from push, pull_request, pull_request_review, or pull_request_review_comment events will be treated as if they were opened from a repository fork. This means they will receive a read-only GITHUB_TOKEN and will not have access to any secrets available in the repository.
murny
murny previously approved these changes May 8, 2021
View reviewed changes
Copy link
Contributor

@murny murny left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CI builds look great 👍

A bit confused on the magic that makes this work? DANGER_GITHUB_API_TOKEN is a token that supplies access to our github Bot Account. So how does replacing it with GITHUB_TOKEN (which doesn't seem to be defined in our secrets) do the same thing but better?

Be interesting to see if Danger is still working by seeing it use our bot account to comment on PRs, then I'll accept this magic 😄.

I guess a easy way to test this if danger can still comment is to create a PR with an empty description or change your changelog entry to be less then 10 characters 🤔 .

Otherwise looks good to me, nice work investigating this 👍

Edit: If danger cannot make comments then seems maybe the missing link is we just need create a new secret token called GITHUB_TOKEN and add the same value we used for DANGER_GITHUB_API_TOKEN (and then remove DANGER_GITHUB_API_TOKEN). Basically just renaming DANGER_GITHUB_API_TOKEN to GITHUB_TOKEN.

This works because from the docs GITHUB_TOKEN is exposed, while other tokens do not get exposed?

Note: With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

From https://docs.github.com/en/actions/reference/encrypted-secrets#using-encrypted-secrets-in-a-workflow

@pgwillia pgwillia force-pushed the 2282_danger_token branch from 61cf856 to b4fb10a Compare May 10, 2021 16:51
@pgwillia
try to trigger Danger commit message
947372a 
Trying to trigger a Danger response to prove that this might work as a solution.
@pgwillia pgwillia force-pushed the 2282_danger_token branch from b4fb10a to 947372a Compare May 10, 2021 16:58
@pgwillia
Copy link
Member Author

I'm a bit confused about the magic that makes this work too. Not going to merge until I can figure out if it's actually working.

@pgwillia pgwillia closed this May 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@murny murny murny left review comments

@ConnorSheremeta ConnorSheremeta Awaiting requested review from ConnorSheremeta ConnorSheremeta is a code owner

@lagoan lagoan Awaiting requested review from lagoan lagoan is a code owner

@mbarnett mbarnett Awaiting requested review from mbarnett

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pgwillia @murny