Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ci: allow PRs from downstream forks to pass the rest of actions #252

Merged
merged 1 commit into from
Jul 27, 2023

Conversation

whentojump
Copy link
Member

@whentojump whentojump commented Jul 26, 2023

One of our current actions (MishaKav/pytest-coverage-comment@main) requires more permissions than usual, and for now any PR from external forks would fail at this step, due to GitHub's design.

In the "Set up job" section of each action's log, we can inspect the permissions for this particular run. Permissions like the below ones ("read/write") can pass MishaKav/pytest-coverage-comment@main.

GITHUB_TOKEN Permissions
  Actions: write
  Checks: write
  Contents: write
  Deployments: write
  Discussions: write
  Issues: write
  Metadata: read
  Packages: write
  Pages: write
  PullRequests: write
  RepositoryProjects: write
  SecurityEvents: write
  Statuses: write

On the other hand, if only "read" permissions are granted, like below, would fail MishaKav/pytest-coverage-comment@main.

GITHUB_TOKEN Permissions
  Contents: read
  Metadata: read
  Packages: read

And here's a short summary of permissions in several common cases:

  • Case 1: direct pushes to main within a repo/fork: depends on "Settings" -- "Actions" -- "General" -- "Workflow permissions", where you can control it's either "read" or "read/write".
  • Case 2: PRs that come form downstream forks: always "read", unless pull_request_target is specified as the trigerring condition -- and that's exactly what this PR does

Note:

  1. Before this PR gets merged: we'll have to directly push to this repository and create PRs within the repo
  2. After this PR gets merged: any WIP patches that were made prior to this commit will have to rebase themselves to include it before this change can take effect

Links:

@tianyin
Copy link
Member

tianyin commented Jul 26, 2023

This is awesome! Thank you very much for looking into it @whentojump

any WIP patches that were made prior to this commit will have to rebase themselves to include it before this change can take effect

I think it's fine as long as the PR passed the tests.

We only need to make the latest version green.

@whentojump
Copy link
Member Author

any WIP patches that were made prior to this commit

By that I actually mean PR 247, 249 and 250, but not more ancient ones.

PR 247, 249 and 250 happen to be all authored by myself... (Yeah I'm the only one who ever forked at all, thus the only one affected by this permission problem). They should be easy to rebase.

@whentojump
Copy link
Member Author

I'm going to merge this without further review because

  1. I experimented myself in other test repos and see expected results
  2. This is (weakly) blocking another PR (249), which in turn (strongly) blocks many incoming patches
  3. If this is still not working, the impact should be tiny and under control

@whentojump whentojump merged commit a487767 into main Jul 27, 2023
@whentojump whentojump deleted the ci-fix branch July 27, 2023 02:19
@whentojump
Copy link
Member Author

Looks like it's working. Enjoy the green check marks :) @tianyin

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants