Action triggered on a merged PR needs access to a secret

Hey,

I’m trying to create an action which will invite a contributor whose PR gets merged to an organization.

I have almost finished it, but I have a pretty annoying problem now because a workflow triggered by a PR merged to the main repo from the user’s repository doesn’t have access to the secrets, and I need a secret (public access token) to provide it to the GitHub API to invite a user.

How could one solve this?

Hi,

Thanks for your feedback! It’s not supported, please check below:

  1. With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository. Link below:

https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets#using-encrypted-secrets-in-a-workflow

  2. In a workflow which is triggered by a pull request from a forked repo, ‘secrets.GITHUB_TOKEN’ has only ‘read’ permission; it lacks the permission to be used in the API to invite users. Link below:

https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token#permissions-for-the-github_token

Thanks.

You can try to use the push event to trigger a workflow in your repository, and then in the action you can parse the detailed information about the push and try to invite the user if it is a merge commit from other repos.

yup, that’s what I did

instead of running the action on closing the PR I’m running it on a new commit on master, this has to be triggered by someone with ‘write rights’ to the repo, therefore, it has access to the repo secrets.

It’s a bit harder to check if the commit is a merge commit and we have to explicitly fetch more info about the PR, but it works. Source code of an action I was trying to build if someone is interested: https://github.com/lekterable/inclusive-organization-action
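
The merge-commit check described in the last post, as an added example (not code from the linked action). Because the push-triggered run holds the repository secret, the commit message is treated only as a hint and is cross-checked against the PR object from `GET /repos/{owner}/{repo}/pulls/{number}`. The function names and the sample payloads are constructed for illustration.

```javascript
// Added example: decide from a push event whether the new head commit is the
// merge of a fork PR, and which login to invite. Sample payloads are constructed.

// Default GitHub messages: "Merge pull request #12 from user/branch" (merge
// commit) and "Some title (#12)" (squash merge). Rebase merges carry no marker.
const MERGE_RE = /^Merge pull request #(\d+) from \S+/;
const SQUASH_RE = /\(#(\d+)\)$/;

// Extract a candidate PR number from the head commit of a push payload.
// Anyone who can push can write any message, so this is a hint, not proof.
function candidatePrNumber(push) {
  const firstLine = ((push.head_commit || {}).message || '').split('\n')[0].trim();
  const m = MERGE_RE.exec(firstLine) || SQUASH_RE.exec(firstLine);
  return m ? Number(m[1]) : null;
}

// Cross-check the hint against the PR object fetched from the API.
// Returns the login to invite, or null if anything does not line up.
function contributorToInvite(push, pr, defaultBranch = 'master') {
  if (push.ref !== `refs/heads/${defaultBranch}`) return null;
  if (!pr || pr.number !== candidatePrNumber(push)) return null;
  if (!pr.merged || pr.merge_commit_sha !== push.after) return null; // must be this exact merge
  if (pr.base.ref !== defaultBranch) return null;
  if (!pr.head.repo || !pr.head.repo.fork) return null; // head.repo is null once the fork is deleted
  return pr.user.login; // identity comes from the API, never from commit text
}

// Constructed push payload (subset of the real event fields).
const samplePush = {
  ref: 'refs/heads/master',
  after: 'a1b2c3',
  head_commit: { id: 'a1b2c3', message: 'Merge pull request #7 from octo-contrib/fix-typo\n\nFix typo' },
};
// Constructed PR object (subset of the pulls API response).
const samplePr = {
  number: 7, merged: true, merge_commit_sha: 'a1b2c3',
  base: { ref: 'master' },
  head: { repo: { fork: true, full_name: 'octo-contrib/project' } },
  user: { login: 'octo-contrib' },
};

console.log(contributorToInvite(samplePush, samplePr)); // octo-contrib
```

A direct push whose message merely imitates a merge fails the `merge_commit_sha` comparison, so it cannot trigger an invitation sent with the stored token.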