There are quite a few issues about GitHub Actions not working for forks of repositories; here are a few just for reference:
- Make secrets available to builds of forks
- Run a GitHub action on pull_request for PR opened from a forked repo
- GitHub action: Resource not accessible by integration
These are just a few that I came across with similar issues when researching my problem. Essentially it comes down to this: for security purposes, we can’t give access to the GitHub API when someone is creating a PR from a fork.
In all of the places that I have seen this described they use an example similar to “someone could make a change to your workflow and steal your information” or something along those lines. But the problem I have with this categorisation is that it is very heavy-handed and does not reflect the reality of the situation.
There have been a number of GitHub Actions that have popped up that allow things like “labelling your PR” or “marking something as stale”, which seems like a perfect use case for GitHub Actions. But when applying Actions to an open-source project, none of these features are available to us because most PRs will come from forks.
In my case I have built an action that comments on a PR with the asset size difference that will be made with this PR, which is now completely useless for any open-source project as even commenting on a PR is not allowed by this security model.
I have considered baking an access token into my Action config that would always allow it to comment, but unfortunately there is no scope available that just allows “commenting on issues”, so the only way that I would be able to fix this GitHub action would be to hard-code an access token that has a large set of credentials and save it in a publicly visible config file. I am obviously not going to do this, but I hope that I am making myself clear: we need to find some way to allow Actions defined on forks to have some sort of write access to the GitHub API.
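The privilege split that the fork security model forces can still deliver the "comment with the asset size difference" use case, as an added example that is not from the original post or the author's action: the workflow triggered by the fork PR runs with its read-only token, measures the assets and publishes the result as an artifact; a second workflow, triggered by `workflow_run` and therefore running from the default branch with the base repository's write-capable `GITHUB_TOKEN`, downloads that artifact, treats its contents as untrusted input, checks that the report belongs to the commit that produced it, and only then posts the comment. The workflow names, the `size-report` artifact, the two report files, and the placeholder measurement step are assumptions; the real build and measurement would replace the placeholder.

```yaml
# .github/workflows/measure.yml (assumed name)
# Runs in the fork PR's context: read-only GITHUB_TOKEN, no repository
# secrets. It only measures and uploads; it never touches the API.
name: Measure asset size

on:
  pull_request:

permissions:
  contents: read

jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Measure assets (placeholder for the project's real build step)
        env:
          PR_NUMBER: ${{ github.event.number }}
        run: |
          mkdir -p report
          echo "$PR_NUMBER" > report/pr_number
          # Constructed value; the real job would write the measured delta here.
          echo "+1234" > report/size_delta_bytes
      - uses: actions/upload-artifact@v4
        with:
          name: size-report
          path: report/

---
# .github/workflows/comment.yml (assumed name)
# Triggered when the measuring workflow finishes. Runs from the default
# branch with the base repository's token, so it may comment. Every byte
# of the artifact was produced by fork code and is validated before use.
name: Comment asset size

on:
  workflow_run:
    workflows: ["Measure asset size"]
    types: [completed]

permissions:
  actions: read        # list and download the artifact
  pull-requests: write # post the comment

jobs:
  comment:
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - name: Download, validate and comment
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const { owner, repo } = context.repo;
            const run = context.payload.workflow_run;

            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
              owner, repo, run_id: run.id,
            });
            const report = artifacts.data.artifacts.find(a => a.name === 'size-report');
            if (!report) { core.setFailed('no size-report artifact'); return; }

            const zip = await github.rest.actions.downloadArtifact({
              owner, repo, artifact_id: report.id, archive_format: 'zip',
            });
            fs.writeFileSync('report.zip', Buffer.from(zip.data));
            await exec.exec('unzip', ['-o', 'report.zip', '-d', 'report']);

            // Untrusted input: accept only the exact shapes expected, nothing else
            // from these files ever reaches the comment body.
            const prNumber = fs.readFileSync('report/pr_number', 'utf8').trim();
            const delta = fs.readFileSync('report/size_delta_bytes', 'utf8').trim();
            if (!/^\d{1,7}$/.test(prNumber) || !/^[+-]?\d{1,10}$/.test(delta)) {
              core.setFailed('malformed size report from fork workflow');
              return;
            }

            // The fork chose the PR number; confirm it names the PR whose head
            // commit actually produced this run, so it cannot comment elsewhere.
            const pr = await github.rest.pulls.get({
              owner, repo, pull_number: Number(prNumber),
            });
            if (pr.data.head.sha !== run.head_sha) {
              core.setFailed('report PR does not match the commit that produced it');
              return;
            }

            await github.rest.issues.createComment({
              owner, repo,
              issue_number: Number(prNumber),
              body: `Asset size change for this PR: ${delta} bytes`,
            });
```

The commenting workflow only ever executes the copy that lives on the default branch, so a PR that edits `comment.yml` changes nothing until it is merged; the only influence the fork has is the content of the artifact, which is why that content is pattern-checked and cross-checked against the run's `head_sha` before it is used.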