Actions not working correctly for forks

There are quite a few issues about GitHub Actions not working for forks of repositories, here are a few just for reference: 

These are just a few that I came across with similar issues when researching my problem. Essentially it comes down to this: for security purposes, we can’t give access to the GitHub API when someone is creating a PR from a fork.

In all of the places that I have seen this described they use an example similar to “someone could make a change to your workflow and steal your information” or something along those lines. But the problem I have with this categorisation is that it is very heavy-handed and does not reflect the reality of the situation.

There have been a number of GitHub Actions that have popped up that allow things like “labelling your PR” or “marking something as stale”, which seems like a perfect use case for GitHub Actions. But when applying Actions to an open-source project, none of these features are available to us because most PRs will come from forks.

In my case I have built an action that comments on a PR with the asset size difference that will be made with this PR, which is now completely useless for any open-source project as even commenting on a PR is not allowed by this security model.

I have considered baking an access token into my Action config that would always allow it to comment but unfortunately there is no scope available that just allows “commenting on issues”, so the only way that I would be able to fix this GitHub action would be to hard-code an access token that has a large set of credentials and save it in a publicly visible config file. I am obviously not going to do this but I hope that I am making myself clear and we need to find some way to allow Actions defined on forks to have some sort of write access to the GitHub API.

2 Likes

Thanks for the feedback.  We agree that this is something that’s important, and these are workflows that we do want to enable.  But given the security implications, it’s also something that we’re being very careful and deliberate about designing.

I understand that it is something that you want to take care with before diving in, but do you have an idea of how much time that might be? 

I have spent a reasonable amount of time building a custom GitHub action that has now been rendered useless because of this issue :disappointed_relieved: I’m wondering should I wait for this to be solved or should I bail on GitHub actions and build a GitHub app at this stage?

2 Likes

Hi @ethomson

We have also developed an action, https://github.com/cla-assistant/github-action, and it is not usable until this issue is resolved.

The last I heard from the GitHub team is that this issue will be solved by the end of the year 2019. 

It will be great if you can give us some recent developments and insights on this topic from the GitHub standpoint. 

Best Regards,

Akshay

1 Like

I just implemented a workaround for the PRs from forked repos:  a CI job (that runs in the context of the forked repo) can post some artifacts, and a cron job (runs every 5 minutes) checks the result of those recent jobs, and can do any action desired because it runs in the context of the primary repo.

https://github.com/nyurik/auto_pr_comments_from_forks

My example posts CI run results to the PR as a comment.
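The two-workflow pattern described in the post above, written out as an added example; it is not the code from the linked repository. The fork-side workflow runs with the read-only token, measures something, and uploads the result plus the PR number as an artifact. The privileged relay runs on a cron schedule in the base repository, lists recent completed runs of the fork-side workflow, downloads their artifacts and posts a comment. The workflow names, the artifact name `pr-result`, the files `pr_number` and `summary.txt`, the ten-minute lookback window and the sample summary text are all assumptions made for this example. The security point the post only implies is made explicit here: everything inside the artifact was produced by the fork's code and is attacker-controlled, so the relay never executes it, rejects a PR number whose head commit does not match the run that produced the artifact (otherwise a fork could make the relay comment on an unrelated PR), truncates and neutralises the text before posting, and never checks out fork code in the privileged job. (GitHub later added the `workflow_run` trigger, which fires a relay like this when the fork-side run completes instead of polling every five minutes; the validation steps are the same.)

```yaml
# --- .github/workflows/pr-measure.yml
# Runs in the fork's context on pull_request: GITHUB_TOKEN is read-only here,
# so the only channel back to the base repository is an artifact.
name: pr-measure
on:
  pull_request:

jobs:
  measure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Compute the result and record which PR it belongs to
        # Runs of fork PRs do not expose the PR number to the relay via the API,
        # so the artifact must carry it itself.
        run: |
          mkdir -p out
          echo "${{ github.event.pull_request.number }}" > out/pr_number
          # Constructed placeholder for the real measurement (asset size delta, test summary, ...)
          echo "asset size delta: +12 kB (constructed sample)" > out/summary.txt
      - uses: actions/upload-artifact@v4
        with:
          name: pr-result
          path: out/

---
# --- .github/workflows/relay-comments.yml
# Runs on a schedule in the base repository, where GITHUB_TOKEN can be granted write access.
name: relay-comments
on:
  schedule:
    - cron: '*/5 * * * *'

permissions:
  actions: read          # list runs and download artifacts
  pull-requests: write   # post the comment (no contents: write, no checkout of fork code)

jobs:
  relay:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            const { owner, repo } = context.repo;
            // Look back slightly further than the cron interval so no run is missed.
            const since = new Date(Date.now() - 10 * 60 * 1000).toISOString();
            const { data: { workflow_runs } } = await github.rest.actions.listWorkflowRuns({
              owner, repo, workflow_id: 'pr-measure.yml', event: 'pull_request',
              status: 'completed', created: `>=${since}`,
            });
            for (const run of workflow_runs) {
              const { data: { artifacts } } = await github.rest.actions.listWorkflowRunArtifacts({
                owner, repo, run_id: run.id,
              });
              const art = artifacts.find(a => a.name === 'pr-result');
              if (!art) continue;
              const zip = await github.rest.actions.downloadArtifact({
                owner, repo, artifact_id: art.id, archive_format: 'zip',
              });
              fs.writeFileSync('pr-result.zip', Buffer.from(zip.data));
              await exec.exec('unzip', ['-o', 'pr-result.zip', '-d', 'pr-result']);

              // Everything in the artifact came from the fork's code: treat it as untrusted data.
              // It is read and validated, never executed.
              const prNumber = Number(fs.readFileSync('pr-result/pr_number', 'utf8').trim());
              if (!Number.isInteger(prNumber) || prNumber <= 0) continue;
              const { data: pr } = await github.rest.pulls.get({ owner, repo, pull_number: prNumber });
              // The fork could write any PR number; only accept the PR whose head produced this run.
              if (pr.head.sha !== run.head_sha) continue;

              // Idempotency: the cron job sees the same run several times, so mark posted comments.
              const marker = `<!-- pr-measure-run:${run.id} -->`;
              const { data: comments } = await github.rest.issues.listComments({
                owner, repo, issue_number: prNumber, per_page: 100,
              });
              if (comments.some(c => c.body && c.body.includes(marker))) continue;

              // Bound the size and strip backticks so untrusted text cannot break out of the code fence.
              const summary = fs.readFileSync('pr-result/summary.txt', 'utf8')
                .slice(0, 4000).replace(/`/g, "'");
              await github.rest.issues.createComment({
                owner, repo, issue_number: prNumber,
                body: `${marker}\nResults for ${run.head_sha.slice(0, 7)}:\n\n\`\`\`\n${summary}\n\`\`\``,
              });
            }
```

The relay deliberately uses only `actions: read` and `pull-requests: write`; it has no reason to check out anything, and keeping `contents` at its default read level limits what a bug in the validation could be turned into.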