-
TL;DR: Currently, we can’t push to the forked repository with GITHUB_TOKEN in a workflow that is triggered by a pull request to the original repository from the forked repository. Is it expected behavior? FYI: We can push to the original repository with GITHUB_TOKEN in a workflow that is triggered by a pull request to the original repository from the original repository. Details: I want to create a workflow that prepares GitHub Pages to confirm a pull requested change automatically. Here is a scenario I expect:
[1] I know that GitHub Actions and GitHub Pages integration have a problem: https://github.community/t5/GitHub-Actions/Github-action-not-triggering-gh-pages-upon-push/td-p/26869 In this scenario, “git push forked gh-pages” in 5. fails with “Permission to ${forked-repository} denied to github-actions[bot]”. This scenario works well when we use the same repository instead of a forked repository:
Here is a workflow file I created: https://github.com/apache/arrow-site/blob/ccdb39a0e32802bbb6c94961ac5f4deea730a932/.github/workflows/deploy.yml#L59-L77 It doesn’t work on a pull request on the original repository: https://github.com/apache/arrow-site/pull/26/checks#step:8:40 It works on a pull request on the same repository: https://github.com/kou/arrow-site/runs/227573664#step:8:40
Replies: 6 comments
-
This is expected behavior, as mentioned here https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#token-permissions when running a pull_request from a fork the token can’t push contents to either repo. This is to prevent malicious actors from using actions to poison upstream or downstream repos.
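An added example, not the arrow-site workflow linked above: a pull_request job that only attempts the gh-pages push when the PR head branch lives in the base repository, since GITHUB_TOKEN is read-only for runs triggered from forks; the build script name is assumed.

```yaml
# Added example (not the arrow-site deploy.yml): guard the push step so a
# fork-triggered run skips it instead of failing with "Permission ... denied".
name: pages-preview
on:
  pull_request:

permissions:
  contents: write   # honoured for same-repo PRs; fork PRs still get a read-only token

jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build site
        run: ./build.sh   # assumed build script; adjust for the real site

      # head.repo.full_name equals the base repo only when the PR is not from a fork.
      - name: Push preview to gh-pages (same-repo PRs only)
        if: github.event.pull_request.head.repo.full_name == github.repository
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git checkout -B gh-pages
          git add -A
          git commit -m "Preview for PR #${{ github.event.pull_request.number }}" || true
          # checkout@v4 leaves GITHUB_TOKEN in the origin remote, so this push
          # works for a same-repo PR and would be refused for a fork PR.
          git push --force origin gh-pages

      # Fork PRs: say why the preview was skipped rather than failing the job.
      # Repository secrets (such as a PAT) are not exposed to pull_request runs
      # from forks either, so a second token does not change this path.
      - name: Skip preview push for fork PRs
        if: github.event.pull_request.head.repo.full_name != github.repository
        run: echo "PR head is a fork; GITHUB_TOKEN cannot push, preview skipped."
```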
-
Configuration-less code formatters like gofmt, black, standard would be good to be able to autorun on inbound pull requests (especially during Hacktoberfest when many green developers jump on GitHub). I can understand the security concerns of allowing all Actions to write back to the inbound pull requests. It would be cool if GitHub could figure out a non-Actions based solution for running configurationless formatters in inbound pull requests.
-
Thanks. I understand.
-
In case anyone is looking for an up-to-date URL to the token permissions section of the docs it’s https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token. |
-
I’m still a bit confused as to whether it’s possible to supply a secondary token that isn’t GITHUB_TOKEN which will be able to push back to PR branches. Is that possible to set up, and if so, what permissions does it need? |
-
Since PRs default to allowing updates from maintainers, you could create a maintainer bot account and use a PAT to commit to PR forks. I’m not sure about the specific permissions needed.