Can't push to forked repository on the original repository's pull request with GITHUB_TOKEN

TL;DR:

Currently, we can’t push to the forked repository with GITHUB_TOKEN in a workflow that is triggered by a pull request for the original repository from the forked repository. Is it expected behavior?

FYI: We can push to the original repository with GITHUB_TOKEN in a workflow that is triggered by a pull request for the original repository from the original repository.

Details:

I want to create a workflow that prepares GitHub Pages to confirm pull requested change automatically. Here is a scenario I expect:

  1. Contributor forks the original repository to submit a pull request
  2. Contributor creates a topic branch on the contributor’s forked repository
  3. Contributor submits a pull request for the topic branch to the original repository
  4. GitHub Actions is triggered on the original repository
  5. The triggered GitHub Actions builds site and pushes the built site to the “gh-pages” branch on the contributor’s forked repository with GITHUB_TOKEN
  6. Contributor and maintainers can confirm the result of the change in the topic branch at https://${contributor_id}.github.io/${repository_name} [1]

[1] I know that GitHub Actions and GitHub Pages integration have a problem: https://github.community/t5/GitHub-Actions/Github-action-not-triggering-gh-pages-upon-push/td-p/26869

In this scenario, “git push forked gh-pages” in 5. fails with “Permission to ${forked-repository} denied to github-actions[bot]”.

This scenario works well when we use the same repository instead of forked repository:

  1. Contributor creates a topic branch on the original repository
  2. Contributor submits a pull request for the topic branch to the original repository
  3. GitHub Actions is triggered on the original repository
  4. The triggered GitHub Actions builds site and pushes the built site to the “gh-pages” branch on the original repository with GITHUB_TOKEN
  5. Contributor and maintainers can confirm the result of the change in the topic branch at https://${original_repository_owner}.github.io/${repository_name} [1]

Here is a workflow file I created: https://github.com/apache/arrow-site/blob/ccdb39a0e32802bbb6c94961ac5f4deea730a932/.github/workflows/deploy.yml#L59-L77

It doesn’t work on pull request on the original repository: https://github.com/apache/arrow-site/pull/26/checks#step:8:40

It works on pull request on the same repository: https://github.com/kou/arrow-site/runs/227573664#step:8:40

2 Likes

This is expected behavior, as mentioned here https://help.github.com/en/github/automating-your-workflow-with-github-actions/virtual-environments-for-github-actions#token-permissions: when running a pull_request from a fork the token can’t push contents to either repo. This is to prevent malicious actors from using actions to poison upstream or downstream repos.
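An added example (not code from the thread or from the arrow-site workflow): a small check a deploy step can run before `git push`, applying the rule described above. It reads the event name and the pull_request payload that GitHub Actions exposes through `GITHUB_EVENT_NAME` and `GITHUB_EVENT_PATH`, skips the push when the head repository is a fork (read-only token), and otherwise reports the Pages URL from the scenario. The sample payloads are constructed for illustration.

```python
import json
import os


def token_can_push(event_name, event):
    """Return (can_push, reason) for the default GITHUB_TOKEN of this run.

    Rule from the thread: on a pull_request event whose head repository is
    not the base repository (a fork), the token is read-only for both repos.
    Other events are treated as running on the repository itself.
    """
    if event_name != "pull_request":
        return True, "not a pull_request event"
    pr = event["pull_request"]
    base = pr["base"]["repo"]["full_name"]
    head = pr["head"]["repo"]["full_name"]
    if head != base:
        return False, f"pull request from fork {head}: GITHUB_TOKEN is read-only"
    return True, f"pull request from the same repository {base}"


def plan_deploy(event_name, event):
    """Decide what the deploy step should do: push to gh-pages or skip."""
    ok, reason = token_can_push(event_name, event)
    if not ok:
        return {"action": "skip", "reason": reason}
    repo = event["pull_request"]["head"]["repo"] if event_name == "pull_request" else event["repository"]
    owner, name = repo["owner"]["login"], repo["name"]
    return {"action": "push", "reason": reason,
            "pages_url": f"https://{owner}.github.io/{name}"}


def _repo(full_name):
    # Constructed stand-in for the "repo" object of a GitHub event payload.
    owner, name = full_name.split("/")
    return {"full_name": full_name, "name": name, "owner": {"login": owner}}


# Constructed sample payloads (only the fields the check uses).
SAMPLE_FORK_EVENT = {"pull_request": {"base": {"repo": _repo("apache/arrow-site")},
                                      "head": {"repo": _repo("kou/arrow-site")}}}
SAMPLE_SAME_REPO_EVENT = {"pull_request": {"base": {"repo": _repo("kou/arrow-site")},
                                           "head": {"repo": _repo("kou/arrow-site")}}}


if __name__ == "__main__":
    # Inside a workflow step both variables are set by the runner; otherwise
    # fall back to the constructed fork sample so the script runs offline.
    name = os.environ.get("GITHUB_EVENT_NAME", "pull_request")
    path = os.environ.get("GITHUB_EVENT_PATH")
    payload = json.load(open(path)) if path else SAMPLE_FORK_EVENT
    print(json.dumps(plan_deploy(name, payload)))
```

A workflow can run this before the push and `exit 0` on `"skip"`, so a fork pull request no longer fails with the “Permission denied to github-actions[bot]” error.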

Configuration-less code formatters like gofmt, black, standard would be good to be able to autorun on inbound pull requests (especially during Hacktoberfest when many green developers jump on GitHub). I can understand the security concerns of allowing all Actions to write back to the inbound pull requests.

It would be cool if GitHub could figure out a non-Actions-based solution for running configuration-less formatters in inbound pull requests.

3 Likes

Thanks. I understand.

In case anyone is looking for an up-to-date URL to the token permissions section of the docs it’s https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token.