Github Workflow not running from pull request from forked repository

Started a thread with Github folks, referencing this thread. 

4 Likes

Thanks, keep me posted @jiria 

1 Like

Hi @jiria Is there any update ? 

No response yet. I double checked the ticket, turns out my email response was not recorded. So I have responded directly through the webform. I will report back here as soon as I hear back from Github support.

Currently we do not support running PRs from forks for private repos as we are trying to figure out some of the security issues associated with that.  This is something we are looking to address by GA.

7 Likes

Dear @chrispat, thank you for your response.

For open source projects, currently a lot of actions such as coveralls, labeller and unit tests don't work and fail with a *Resource Not Accessible by Integration* error for PRs coming from forked repos. This is because the permissions for the GITHUB_TOKEN in forked repositories are read-only for all events. As we are getting more than 90% of our contributions from forked repositories, I'd like to use the above mentioned actions for showing code coverage, labeller and unit test results in the pull_request comment. I think if there is a way to trigger the workflow in the upstream branch for this use case, then this problem can be solved, or there should be read/write access at least for the pull request (access by forked repositories), as this is not critical and won't have write access to the content of the base repository.

As I already mentioned, since we get contributions only from forked repos, this is a must-have feature. Others have already reported this in multiple other discussions, so please tell us if there is any workaround to enable action commenting on PRs coming from forked repositories.

Thanks in Advance. 

10 Likes
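As an added illustration, not code from this thread or from GitHub, here is a workflow that runs the tests on every pull request but only attempts the comment step, which needs write access through GITHUB_TOKEN, when the head branch lives in the base repository itself; on a fork PR the step is skipped rather than failing with the error described above. The test command and the comment text are assumptions.

```yaml
# Added example, not from this thread. Assumption: `npm test` is the project's test command.
name: ci
on: [pull_request]

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

      # GITHUB_TOKEN is read-only for PRs opened from a fork, so any write call
      # (issue comment, label change) fails with "Resource not accessible by integration".
      # Only attempt it when the PR head branch is in the base repository.
      - name: Comment on same-repo PR
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: actions/github-script@v7
        with:
          script: |
            await github.rest.issues.createComment({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
              body: 'Tests passed on this PR.'   // constructed comment text
            });

      # Make the skip visible in the job log instead of silently doing nothing.
      - name: Note skipped comment on fork PR
        if: github.event.pull_request.head.repo.full_name != github.repository
        run: echo "PR comes from a fork; GITHUB_TOKEN is read-only, skipping the comment step."
```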

“Looking to address by GA”

What is GA in this context?

Thanks for keeping us updated; we are also unable to make use of Actions on our corporate repos until this is resolved.

1 Like

EDIT:

Currently we do not support running PRs from forks for private repos as we are trying to figure out some of the security issues associated with that.  This is something we are looking to address by GA.

This is the case for public repositories too, right? Forks only have an RO access token, hence merging of PRs or addition/removal of labels cannot be automated. However, according to GitHub documentation, pull_request events are triggered for the base repo ONLY, and hence this workflow could theoretically be automated. So was this change to block events to the base repository intended? If so, can this be regarded as a temporary change until a proper security solution is found?

3 Likes

GA = General Availability

2 Likes

What about running a PR from fork/branchA to fork/branchB? The original repo is not touched in this case. The fork is public. Is it a bug or is it somehow affected by the security reasons?

@chrispat with General Availability fast approaching, I was wondering how sorting out the security issues for private repos was progressing.

1 Like

Unfortunately we were not able to address the private repo and private fork scenario. It is something we still do plan to address but I do not have a delivery date at the moment.

@chrispat Thank you for the update. Were you able to address this https://github.community/t5/GitHub-Actions/Github-Workflow-not-running-from-pull-request-from-forked/m-p/33547/highlight/true#M1555 critical issue for PRs coming from forked repos with a security model in place?

1 Like

We have work going on to enable that scenario but the changes were deeper than just the actions token for a number of reasons. I expect we will ship that before the end of the year.

5 Likes

That will be great, and thank you very much for the update.

What a pity. We are going to upgrade our organization to GitHub Team level, but this feature is very desirable, since we manage our repo changes using PRs from forked repos. Any idea when the pull-request event for private repo forks will work?

Hey @chrispat, do you have anything to share with us? GitHub Actions will be GA'd in a couple of days, right (GitHub Universe 2019)?

1 Like

This is not something we have been able to solve yet, unfortunately.

Wow, talk about timing, I just saw you replied. I may be oversimplifying things, but if we are concerned about bad actors changing GitHub Actions via PR and leaking secrets, why not just prohibit all forks from editing a GitHub Action? That way, it's impossible for a bad actor to maliciously change a GitHub Action. My issue is PRs not being triggered via forks. If it's read-only then the problem is solved, right?

@thisguychris No it’s not solved since you could still leak secrets from the code that’s being tested.

1 Like