How to auto-merge a PR from a fork

I have been working on a project like first-contribution, where newcomers have to commit a new file with their name into the repo. For this, I am trying to make a GitHub action which auto-merges the PR if every check has passed. I am using pascalgn/automerge-action for the same purpose.

It gives a “Failed to merge PR: Resource not accessible by integration” error if someone from outside the organization opens a PR. After reading on the internet I learned that the problem is that forks do not have write permission to the repo and their PRs cannot get auto-merged. PRs from the organization’s owner or members get merged automatically, but not those from an outsider.

After reading this I have ticked the first two options under organization settings, but it’s still not working and gives the same error.

Thank you.

What “on” event are you using?

Assuming you mean your “first-bit” repo then you need to use pull_request_target as your on event (vs. pull_request).

For your checkout you want to make sure you checkout the PR content:

    - name: Checkout
      uses: actions/checkout@v2
      with:
        ref: ${{github.event.pull_request.head.ref}}
        repository: ${{github.event.pull_request.head.repo.full_name}}

1 Like

@Janglee123 ,

Yes, I can reproduce the same issue.
I also tried other similar actions that wrap the “Merge a pull request” API and got the same error message, “Resource not accessible by integration”.
I also ran the “Merge a pull request” API directly in the workflow and got the same error message, “Resource not accessible by integration”.

It looks like the feature “Run workflows from fork pull requests” does not work as designed.
I have created an issue ticket (actions/virtual-environments#1609) to report this issue to the appropriate engineering team for further investigation and evaluation.

You can follow this issue ticket and add your comments to it.

1 Like

@Janglee123 Hi! Thank you for reporting this. Is the repository you’re trying to merge the pull request into public or private?

@jclem Thanks for your interest. The repo is public.

Ah, and I also just saw the accepted answer. We never send secrets to workflows run from the pull_request event on public repo forks. This would allow any user to access your secrets simply by forking the repository and creating a PR that updates the workflow. Instead, @kingthorin is correct that pull_request_target is the correct event to use if you want to do something that requires write access to the repo, such as merging a PR.

However, the “Run workflows from fork pull requests” setting only applies to private repositories—we have no plans to enable this setting for public repositories due to the potential for stealing secrets and accidentally granting any user write access to the public repository.

Edit: Just to be more explicit about why we don’t intend to support this for public repositories—since workflows on the pull_request event run from the merge commit of the pull request, a user could fork an open source repository, update the workflow to echo $SOME_SECRET, and then open a pull request. If that repository had secrets or write tokens enabled, the opener of the PR would be able to write to the repository and read its secrets.

3 Likes
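
Added example, not part of any post in this thread: under pull_request_target the job runs with the repository's secrets and a write token, so a checkout of the PR head followed by a step that runs those files gives fork code the access described in the last reply. The audit below flags that combination in a workflow file; it is a line-based scan rather than a YAML parser, and the `npm` step, the `MERGE_ONLY` workflow and `PINNED_SHA` are constructed for illustration.

```python
import re

# Expressions whose value is chosen by the pull request author.
UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.(event\.pull_request\.head\.(ref|sha|repo\.full_name)"
    r"|head_ref)\s*\}\}")
CHECKOUT_INPUT = re.compile(r"^\s*(ref|repository)\s*:")
RUN_STEP = re.compile(r"^\s*(-\s*)?run\s*:")
COMMENT = re.compile(r"(^|\s)#.*$")

def audit(workflow_text):
    """Return (line_number, message) findings for one workflow file."""
    lines = [COMMENT.sub("", l) for l in workflow_text.splitlines()]
    if not any(re.search(r"\bpull_request_target\b", l) for l in lines):
        return []  # not the privileged trigger, nothing to report
    findings, tainted = [], False
    for no, line in enumerate(lines, 1):
        if CHECKOUT_INPUT.match(line) and UNTRUSTED.search(line):
            tainted = True
            findings.append((no, "checkout input is fork-controlled"))
        elif tainted and RUN_STEP.match(line):
            findings.append((no, "run step sees fork files in workspace"))
    return findings

# Constructed sample: the checkout from the thread plus a hypothetical build step.
RISKY = """\
on: pull_request_target
jobs:
  merge:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: ${{github.event.pull_request.head.ref}}
          repository: ${{github.event.pull_request.head.repo.full_name}}
      - run: npm ci && npm test
"""
# Constructed sample: merge only, no fork code checked out (PINNED_SHA is a placeholder).
MERGE_ONLY = """\
on: pull_request_target
jobs:
  merge:
    runs-on: ubuntu-latest
    steps:
      - uses: pascalgn/automerge-action@PINNED_SHA
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""
```

Calling `audit()` on each file under `.github/workflows/` gives a list of line numbers to review; an empty list means the pattern was not found, not that the workflow is otherwise safe.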