Is it possible to use GitHub Actions to manage an open source project? i.e. Fork PRs fail

I feel silly even typing that title as I’m sure I’ve missed something…

We have an open source project that is using GitHub Actions as the CI/CD and all has been working great for our team members.

But when someone outside of our organization forks our repo and submits a PR, our GHA fails due to missing tokens. I do understand that care must be taken to not expose secrets outside of the organization, but I also must believe that this is possible somehow, or GHA cannot be a viable CI/CD solution for open source projects.

I had thought that pull_request_target may solve that very issue, but we haven’t had luck there either.

Any info or pointers would be greatly appreciated :pray:

What exactly fails? Can you share the workflow?

Sorry - I could have made my initial post much better.

When someone forks and creates a PR, it fails with a missing token: https://github.com/GetTerminus/terminus-oss/runs/1177183898?check_suite_focus=true#step:5:11

We tried using the newer pull_request_target but then the workflow is just skipped with no errors or messages: https://github.com/GetTerminus/terminus-oss/actions/runs/279005642

It looks like you’re setting the GITHUB_TOKEN env var using ${{ secrets.GH_TOKEN }} instead of ${{ secrets.GITHUB_TOKEN }}. Did you manually create this secret by passing in a personal access token? If so, is there a specific reason you’ve done this—i.e. are specific permissions required that aren’t provided by the regular token?

Secrets aren’t passed to workflows that run on forks so this is likely why this variable is turning up empty:

The only secret that is passed on to fork workflows is a read-only version of the GITHUB_TOKEN, so if you can switch to using that this workflow should run. Otherwise it would be good to hear what permissions this token needs in order to execute your workflow.

That is a great point. I remember needing to make that switch at some point when originally migrating to GHA, but it’s very possible it was needed for our release flow vs. PR, etc.

I just tried switching back and now see a branch error - so it seems the token was the issue. I’ll keep exploring my other issues.

Thanks for pointing me in the correct direction @thomasshaped

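The split suggested in the thread, as an added example that is not part of the original posts or the project's own workflow: a pull-request workflow in which fork PRs run with only the read-only `GITHUB_TOKEN`, while the job that needs the manually created `GH_TOKEN` secret is skipped when the PR comes from a fork. The workflow name, job names and script paths are hypothetical.

```yaml
# Added example; workflow name, job names and script paths are assumptions.
name: pr-checks

on:
  pull_request:   # PRs from forks run here without repository secrets

# Keep the automatic token read-only for every job, which is
# what a fork PR receives in any case.
permissions:
  contents: read

jobs:
  test:
    # Runs for same-repo and fork PRs alike: it needs nothing
    # beyond the built-in token.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build and test
        run: ./scripts/ci-test.sh          # hypothetical script
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  privileged-checks:
    # Runs only when the PR branch lives in this repository, so
    # secrets.GH_TOKEN is populated. For fork PRs the job is
    # skipped instead of failing on an empty token.
    if: github.event.pull_request.head.repo.full_name == github.repository
    needs: test
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Step that needs the personal access token
        run: ./scripts/ci-privileged.sh    # hypothetical script
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
```

Moving the privileged job to `pull_request_target` would make repository secrets available to runs triggered by fork PRs, so a job on that trigger should not check out or execute the PR's code.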