Is it possible to use GitHub Actions to manage an open source project? i.e. Fork PRs fail #25501
-
I feel silly even typing that title as I’m sure I’ve missed something… We have an open source project that is using GitHub Actions as the CI/CD and all has been working great for our team members. But when someone outside of our organization forks our repo and submits a PR, our GHA fails due to missing tokens. I do understand that care must be taken to not expose secrets outside of the organization, but I also must believe that this is possible somehow, or GHA cannot be a viable CI/CD solution for open source projects. I had thought that Any info or pointers would be greatly appreciated 🙏
Replies: 4 comments
-
What exactly fails? Can you share the workflow?
-
Sorry - I could have made my initial post much better. When someone forks and creates a PR, it fails with a missing token: https://github.com/GetTerminus/terminus-oss/runs/1177183898?check_suite_focus=true#step:5:11 We tried using the newer
-
That is a great point. I remember needing to make that switch at some point when originally migrating to GHA, but it’s very possible it was needed for our release flow vs. PR etc. I just tried switching back and now see a branch error - so it seems the token was the issue. I’ll keep exploring my other issues. Thanks for pointing me in the correct direction @thomasshaped
It looks like you’re setting the GITHUB_TOKEN env var using ${{ secrets.GH_TOKEN }} instead of ${{ secrets.GITHUB_TOKEN }}. Did you manually create this secret by passing in a personal access token? If so, is there a specific reason you’ve done this—i.e. are specific permissions required that aren’t provided by the regular token?

Secrets aren’t passed to workflows that run on forks so this is likely why this variable is turning up empty:

docs.github.com: Encrypted secrets - GitHub Docs

The only secret that is passed on to fork workflows is a read-only version of the GITHUB_TOKEN, so if you can switch to using that this workflow should run. Otherwise it would be good to hear what per…
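
The token switch suggested in the answer above, written out as a workflow. This is an added example, not part of the original thread and not the project's own workflow; the workflow, job, step and script names are hypothetical, and it assumes some step still needs the personal access token stored as GH_TOKEN.

```yaml
# Added example: workflow, job, step and script names are hypothetical.
name: pr-checks
on: pull_request

permissions:
  contents: read   # keep the automatic token read-only for same-repo runs too

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Before: the env var was filled from a repository secret (a PAT).
      # On a pull_request run triggered from a fork, secrets.GH_TOKEN
      # expands to an empty string, so the tool reports a missing token.
      #   env:
      #     GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

      # After: the automatically provided token, which fork runs also
      # receive (read-only).
      - name: Run checks
        run: ./scripts/ci-checks.sh        # hypothetical script
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # A step that needs the PAT's extra permissions runs only when the
      # PR branch lives in this repository; fork PRs skip it rather than
      # failing on an empty secret.
      - name: Step that needs the PAT
        if: github.event.pull_request.head.repo.full_name == github.repository
        run: ./scripts/needs-pat.sh        # hypothetical script
        env:
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
```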