Optional read/write permission for forked repos

Hi,
I am using the **GITHUB_TOKEN** secret to make authenticated GitHub API calls on behalf of an action.

I am the maintainer of the CLA Assistant OAuth App and, seeing the amazing capabilities of GitHub Actions, we are now developing the **CLA Lite GitHub Action**. The contributor data will be stored in the file system (a JSON file) inside the repository where the **CLAAssistant.yml** is configured.

However, we have just come to know that there is only read access but no write access when there is a pull request from a forked repository. So the contributor details from the forked repository cannot be written to a file in the base repository, since the permissions for the GITHUB_TOKEN in forked repositories are read-only.

It would be great if the GITHUB_TOKEN permission could optionally be read/write, with read-only as the default for forked repos. Also, please suggest if there is any other workaround for this use case.

At the moment, secrets are indeed limited for forks. As you point out, the GITHUB_TOKEN variable provided to forks is read-only, and secret variables are not provided to forks at all.

We may have some more advanced secrets management in the future, but we don’t have plans to give forks the ability to write to the main repository directly.

1 Like

Hi Thomson,

Thank you very much for the quick response.

It would be great if you could suggest whether there is any way we can store and retrieve metadata such as contributor name and ID inside the GitHub environment itself when using Actions.

We thought simply storing it in a file inside the base repo would do. However, you made it clear that it won't work from the forked repo. So we should think of something else, and we are in the middle of development.

Hi Thomson, 

When there is a pull request event from the forked repo, I have tried to use my personal access token by storing it in the base repository's secrets and tried to make GitHub API calls using this secret, but then I am getting the error "Bad Credentials". So, the pull request from the forked repo event won't have access to the base repo's secrets?

And again, it would be great if there were a way to make authenticated GitHub calls with read/write access to the base repo. If not, at least having access to the base repository secrets in order to use the personal access tokens.

We can develop many useful actions if you can give optional read/write access to the base repo when there is a PR from the forked repo, or at least give access to the base repo secrets. Because then it will be up to the project admin to give read/write access when there is a pull request from the forked repo. If the admin does not feel secure, then he/she won't use an action that has read/write access from the forked repo.

1 Like

More granular control over GITHUB_TOKEN or the personal access token would be appreciated. As an example, allowing issue comments in the public_repo scope can be acceptable in most cases.

1 Like

I found an option per team and per repository to run the workflow only if the code exists within the same repository.
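As an added example (not the CLA Assistant project's own code), a workflow that applies the same-repository guard mentioned in the last post: it reads the stored contributor file for every pull request, and only attempts the write-back when the head branch lives in the base repository, where GITHUB_TOKEN has write access. The file name contributors.json, its shape {"contributors": []}, and the checkout ref are assumptions.

```yaml
name: Contributor metadata (added example)

on:
  pull_request:
    types: [opened, synchronize]

# Assumption: the base repository keeps contributors.json as {"contributors": []}.
jobs:
  record-contributor:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # for PRs from forks GitHub still caps the token at read
    steps:
      - uses: actions/checkout@v4
        with:
          # Same-repo PR: check out the head branch so a commit can be pushed back.
          # Fork PR: that branch does not exist here, so fall back to the default ref.
          ref: ${{ github.event.pull_request.head.repo.full_name == github.repository && github.head_ref || '' }}

      # Read-only work runs for every PR, including those from forks,
      # because the read-only GITHUB_TOKEN is enough to get this far.
      - name: Look up the PR author in the stored metadata
        env:
          LOGIN: ${{ github.event.pull_request.user.login }}
        run: |
          if jq -e --arg l "$LOGIN" '.contributors[] | select(.login == $l)' contributors.json >/dev/null; then
            echo "$LOGIN is already recorded"
          else
            echo "::notice::$LOGIN is not recorded yet"
          fi

      # Write-back only when the head branch is in the base repository.
      # For a fork this step is skipped instead of failing with a permissions
      # error, since GITHUB_TOKEN is read-only there and secrets are not provided.
      - name: Record the PR author in the base repository
        if: github.event.pull_request.head.repo.full_name == github.repository
        env:
          LOGIN: ${{ github.event.pull_request.user.login }}
          ID: ${{ github.event.pull_request.user.id }}
        run: |
          jq --arg l "$LOGIN" --argjson i "$ID" \
             'if any(.contributors[]; .login == $l) then . else .contributors += [{login: $l, id: $i}] end' \
             contributors.json > contributors.tmp
          mv contributors.tmp contributors.json
          if git diff --quiet; then
            echo "nothing new to record"
            exit 0
          fi
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git commit -am "Record contributor $LOGIN"
          git push
```

The guard reflects the thread's conclusion: a fork-originated PR can read the base repository but never write to it, so the workflow should skip write steps explicitly rather than rely on the token.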