Workflows with pull_request trigger never get triggered for PRs from forks

Hi,

When PRs get opened on our private repo from forks, workflows with the ‘pull_request’ trigger are not triggered.

This behavior is reproducible only on private repos.

We did some digging around:

1. Created a clean private repo https://github.com/elementor/tests-github-actions/pulls (now it’s public).

2. Added a blank workflow with pull_request as a trigger.

3. Edited README.md on a branch and created a PR to master. ✔ The workflow ran.

4. Forked the repo into my account https://github.com/danielkatz/tests-github-actions (private).

5. On my fork, edited README.md on master and created a second PR to the original repo. ✘ The workflow didn’t run.

6. We made the original repo public.

7. Again on the original repo, we edited README.md on a branch and created a third PR to master. ✔ The workflow ran.

8. Again, forked the repo into my account https://github.com/danielkatz/tests-github-actions-1 (public).

9. On my fork, edited README.md on master and created a fourth PR to the original repo. ✔ The workflow ran.

I am aware of the issues around malicious PR mitigation, but if this is the root cause of the observed behavior, why did the workflow trigger on a public repo? Moreover, the PRs to the private repo were made by users with permissions for that repo, and thus should be considered trusted.

Really appreciate help on this issue.
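For readers reproducing the steps above, here is an added example of the kind of pull_request-triggered workflow used in the experiment. It is not the workflow from the original post; it is a minimal one that records where each PR came from, so a run that does happen shows in its log whether the head repo is a fork and what access the author has to the base repo. The base branch `master` is taken from the steps above; the job and step names are my own. Note that it cannot change the behavior the thread describes: on a private base repo the run for a fork PR never starts, so the `if:` gate only restricts a step within runs that do occur. Values from the event payload are passed through `env:` rather than interpolated into the shell line, which is the safer pattern for anything taken from a PR.

```yaml
# Added example workflow (not the original poster's). Assumes the base branch
# is `master`, as in the reproduction steps; job and step names are invented.
name: pr-origin-check

on:
  pull_request:
    branches: [master]

jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - name: Report where this PR came from
        env:
          # Event-payload fields, exposed via env rather than inlined into the
          # shell command so PR-controlled strings cannot break out of the script.
          BASE_REPO: ${{ github.repository }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          HEAD_IS_FORK: ${{ github.event.pull_request.head.repo.fork }}
          AUTHOR_ASSOC: ${{ github.event.pull_request.author_association }}
        run: |
          echo "base repo:          $BASE_REPO"
          echo "head repo:          $HEAD_REPO"
          echo "head is fork:       $HEAD_IS_FORK"
          echo "author association: $AUTHOR_ASSOC"

      # Runs only when the PR author already has write access to the base repo
      # (the "trusted user" case argued for in the thread). This gates a step,
      # not the trigger itself.
      - name: Step limited to authors with write access on the base repo
        if: >-
          github.event.pull_request.author_association == 'OWNER' ||
          github.event.pull_request.author_association == 'MEMBER' ||
          github.event.pull_request.author_association == 'COLLABORATOR'
        run: echo "PR author has write access to the base repository"
```

When this workflow fires for PRs 3 and 7 in the steps above, `head is fork` is `false`; for PR 9 on the public repo it is `true` and `head repo` names the fork. For PR 5 on the private repo there is simply no run to inspect, which is the behavior the thread is about.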

Hi,

Many thanks for your feedback!  

This is by design. If your base repository is private, the workflow will not run when you open a pull request from a forked repository. It’s mentioned here, please kindly check.

Here is a similar ticket about this, please check it for more details. Hope it helps.

1 Like

Thanks, I suspected this much…

Did you see the end of my post? I’m proposing to remove this restriction in the case of a PR from a user who has privileges on the base repository. He should be considered a trusted user, and besides, if he wanted to do something malicious, he could do it directly on the base repository.

Where can I file this suggestion as a feature request?

Hi @danielkatz ,

This has been submitted as a feature request already :slight_smile:

From github :

We have work going on to enable that scenario but the changes were deeper than just the actions token for a number of reasons. I expect we will ship that before the end of the year.

2 Likes

I know it was submitted and I’m one of those people trying to wait/push this. My 2 cents: it’s currently working on a public repo, all the more reason it should work on a private repo. In a private repo setting, you are explicitly giving the user permission to your repository, so the chances of bad actors are smaller than in a public repo setting. I don’t want to downplay the amount of work or the deeper changes this one requires, but why would it take significantly more time if it’s already enabled on a public repo? The only difference between a public repo and a private repo is the visibility, what am I missing? :thinking:

Sorry for the stupid question, but which year do you mean? It feels like GitHub doesn’t consider this problem important. I think a lot of paying customers are waiting for this feature.