Copilot Lvl 2
Message 41 of 46

Re: Github Workflow not running from pull request from forked repository

Any update? Without PR checks, GitHub Actions are virtually useless in private repos.

Copilot Lvl 3
Message 42 of 46

Re: Github Workflow not running from pull request from forked repository

Hi @chrispat, do you have any update on this issue?

It is very annoying not to be able to run the GitHub workflow on pull_request from the original repository.

I would think that when using something like "if: github.event.repository.owner.login == ... " this would only be triggered by the repository owner.

The only workaround I can think of right now is a `cron`-like setup... run from the original repository, but this seems pretty nasty... and will consume a lot of CPU for nothing...

Do you have a better alternative solution to suggest?

Pilot Lvl 1
Message 43 of 46

Re: Github Workflow not running from pull request from forked repository

I just want to add this suggestion; I just read this blog:
https://dev.to/derberg/github-actions-when-fascination-turns-into-disappointment-4d75

This article seems to suggest not triggering on PRs not created by an organization and doing a manual CI trigger via the comment `/ok-to-test`.

Interestingly, he mentioned the CODEOWNERS file. I think this is the answer. What if we make it a required file for forked PRs? That way, we are assured that the only people who can edit the `CODEOWNERS` file, which is where the potential secret leak will come from, are listed.

If they are not listed, they can't edit the workflow folder and sniff out any secrets in the repo.

Copilot Lvl 3
Message 44 of 46

Re: Github Workflow not running from pull request from forked repository

Thanks @thisguychris for the link; interesting to know it's bothering more than one person.

But it seems that part of the reason behind the current behavior is that you do not want a GitHub workflow being altered by third parties... this seems a fair argument... even if GitHub could provide a way to set to always run the action from the master branch (for forks only)...

Here is the direction I'm going to use to work around that limitation:

- pull requests will not trigger the regular workflow [for all users, better to keep a single/shared workflow than multiple ones]
- a pull request will trigger a request to an external API server
- the external server will use a PAT and do the following actions:
  1. confirm that no changes occur to the workflow for that pull request
  2. add a comment to the PR using a custom /command to start the workflow, something like "/smoke-me" or other...

For slash commands, depending on your needs, you can check these two projects:

https://github.com/marketplace/actions/slash-commands
https://github.com/peter-evans/slash-command-dispatch

Hope this can help other people :-)
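
The gate described in the post above (confirm the pull request leaves the workflow untouched, then post the `/smoke-me` comment), written out as an added example that is not part of the original thread. The input shape follows GitHub's "list pull request files" response; the function names, the fail-closed rule for incomplete listings and the sample data are assumptions, and the HTTP calls made with the PAT are left out.

```python
# Added example, not code from the thread: the decision an external server
# could make before commenting the slash command on a pull request.
WORKFLOW_DIR = ".github/workflows/"   # where GitHub Actions workflow files live
COMMAND = "/smoke-me"                 # command name taken from the post


def protected_paths_touched(files):
    """Return the workflow paths a PR adds, edits, deletes or renames.

    `files` is a list of dicts shaped like the entries of GitHub's
    "list pull request files" REST response (filename, status, and
    previous_filename for renames).
    """
    hits = set()
    for entry in files:
        # A rename can move a file out of or into the workflow directory,
        # so both the old and the new path are checked.
        for path in (entry.get("filename"), entry.get("previous_filename")):
            # Conservative choice: case variants count as protected too.
            if path and path.lower().startswith(WORKFLOW_DIR):
                hits.add(path)
    return sorted(hits)


def decide(changed_files_count, files):
    """Return (approved, comment_body) for the server to post on the PR."""
    # Fail closed when the listing is incomplete (a missing page, or the
    # API's cap on listed files): an unseen file could be a workflow.
    if len(files) < changed_files_count:
        return False, "CI not started: changed-file list is incomplete."
    hits = protected_paths_touched(files)
    if hits:
        return False, "CI not started: this PR changes " + ", ".join(hits)
    return True, COMMAND


# Constructed sample inputs (not real pull request data).
SAFE_PR = [{"filename": "src/app.py", "status": "modified"}]
RENAME_PR = [{"filename": "ci/build.yml", "status": "renamed",
              "previous_filename": ".github/workflows/build.yml"}]

if __name__ == "__main__":
    print(decide(1, SAFE_PR))      # approved, body is the slash command
    print(decide(1, RENAME_PR))    # refused: workflow file moved away
    print(decide(3500, SAFE_PR))   # refused: listing shorter than the PR
```

`changed_files_count` is the `changed_files` number reported on the pull request object, compared against how many file entries the server actually fetched.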

Pilot Lvl 1
Message 45 of 46

Re: Github Workflow not running from pull request from forked repository


@atoomic wrote:

Here is the direction I'm going to use to work around that limitation:

- pull requests will not trigger the regular workflow [for all users, better to keep a single/shared workflow than multiple ones]

- a pull request will trigger a request to an external API server


The problem though is that GitHub doesn't even trigger anything on PRs of private forks. How can you "trigger a request to an external API server"? Or are you going to use GitHub's webhooks?

Ground Controller Lvl 2
Message 46 of 46

Re: Github Workflow not running from pull request from forked repository

Same problem here when pushing to master :(