Copilot Lvl 3
Message 1 of 14

Secrets for PRs who are not collaborators


I want to be able to preview on Netlify the PRs that outside contributors propose.

As you can see from https://github.com/nwtgck/actions-netlify/issues/32#issuecomment-591800758

Secrets are not passed to workflows that are triggered by a pull request from a fork.

Is there some sane way to work around this?

13 Replies
GitHub Partner
Message 2 of 14

Re: Secrets for PRs who are not collaborators

@kaihendry ,

Yeah, as you have seen from the docs, secrets are not passed to the runner when a workflow is triggered from a forked repository. This is for security reasons, and currently we do not have any workaround to bypass this limitation.

Of course, if your projects really need this feature, I recommend you directly report your feature request here. That will allow you to directly interact with the appropriate engineering team, and make it more convenient for the engineering team to collect and categorize your suggestions.

Copilot Lvl 3
Message 3 of 14

Re: Secrets for PRs who are not collaborators

How do I express that I build on PR but only if it is a collaborator to avoid the failure messages?

on:
  pull_request:
    types: [opened, synchronize]

Is what I have in https://github.com/kaihendry/dabase.com/blob/ec94d0b8de9b12f04e1428e1f02ce0a1787dfbf0/.github/workfl...

Or perhaps can I bless a PR to be built under my user? For the preview I want?

GitHub Partner
Message 4 of 14

Re: Secrets for PRs who are not collaborators

@kaihendry ,

I have a workaround, maybe you can reference:
1. In your original repository, create a branch based on the default/base branch, for example create Merge_Fork branch based on master branch.

2. In the forked repository, every time the collaborators commit some new changes, ask the collaborators to create a PR to merge the new changes from the forked repository into the Merge_Fork branch of the original repository. Set this PR to not trigger the workflow (using branch filter).

3. In the original repository, create a PR to merge the changes from Merge_Fork branch into master branch, set this PR to trigger the workflow (using branch filter), in this situation the workflow can access secrets.

on:
  pull_request:
    types: [opened, synchronize]
    branches: 
      - master
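
An added example, not part of the thread or of any participant's repository: one way to express the question from Message 3 using the `pull_request` trigger and branch filter shown above. The deploy job is skipped (not failed) when the PR head is in a fork, where secrets are not passed; the condition tests where the PR branch lives, not who opened it. The build command, deploy script and secret names are placeholders.

```yaml
# Added example. Build command, deploy script and secret names are assumptions.
name: preview
on:
  pull_request:
    types: [opened, synchronize]
    branches:
      - master

jobs:
  # Runs for every PR, including PRs from forks. It references no secrets,
  # so it cannot fail because a secret arrived empty.
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # read-only token is enough for a build
    steps:
      - uses: actions/checkout@v4
      - run: make build       # hypothetical build command

  # Runs only when the PR branch is in this repository, which is the case
  # in which secrets are passed to the runner. For a fork PR the job is
  # reported as skipped instead of failing on missing credentials.
  deploy-preview:
    needs: build
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: make build       # hypothetical build command
      - run: ./deploy-preview.sh   # hypothetical deploy script
        env:
          # Assumed secret names; scoped to this single step only.
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
          NETLIFY_SITE_ID: ${{ secrets.NETLIFY_SITE_ID }}
```

With the two-branch workaround from Message 4, the PR from Merge_Fork into master has its head in the original repository, so the `deploy-preview` job runs for it.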

 

GitHub Partner
Message 5 of 14

Re: Secrets for PRs who are not collaborators

@kaihendry ,

As I suggested in previous reply, create a feature branch in your original repository. At first merge changes from the forked repository into the feature branch of the original repository, and then create a PR to merge changes from the feature branch to the base branch to trigger the workflow run, this will allow the workflow to access the secrets in your original repository.

Have you tried this suggestion? Is it helpful to you? Any progress, please feel free to let me know.

Copilot Lvl 3
Message 6 of 14

Re: Secrets for PRs who are not collaborators

There is no automated way to do this, right?

The whole point of using GitHub and this PR flow is to make things easier. If I have to run a bunch of commands then I feel the value of this flow is diminished.

Copilot Lvl 3
Message 7 of 14

Re: Secrets for PRs who are not collaborators

Although this is just an idea, that automation may be created with GitHub Actions because GITHUB_TOKEN has write permission to the original repo.

(I try to make this proof of concept.)

Copilot Lvl 3
Message 8 of 14

Re: Secrets for PRs who are not collaborators

I made a PoC GitHub Actions for merge preview.

Here is a successful merge preview.

https://github.com/nwtgck/actions-merge-preview/runs/489448436?check_suite_focus=true

My expected usage is that the owner comments "@some-bot merge preview", then the action is triggered by the comment in the PR.

Copilot Lvl 3
Message 9 of 14

Re: Secrets for PRs who are not collaborators

Ah, this looks promising. But I am not sure how to view your workflow file.

operation-test just appears to do a check out?

Copilot Lvl 3
Message 10 of 14

Re: Secrets for PRs who are not collaborators

Thanks.

I made a demo video to show how to use it.

actions-merge-preview.gif

Here is an actual pull request from non-maintainers:
https://github.com/nwtgck/piping-chat-web/pull/194

Here is the workflow file:

https://github.com/nwtgck/piping-chat-web/blob/762cd1541d3a12eb94849d8017e435e5ddedf992/.github/work...