Copilot Lvl 3
Message 1 of 5

Token permissions for forks (once again)

I want to raise an issue about the GITHUB_TOKEN permissions for forked repositories again; it was discussed already here and here, but we at @actions-rs are having problems with it right now and there is still no reasonable solution.

I understand why forked repos have read-only permissions, but it effectively blocks any linters, checkers and audit tools from being implemented as GitHub Actions; for example, it's disallowed to post any data to the Checks API, therefore it is impossible to create a linter which will validate pull requests from forked repositories.

Considering how suitable GitHub Actions are for this kind of stuff, it would be nice to address this problem somehow (by executing the Action from the base repository, maybe?).
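
As an added example, not part of the original post or of the actions-rs code: one way a linter action can cope with the read-only token described above is to detect a fork pull request from the event payload and report findings as workflow-command annotations in the job log instead of calling the Checks API. The function names, repository names and findings are assumptions made for illustration.

```javascript
// Added example (not from the thread). Payload fields follow the pull_request
// webhook event; repository names and findings below are constructed.

// True when the PR head is in a different repository than the base (a fork).
function isForkPullRequest(event) {
  const pr = event && event.pull_request;
  if (!pr) return false;                    // not a pull_request event
  const head = pr.head && pr.head.repo;
  if (!head) return true;                   // fork deleted: assume read-only
  return head.full_name !== pr.base.repo.full_name;
}

// Workflow-command escaping, so text taken from an untrusted PR cannot
// terminate the line and start a second command in the job log.
const escapeData = (s) =>
  String(s).replace(/%/g, '%25').replace(/\r/g, '%0D').replace(/\n/g, '%0A');
const escapeProperty = (s) =>
  escapeData(s).replace(/:/g, '%3A').replace(/,/g, '%2C');

// One finding rendered as an ::error / ::warning workflow command.
function toAnnotation(f) {
  const level = f.severity === 'error' ? 'error' : 'warning';
  return `::${level} file=${escapeProperty(f.file)},line=${Number(f.line)}::` +
    escapeData(f.message);
}

// Checks API when the token can write; job-log annotations for fork PRs.
function planReport(event, findings) {
  return isForkPullRequest(event)
    ? { mode: 'log-annotations', lines: findings.map(toAnnotation) }
    : { mode: 'checks-api', annotations: findings };
}

// Constructed sample input.
const repo = (name) => ({ repo: { full_name: name } });
const forkEvent = { pull_request: { head: repo('contributor/project'), base: repo('upstream/project') } };
const sameRepoEvent = { pull_request: { head: repo('upstream/project'), base: repo('upstream/project') } };
const findings = [
  { file: 'src/main.rs', line: 12, severity: 'warning', message: 'unused variable: `x`' },
  { file: 'src/a,b.rs', line: 3, severity: 'error', message: 'line one\n::error::injected' },
];

planReport(forkEvent, findings).lines.forEach((l) => console.log(l));
```

The second constructed finding carries a newline followed by `::error::`; after escaping it stays on one line, so message text from an untrusted pull request cannot emit a separate command.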

4 Replies
Copilot Lvl 3
Message 2 of 5

Re: Token permissions for forks (once again)

Hello,

I have also raised the same issue before here, and I haven't gotten any response yet.

Like @svartalf mentioned, since GITHUB_TOKEN has only read-only access for the forked repo, it is effectively BLOCKING the use of any PR labellers, linters, unit tests, or audit tools as a GitHub Action.

Even the native GitHub Action Labeller fails and doesn't work for forked repos, and this has been discussed here. The coveralls GitHub Action also doesn't post a PR comment for PRs from forked repositories. Hence, with this restriction, it is impossible to develop an action like labeller which can validate the pull requests coming from forked repositories.

The same issue has been raised on multiple occasions by different awesome developers in this forum, and here is the list:

  1. https://github.community/t5/GitHub-Actions/Make-secrets-available-to-builds-of-forks/m-p/33885/highl...
  2. https://github.community/t5/GitHub-Actions/optional-read-write-permission-for-forked-repos/m-p/32495...
  3. https://github.community/t5/GitHub-Actions/Github-Workflow-not-running-from-pull-request-from-forked...
  4. https://github.community/t5/GitHub-Actions/Github-Workflow-not-running-from-pull-request-from-forked...

 

Please kindly take it as HIGH PRIORITY, as it is BLOCKING the use of any audit tool actions like Labeller, linters, and code coverage actions for forked repos, and is also BLOCKING developers from developing any of these kinds of actions. The GITHUB_TOKEN should at least have read/write access for the Pull_Request_comment, as this is not critical and won't have any write access to the content of the base repository. Since most of the contributions to open-source projects come from forked repos, it would be really nice to address this issue somehow.

Ground Controller Lvl 1
Message 3 of 5

Re: Token permissions for forks (once again)

Hi Vandana.

I think that is a very good point.

We are also facing the same problem in all our open-source projects, as we are unable to use any of the auditing actions like Labeller or code coverage and unit testing actions because of the restrictions imposed on actions for PRs coming from forked repos.

This is a PRIMARY use case and it is stopping us from switching to using these actions for automating the workflow.

If at least the Labeller were authorized for PRs coming from forked repositories, this would already help to cover some of our use cases.

Kind regards

Michael

Copilot Lvl 3
Message 4 of 5

Re: Token permissions for forks (once again)

Hi Michael,

Thank you for the support of this feature request. I am glad others are also facing the same issue. It would be really nice to get a clarification from the GitHub side.

Pilot Lvl 1
Message 5 of 5

Re: Token permissions for forks (once again)

This is exactly the same issue which we are facing too. All the pull request verification actions like Labeller and coveralls need at best the read/write access for the Pull_Request_Comment. We have currently stalled the development of our PR workflow automation action due to this constraint for pull requests coming from forks, and this is the only use case for us.