Help
cancel
Showing results for 
Search instead for 
Did you mean: 
Copilot Lvl 3
Message 1 of 3

how to use $GITHUB_TOKEN for PRs from forks

It seems (for very valid security reasons) that secrets aren't available to actions triggered by PRs from a fork.

 

In our project we have a number of workflows that require this token though, for instance we:

 

  1. run a performance analysis and post a comment with the results on the PR
  2. run an asset size analysis and post a comment with the results on the PR
  3. In both cases we fetch the list of existing comments for the PR
  4. In both cases we delete any existing analysis comments left for prior commits from the PR.

 

For both of these we require use of $GITHUB_TOKEN however the token made available appears to have more limited permissions that limit our ability to interact with the github API, and we receive this response:

 

{
  "message": "Resource not accessible by integration",
  "documentation_url": "https://developer.github.com/v3/issues/comments/#create-a-comment"
}
 
Is there a recommended pattern for actions that should run on PRs that need these forms of permission?
2 Replies
GitHub Partner
Message 2 of 3

Re: how to use $GITHUB_TOKEN for PRs from forks

This is an expected behavior as designed. Secrets are not passed to the runner when a workflow is triggered from a forked repository, you can refer to this link for details: Using encrypted secrets in a workflow. And for GitHub_Token,  the permission is limited to Read Only when the workflow is triggered from a forked repository: Permissions for the GITHUB_TOKEN. That means there isn't any way to configure the actions to do this for now.

 

 

 

 

Pilot Lvl 1
Message 3 of 3

Re: how to use $GITHUB_TOKEN for PRs from forks

Many action developers are facing this issue and this topic  is been discussed in multiple occasions  before.

What I heard from GitHub team is that, they are working on this issue with a security model in place. So hopefully, I believe this issue will be addressed soon.