Test action always fails when PR is created from a fork

[vinny-sabatini]

What happens?

When a pull request is created from a fork, the test action always fails

What were you expecting to happen?

I would expect that the jobs would be able to run successfully

Steps to reproduce:

• Create a PR from a fork
• Look at the logs from the "Authenticate to Google Cloud" step

Any errors, stacktrace, logs?

Here are the logs from the step:

Run google-github-actions/auth@v1
  with:
    workload_identity_provider: projects/8[2](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:2)1427[3](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:3)11[4](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:4)13/locations/global/workloadIdentityPools/prombq-adaptor/providers/github
    service_account: [email protected]
    create_credentials_file: true
    export_environment_variables: true
    cleanup_credentials: true
    access_token_lifetime: 3600s
    access_token_scopes: https://www.googleapis.com/auth/cloud-platform
    retries: 0
    id_token_include_email: false
  env:
    BQ_DATASET_NAME: github_actions_41866471[5](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:5)[8](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:8)_2
    MSYS: winsymlinks:nativestrict
Error: google-github-actions/auth failed with: retry function failed after 1 attempt: gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job. This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork. For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Additional comments:

#203 is an example PR where this issue happened

[vinny-sabatini]

What I've found so far:

• Per this GitHub Blog pull_request events from a forked repo do NOT have access to secrets, and get a read-only token to protect public repositories from malicious users. The pull_request_target and workflow_run events have access to secrets and get a read/write token.
• This GitHub Article provides guidance for how these events can be used to securely run code that requires secrets and or read/write tokens (in our case we need read/write)

[vinny-sabatini]

I found a couple of other interesting things that could help:

• GitHub action that allows maintainers to mark a commit as "ok to test" - https://github.com/imjohnbo/ok-to-test
• Blog explaining how to implement this in GitHub Actions - https://michaelheap.com/access-secrets-from-forks/

Also, now that #348 has been merged upgrading the codecov-action to v4.0.0, and we can no longer do tokenless uploads to CodeCov, we will run into this same issue with that action.