The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository #685
Closed
7 tasks done
Comments
tbouffard
changed the title
The "Contribution Checks" fails when the PR is created from a fork repository
The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository
Mar 26, 2024
benjaminParisel
pushed a commit
to bonitasoft/actions
that referenced
this issue
Apr 16, 2024
…129) Ensure that the commit of the PR branch is used when the action is triggered by `pull_request_target` and not the commit of the base branch. Improve debug logs and remove duplication.

### Notes

This should fix what is described in bonitasoft/bonita-labs-doc#153 (comment). This PR has been tested with bonitasoft/bonita-labs-doc#155

Covers bonitasoft/bonita-documentation-site#685
This was referenced Apr 16, 2024
Merged
ci: make workflows better work for PR created from forked repo
bonitasoft/bonita-test-toolkit-doc#58
Merged
benjaminParisel
pushed a commit
to bonitasoft/bonita-continuous-delivery-doc
that referenced
this issue
Apr 18, 2024
"contribution checks": The workflow now runs on `pull_request_target` events. There are no security issues here. Checks are made only on the updated PR file without doing any tool installation, cache update or branch check. Only the GitHub API is used. Using this event allows you to create a PR comment when the PR is created from a forked repository.

"build preview" and "references validation" workflows: The content of the branch of the fork is now correctly used. Previously, the branch of the fork wasn't found by Antora, so the content of the generated site was empty.

### Notes

Covers bonitasoft/bonita-documentation-site#402
Covers bonitasoft/bonita-documentation-site#685
benjaminParisel
pushed a commit
to bonitasoft/bonita-central-doc
that referenced
this issue
Apr 18, 2024
benjaminParisel
pushed a commit
to bonitasoft/bonita-cloud-doc
that referenced
this issue
Apr 18, 2024
rbioteau
pushed a commit
to bonitasoft/bonita-test-toolkit-doc
that referenced
this issue
Apr 18, 2024
All tasks are completed so closing.
ℹ️ Part of a top-level initiative: #670
The underlying action bonitasoft/actions/packages/pr-antora-content-guidelines-checker@v2 fails to write the PR comment. It uses the GH_TOKEN to create a PR comment, but this token doesn't have permission to write PR comments (read-only permission when the PR is created from a fork). See the problem on bonitasoft/bonita-cloud-doc#53, job https://github.com/bonitasoft/bonita-cloud-doc/actions/runs/8422019939/job/23065313474?pr=53
Logs
Possible alternatives to fix the problem

pr-antora-content-guidelines-checker action. Notice that the latter requires changing the implementation of the action, while the former may only require changing the workflows calling the action.
The action could also create a summary and/or add logs even when it is not possible to create the PR comment.
Decision

After discussions with @benjaminParisel, we decided to run the pr-antora-content-guidelines-checker action in a workflow triggered by a pull_request_target. There is no security issue here. The checks are done only on the updated file of the PR without doing tool installation, cache update or branch checkout. Only the GitHub API is used.
Using this event allows creating a PR comment when the PR is created from a forked repository.
Resources: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
Tasks

pr-antora-content-guidelines-checker action to fully support the pull_request_target event: feat: better support pull_request_target in "antora checker" action actions#129. It is included in a new release https://github.com/bonitasoft/actions/releases/tag/v3.1.0
pull_request_target
bonita-labs-doc#153
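To illustrate the decision above, here is an added example workflow (not the bonitasoft workflow, and the action name and its inputs are placeholders): the `pull_request` trigger is replaced by `pull_request_target` so the workflow's GITHUB_TOKEN can write a comment on a fork PR, with permissions restricted to what the comment step needs and no checkout of the fork branch.

```yaml
# Added example, not the project's own workflow. The action name and its
# `head-sha` input are placeholders; check the real action's documented inputs.
name: contribution-checks

on:
  # With plain `pull_request`, a PR opened from a fork gets a read-only
  # GITHUB_TOKEN, so creating the PR comment fails with a permission error:
  # pull_request:
  #   paths: ['modules/**/*.adoc']
  pull_request_target:
    paths: ['modules/**/*.adoc']

# Least privilege for the privileged token: read the repo, write PR comments.
permissions:
  contents: read
  pull-requests: write

jobs:
  check-content:
    runs-on: ubuntu-latest
    steps:
      # Deliberately no actions/checkout of the PR head, no tool install and
      # no cache step: under pull_request_target the token is privileged, so
      # nothing from the untrusted fork branch is executed here. The check
      # only reads the changed files through the GitHub API.
      - name: Check changed files via the GitHub API
        uses: example-org/pr-content-checker@v3   # placeholder action
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          # pull_request_target runs in the context of the base branch; pass
          # the PR head commit explicitly so the check inspects the PR's files
          # rather than the base branch's files.
          head-sha: ${{ github.event.pull_request.head.sha }}
```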