The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository #685

tbouffard · 2024-03-26T09:20:34Z

ℹ️ Part of a top-level initiative: #670

The underlying action bonitasoft/actions/packages/pr-antora-content-guidelines-checker@v2 fails to write the PR comment. It uses the GH_TOKEN to create a PR comment but this token hasn't the permission to write PR comment (read-only permission when PR created from a fork).

See the problem on bonitasoft/bonita-cloud-doc#53, job https://github.com/bonitasoft/bonita-cloud-doc/actions/runs/8422019939/job/23065313474?pr=53

Logs

Run bonitasoft/actions/packages/pr-antora-content-guidelines-checker@v2
  with:
    attributes-to-check: :description:
    files-to-check: adoc
    forbidden-pattern-to-check: https://documentation.bonitasoft.com,link:https,link:http,link:,xref:https,xref:http,xref:_,xref:#,Bonita BPM
    github-token: ***
Input parameters:
❌ This following checks are failed: 
 * Attributes validation
 * Forbidden pattern validation
Error: Resource not accessible by integration

Possible alternatives to fix the problem

we may run the workflow on pull_request_target (a priori, no security issue, as there is no build involved here, only static check of the content of AsciiDoc files)
when running from a fork or when detecting that the GH_TOKEN has the write permission (how to do this? see pr-title-conventional-commits: create PR comment only if permissions are properly set actions#93), do not create a PR comment. Add logs and/or create a job summary (see also https://github.blog/2022-05-09-supercharging-github-actions-with-job-summaries/). This requires to update the implementation of the pr-antora-content-guidelines-checker action.

Notice that the later require to change the implementation of the action, while the former may only require to change the workflows calling the action.
The action could also create a summary and/or add logs even when it is not possible to create the PR comment.

Decision

After discussions with @benjaminParisel, we decided to run the pr-antora-content-guidelines-checker action in a workflow triggered by a pull_request_target.

There is no security issue here. The checks are done only on the updated file of the PR without doing tool installation, cache update or branch checkout. Only the GitHub API is used.
Using this event allows to create PR comment when the PR is created from a forked repository.

Resources: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

Tasks

Update the pr-antora-content-guidelines-checker action to fully support the pull_request_target event: feat: better support pull_request_target in "antora checker" action actions#129. It is included in a new release https://github.com/bonitasoft/actions/releases/tag/v3.1.0
Do testing on the bonita-labs-doc repository
Apply the changes to all content repositories

The text was updated successfully, but these errors were encountered:

…129) Ensure that the commit of the PR branch is used when the action is triggered by `pull_request_target` and not the commit of the base branch. Improve debug logs and remove duplication. ### Notes This should fix what is described in bonitasoft/bonita-labs-doc#153 (comment). This PR has been tested with bonitasoft/bonita-labs-doc#155 Covers bonitasoft/bonita-documentation-site#685

"contribution checks" The workflow now runs on `pull_request_target` events. There are no security issues here. Checks are made only on the updated PR file without doing any tool installation, cache update or branch check. Only the GitHub API is used. Using this event allows you to create a PR comment when the PR is created from a forked repository. "build preview" and "references validation" workflows. The content of the branch of the fork is now correctly used. Previously, the branch of the fork wasn't found by Antora, so the content of the generated site was empty. ### Notes Covers bonitasoft/bonita-documentation-site#402 Covers bonitasoft/bonita-documentation-site#685

tbouffard · 2024-04-19T10:06:50Z

All tasks are completed so closing.

tbouffard added the CI ⚙️ label Mar 26, 2024

tbouffard mentioned this issue Mar 26, 2024

Improve the management of contributions done from fork repositories #670

Closed

tbouffard changed the title ~~The "Contribution Checks" fails when the PR is created from a fork repository~~ The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository Mar 26, 2024

tbouffard added the bug Something isn't working label Mar 27, 2024

tbouffard self-assigned this Apr 15, 2024

tbouffard closed this as completed Apr 19, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository #685

The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository #685

tbouffard commented Mar 26, 2024 •

edited

Loading

tbouffard commented Apr 19, 2024

The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository #685

The "Contribution Checks" fails to create PR comment when the PR is created from a fork repository #685

Comments

tbouffard commented Mar 26, 2024 • edited Loading

Decision

Tasks

tbouffard commented Apr 19, 2024

tbouffard commented Mar 26, 2024 •

edited

Loading