Pass secrets to approved workflow jobs #258
Hmm... |
Trouble with secret passing might be a limitation of the |
Ideally, we want to run tests for PRs but this workaround looks good to me at this time
this reverts commit c713bb3 because this is useful
@seratch There are a few new changes so want to check that this looks good before merging. The tests aren't running on this PR, but I believe this is because Using |
runs-on: ubuntu-latest | ||
steps: | ||
- name: Check user permissions | ||
if: ${{ github.event_name == 'pull_request' && github.event.pull_request.author_association != 'MEMBER' }} |
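Review bot: The `if:` on the "Check user permissions" step only matches `github.event_name == 'pull_request'`. If this workflow is triggered by `pull_request_target`, the event name is `pull_request_target`, so the condition is always false and the step never runs for the fork PRs it is meant to gate before secrets are used. Consider matching the event name the workflow actually runs under, or dropping the event-name test and checking `github.event.pull_request.author_association` alone. Comparing only against `'MEMBER'` also treats `OWNER` and `COLLABORATOR` authors as unapproved; if that is not intended, list the trusted associations explicitly.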
The `pull_request_target` still uses the `event.pull_request` values from what I can tell: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target
@zimeg Sorry for missing the additional changes here. All of them look good to me too. You can merge this PR tomorrow (or early next week).
@seratch No worries at all! Thank you for another review 🙌
Summary

This PR attempts to pass secrets to integration tests for PRs opened from a fork. Fixes #251.

PRs not opened by a `COLLABORATOR` will initially fail because secrets "are not passed to workflows that are triggered by a pull request from a fork" but checking out the `head.sha` on a re-run is an apparent workaround for this and workflows can be re-run by a maintainer!

Notes

`author_associations` include `MEMBER` which might work better for the check in `access_check`. I think a re-run will pass this check in any case though 🤔

Requirements