Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Run preview.yaml without secret key #38

Merged
merged 1 commit into from
Apr 18, 2024

Conversation

b10n1k
Copy link
Collaborator

@b10n1k b10n1k commented Apr 10, 2024

To avoid the use of secret variable in CI which breaks the pr-preview-action when it runs from forked repo, the preview.yaml is updated to use pull_request_target event instead of pull_request. Permissions are removed as the GITHUB_TOKEN is granted read/write repository permission by default for that event.

https://progress.opensuse.org/issues/158236

Copy link
Member

@okurz okurz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, did you try it out? Why draft? I would be ok to just merge to actually try it out if there is no better way to test

Copy link
Contributor

@perlpunk perlpunk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

With this change this workflow will now be called from the main branch and only test the code from the main branch, so it's pointless this way.
The new code from the PR has to be checked out manually.

@b10n1k b10n1k force-pushed the workaround_forked_ci branch from 9655d25 to 9ba2775 Compare April 11, 2024 13:46
@b10n1k
Copy link
Collaborator Author

b10n1k commented Apr 11, 2024

The new code from the PR has to be checked out manually

i removed the branch, so it should run for every push.

@@ -3,7 +3,6 @@ name: Backlog Limits Checker Preview
# yamllint disable-line rule:truthy
on:
push:
branches: ['main']
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This needs to stay there. We only want to deploy for commits on the main branch.

@perlpunk
Copy link
Contributor

The new code from the PR has to be checked out manually

i removed the branch, so it should run for every push.

What I mean is: pull_request_target checks out the main branch. You cannot just convert pull_request to pull_request_target and everything works the same.
https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

This event runs in the context of the base of the pull request, rather than in the context of the merge commit, as the pull_request event does. This prevents execution of unsafe code from the head of the pull request that could alter your repository or steal any secrets you use in your workflow.

Since we decided that we want to run unsafe code from the PR explicitly, we need to check out that branch.

@b10n1k b10n1k force-pushed the workaround_forked_ci branch from 9ba2775 to 9035450 Compare April 12, 2024 08:38
@b10n1k b10n1k marked this pull request as ready for review April 12, 2024 08:40
@b10n1k
Copy link
Collaborator Author

b10n1k commented Apr 12, 2024

The new code from the PR has to be checked out manually

i removed the branch, so it should run for every push.

What I mean is: pull_request_target checks out the main branch. You cannot just convert pull_request to pull_request_target and everything works the same. https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

This event runs in the context of the base of the pull request, rather than in the context of the merge commit, as the pull_request event does. This prevents execution of unsafe code from the head of the pull request that could alter your repository or steal any secrets you use in your workflow.

Since we decided that we want to run unsafe code from the PR explicitly, we need to check out that branch.

I think i got it but i am struggled to understand some concepts with pull_request_target and what it takes to checkout the PR and run against it. @perlpunk please check again 883aa24

To avoid the use of secret variable in CI which breaks the pr-preview-action
when it runs from forked repo, the preview.yaml is updated to use
pull_request_target event instead of pull_request. Permissions are removed as
the GITHUB_TOKEN is granted read/write repository permission by default for
that event.

https://progress.opensuse.org/issues/158236

Signed-off-by: ybonatakis <[email protected]>
@b10n1k b10n1k force-pushed the workaround_forked_ci branch from 9035450 to 883aa24 Compare April 12, 2024 08:45
@b10n1k b10n1k requested a review from perlpunk April 12, 2024 08:47
Copy link
Member

@okurz okurz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a not-critical project so I would simply have that quickly merged and see what happens

@perlpunk perlpunk dismissed their stale review April 12, 2024 11:04

changes were made

@perlpunk perlpunk merged commit 38d6dfc into openSUSE:main Apr 18, 2024
1 check passed
@perlpunk
Copy link
Contributor

#40 is not doing what's expected.
Possibly because the action is actually doing a checkout itself: https://github.com/openSUSE/backlogger/blob/main/action.yaml#L32

@b10n1k b10n1k deleted the workaround_forked_ci branch April 22, 2024 07:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants