fix: preview-web can't be run on forks #84
Conversation
GitHub repo SECRETS are not exposed to forks, thus the preview-web step can't be run on pull requests from forks.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #84 +/- ##
=======================================
Coverage 39.54% 39.54%
=======================================
Files 103 103
Lines 12006 12006
Branches 645 645
=======================================
Hits 4748 4748
Misses 7251 7251
Partials 7 7 ☔ View full report in Codecov by Sentry. |
|
@pfeerick this makes sense, you could also try implement something like this https://michaelheap.com/access-secrets-from-forks/ |
|
Oh... thanks for that ... will look at that tomorrow :) |
From what I can see, it appears to be linked to the checkout, so may need to be done for both compile and storyboard steps as they are dependencies of preview-web.
|
Ok, either something has changed in github, or that method only works for checkout... so it looks like the only real way to do this is how github themselves recommended it... by using a split workflow... one being the "insecure", and the second the "secure" one. Thankfully the current structure of the CI build seems to be suited to being split right down the middle where it's needed, so it shouldn't be that hard to simply split it in two. https://securitylab.github.com/research/github-actions-preventing-pwn-requests/ |
|
Ok, I'm done for today 🤕 Both stage 1 and stage 2 appear to be working as intended. stage 1 - test-and-compile - https://github.com/pfeerick/buddy/actions/runs/9591978099 stage 2 was expected to fail where it did as while I gave it a valid cloudflare API and re-ran just that failed step, I don't have a mirror of the buddy project setup, so it merely progressed further than the first run. stage 3 appears to have correctly skipped due to the failure of the prior stage. Now sort of wondering if I should split it down a bit further... i.e. five workflows ... test, compile, app, web, release ... or maybe rename... test, build, release? 🤔 |
GitHub repo SECRETS are not exposed to forks, thus the preview-web step can't be run on pull requests from forks.
It may be possible to use a different event trigger...
pull_request_target... in order to get around this, but this then also changes the context of the base of the pull request, from it being the merge commit, to that of the base of the pull request, and am not sure if this will have unexpected consequences, hence this more immediate quick fix.