Merge pull request #364 from panorama-ed/secret-push

Allow PRs from forks to access `CODECOV_TOKEN`
panorama-ed · Dec 16, 2024 · 5a86acc · 5a86acc
2 parents e446ec7 + 0f840cc
commit 5a86acc
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,6 +6,20 @@ on:
   push:
     branches:
     - main
+
+  # Though GitHub's documentation mostly says you only need this for reusable
+  # workflows (i.e. workflows that call other workflows), it seems that GitHub
+  # does not pass secrets to `pull_request` events that come from forks (which
+  # it seems Dependabot's PRs do?) unless they are explicitly passed through,
+  # because they do not want a forker's PR to be able to exfiltrate secret data
+  # from the forked repo. This behavior is not really documented with respect to
+  # Dependabot but some hints are here:
+  # - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow
+  # - https://github.com/pypa/gh-action-pypi-publish/discussions/49
+  workflow_call:
+    secrets:
+      CODECOV_TOKEN:
+        required: true
 jobs:
   ci:
     name: CI