Example workflow configuration showing how to use GitHub Actions secrets in pull requests from forks π΄π
Home Page: https://github.com/imjohnbo/ok-to-test
License: MIT License
@imjohnbo hello, we have applied your template in our repo, yet there is some functionality we want cannot be achieved. So we would like to hear some insights from you. So basically we would like to see the logs in the original workflow instead of the /ok-to-test command workflow for a forked-based pull request. For example, if you look here It says the check is skipped. Let's say the owner triggered the /ok-to-test workflow and it fails, here it will only display the check fails. The real logs are displayed in the newly triggered /ok-to-test workflow. So what we want is that right here in the original workflow we can see the error log, or at least can display an url pointing to the actual running workflow. Do you think this is achievable? Thanks
I am using the personal access token authentication method. However, I can't seem to get it to work. Here is my ok-to-test.yml. What lines should be commented out in order to make it work for the personal access token? Thanks.
Hi there,
Thanks a lot for creating this, this looks really nice and exactly what I need. I understand pretty much everything regarding the workflow part of things but I'm struggling to know what kind of parameters to put in when creating the github app even when following URL: https://docs.github.com/en/free-pro-team@latest/developers/apps/creating-a-github-app
Especially not sure what to put in the URL sections as well as what kind of permissions it will need.
Do you have more info on how to do this best?
Thanks for putting this together, it's really useful. I've been experiencing a couple of (what I imagine are) permission errors related to the GitHub App configuration. Are there some additional permissions that need to be granted beyond those stated below?
default_permissions:
contents: :write
metadata: :read
This script:
ok-to-test/.github/workflows/integration.yml
Lines 52 to 73 in 474c02c
Fails with this error for me:
2023-03-05T18:53:26.8384989Z RequestError [HttpError]: Resource not accessible by integration
2023-03-05T18:53:26.8387986Z at /home/runner/work/_actions/actions/github-script/v6/dist/index.js:6803:21
2023-03-05T18:53:26.8388365Z at processTicksAndRejections (node:internal/process/task_queues:96:5)
2023-03-05T18:53:26.8388932Z at async eval (eval at callAsyncFunction (/home/runner/work/_actions/actions/github-script/v6/dist/index.js:15099:16), <anonymous>:13:26)
2023-03-05T18:53:26.8389463Z at async main (/home/runner/work/_actions/actions/github-script/v6/dist/index.js:15198:20) {
2023-03-05T18:53:26.8389745Z status: 403,
2023-03-05T18:53:26.8389922Z response: {
2023-03-05T18:53:26.8390378Z url: 'https://api.github.com/repos/GoodhandSolutions/terraform-snowflake-playground/check-runs/11775549491',
2023-03-05T18:53:26.8391081Z status: 403,
2023-03-05T18:53:26.8391282Z headers: {
2023-03-05T18:53:26.8391572Z 'access-control-allow-origin': '*',
2023-03-05T18:53:26.8392544Z 'access-control-expose-headers': 'ETag, Link, Location, Retry-After, X-GitHub-OTP, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Used, X-RateLimit-Resource, X-RateLimit-Reset, X-OAuth-Scopes, X-Accepted-OAuth-Scopes, X-Poll-Interval, X-GitHub-Media-Type, X-GitHub-SSO, X-GitHub-Request-Id, Deprecation, Sunset',
2023-03-05T18:53:26.8393279Z connection: 'close',
2023-03-05T18:53:26.8393538Z 'content-encoding': 'gzip',
2023-03-05T18:53:26.8393865Z 'content-security-policy': "default-src 'none'",
2023-03-05T18:53:26.8394227Z 'content-type': 'application/json; charset=utf-8',
2023-03-05T18:53:26.8394548Z date: 'Sun, 05 Mar 2023 18:53:26 GMT',
2023-03-05T18:53:26.8394962Z 'referrer-policy': 'origin-when-cross-origin, strict-origin-when-cross-origin',
2023-03-05T18:53:26.8395324Z server: 'GitHub.com',
2023-03-05T18:53:26.8395714Z 'strict-transport-security': 'max-age=31536000; includeSubdomains; preload',
2023-03-05T18:53:26.8396063Z 'transfer-encoding': 'chunked',
2023-03-05T18:53:26.8396408Z vary: 'Accept-Encoding, Accept, X-Requested-With',
2023-03-05T18:53:26.8396746Z 'x-content-type-options': 'nosniff',
2023-03-05T18:53:26.8397024Z 'x-frame-options': 'deny',
2023-03-05T18:53:26.8397350Z 'x-github-api-version-selected': '2022-11-28',
2023-03-05T18:53:26.8397678Z 'x-github-media-type': 'github.v3',
2023-03-05T18:53:26.8398039Z 'x-github-request-id': '86C4:60B2:2DCE608:5F0BA85:6404E526',
2023-03-05T18:53:26.8398348Z 'x-ratelimit-limit': '1000',
2023-03-05T18:53:26.8398628Z 'x-ratelimit-remaining': '980',
2023-03-05T18:53:26.8398911Z 'x-ratelimit-reset': '1678044246',
2023-03-05T18:53:26.8399189Z 'x-ratelimit-resource': 'core',
2023-03-05T18:53:26.8399470Z 'x-ratelimit-used': '20',
2023-03-05T18:53:26.8400037Z 'x-xss-protection': '0'
2023-03-05T18:53:26.8400235Z },
2023-03-05T18:53:26.8400407Z data: {
2023-03-05T18:53:26.8400810Z message: 'Resource not accessible by integration',
2023-03-05T18:53:26.8403050Z documentation_url: 'https://docs.github.com/rest/reference/checks#update-a-check-run'
2023-03-05T18:53:26.8403371Z }
2023-03-05T18:53:26.8403527Z },
2023-03-05T18:53:26.8403684Z request: {
2023-03-05T18:53:26.8403938Z method: 'PATCH',
2023-03-05T18:53:26.8404396Z url: 'https://api.github.com/repos/GoodhandSolutions/terraform-snowflake-playground/check-runs/11775549491',
2023-03-05T18:53:26.8404722Z headers: {
2023-03-05T18:53:26.8405028Z accept: 'application/vnd.github.-preview+json',
2023-03-05T18:53:26.8405475Z 'user-agent': 'actions/github-script octokit-core.js/3.6.0 Node.js/16.16.0 (linux; x64)',
2023-03-05T18:53:26.8405836Z authorization: 'token [REDACTED]',
2023-03-05T18:53:26.8406169Z 'content-type': 'application/json; charset=utf-8'
2023-03-05T18:53:26.8406411Z },
2023-03-05T18:53:26.8406688Z body: '{"status":"completed","conclusion":"success"}',
2023-03-05T18:53:26.8407009Z request: { agent: [Agent], hook: [Function: bound bound register] }
2023-03-05T18:53:26.8407248Z }
2023-03-05T18:53:26.8407404Z }
2023-03-05T18:53:26.8437830Z ##[error]Unhandled error: HttpError: Resource not accessible by integration
Similarly the dispatching action, raises warnings for: Failed to set reaction on comment ID 1455172514.
Are these just user errors on my part or is it something else?
PS. I think the action versions need to be updated to prevent warnings being raised about the Node version. I can raise a PR for that.
Came across your solution in trying to find a way to share secrets in a safe way to fork contributors (for CI purposes). Would you mind sharing some example how I could incorporate this into an existing GitHub Actions CI workflow? Still relatively new to actions but solutions for secret access are few and far between. This looks promising!
Hey! Can you help me debug what is happening with the actions/github-script@v5 step on my CI?
https://github.com/external-secrets/external-secrets/runs/4166526723?check_suite_focus=true
We are basically following the same pattern suggested here in this repo. But out of nowhere this started to break. I just tried changing await github.pulls.get to await github.pull_requests.get but of course it wasn't it π
How did you figure out what to include in this script?
The sha should be referenced sooner that this so that this scenario doesn't happen:
T: admin comments /ok-to-testT + 1: malicious code introduced into PR branchT + 2: PR branch checked outSolution 1: accept sha argument like /ok-to-test 827asa
Solution 2: shorten time window by calculating the merge commit in ok-to-test.yml instead of integration.yml
I want to use the OAuth App method to authenticate, but how do you create the token in the first place? I see that you're intending to use secrets in the Slash Command Dispatch, but how does the token get created and put into Github secrets?
My interpretation was for this code:
- name: Slash Command Dispatch
uses: peter-evans/slash-command-dispatch@v1
env:
TOKEN: ${{ steps.generate_token.outputs.token }}
with:
token: ${{ env.TOKEN }} # GitHub App installation access token
# token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} # PAT or OAuth token will also work
reaction-token: ${{ secrets.GITHUB_TOKEN }}
issue-type: pull-request
commands: ok-to-test
named-args: true
permission: write
to become
- name: Slash Command Dispatch
uses: peter-evans/slash-command-dispatch@v1
with:
token: ${{ secrets.OAUTH-TOKEN}} # PAT or OAuth token will also work
reaction-token: ${{ secrets.GITHUB_TOKEN }}
issue-type: pull-request
commands: ok-to-test
named-args: true
permission: write
but that implies that there is a OAUTH-TOKEN in Github secrets. I know that the PAT is easy to create and put into secrets, but when creating an OAuth App in the UI, there's no where suggesting how to create a token. I'm reading steps #2 and #3 from these docs, but there's nothing about putting that token into Github secrets... Any guidance would help! I see that the flow using the Github app installation is well-documented, but using the Oauth token doesn't have an example, one would be appreciated!
Hi @imjohnbo - love this template, thanks for contributing it to the community!
I'm attempting to integrate the ok-to-test command in my public GitHub Action. I have the action dispatching properly, but as you can see on this PR, the dispatched actions don't show up under the PR checks. Is there some way to associate so I can make these required checks?
Why invoke a repo dispatch event? Canβt we instead open a check run from the issue_comment event directly? Would something like this work:
If owner OR comment = β/ok-to-testβ
...tests?
Thanks just learning Iβm obviously missing something
Specifically, here:
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
in the template for a trusted action - wouldn't this be true if the forked repository's PR last commit was a merge from the upstream repository into the forked repo?
Hi! I'm having trouble understanding how to get forked PRs to checkout the code of the head SHA of the PR because when I use your example code of:
ref: 'refs/pull/${{ github.event.client_payload.pull_request.number }}/merge'
The Integration Tests come back as having succeeded, but the individual tests say they are still pending. In the Github Actions UI, it says that the tests for the forked branches are skipped even though all the criteria pass. Here is my integration file for my open source repo: https://github.com/chanzuckerberg/terraform-provider-snowflake/blob/main/.github/workflows/integration.yml. I took out the above line because it didn't seem to be running the most recent commit on my PR. Any advice?
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. πππ
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google β€οΈ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.