
Community PRs require Action Secrets #98

Open
RobbieMcKinstry opened this issue Jul 8, 2022 · 0 comments
Labels
impact/reliability Something that feels unreliable or flaky kind/engineering Work that is not visible to an external user

Comments

@RobbieMcKinstry (Contributor)

What happened?

In #96 we discovered that GitHub Secrets are not passed to workflows when the PR is from a forked repo. See the blue box here.

This means that PRs from community members will always fail CI. Pulumi engineers will have to copy the PR and push it to a branch (or merge the PR from the forked repo to a branch other than main) to run CI tests.

This is less than ideal since it means community members won't have their PRs accepted since a new PR from a Pulumi employee is required to merge into main. It's also less than ideal because the process is not as streamlined as with our other repos.

Steps to reproduce

  1. Fork this repo.
  2. Modify the source code.
  3. Submit a PR.
  4. Observe that status checks fail.

Expected Behavior

  1. Status checks should pass on forked PRs if they pass on branch PRs.
  2. GitHub Secrets should not be used in workflows involving PRs. This is something of a security consideration (because we don't want PRs from community members to include a malicious script that dumps our secrets, then we bring the PR into the fold and execute it from a branch with Secret access), and something of a process smell. By requiring secrets, it usually means we're reliant on an external service or cloud provider for a CI test that should be more repeatable and not effectful.

Actual Behavior

  1. Status checks from forked PRs fail for this repo.

Versions used

No response

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
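One way to lay out a workflow so that the two expectations above hold (fork PRs get the same checks as branch PRs, and no job that executes PR code references a secret). This is an added example, not a workflow from this repository: the job names, the `make build` / `make test` / `make test-integration` targets and the `EXAMPLE_CLOUD_TOKEN` secret name are placeholders. The hermetic job uses no secrets at all, so it behaves identically whether or not GitHub withholds them; the effectful job is gated with an `if` expression so it is skipped, rather than failed, when the PR head comes from a fork.

```yaml
name: CI

on:
  pull_request:
  push:
    branches: [main]

jobs:
  # Hermetic checks: nothing here reads `secrets.*`, so the job runs the
  # same way for a fork PR (where GitHub passes no secrets) and a branch PR.
  unit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make build   # placeholder target
      - run: make test    # placeholder target

  # Effectful checks that need cloud credentials. Runs only after the
  # hermetic job passes, and only when the PR head lives in this repository
  # (or on a push to main), so PR code from a fork is never executed with
  # secrets in the environment.
  integration:
    needs: unit
    if: >-
      github.event_name == 'push' ||
      github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    env:
      # Placeholder secret name; the real name is whatever the repo defines.
      EXAMPLE_CLOUD_TOKEN: ${{ secrets.EXAMPLE_CLOUD_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - run: make test-integration   # placeholder target
```

The `if` guard compares the PR's head repository with the repository the workflow runs in, so a fork PR gets a skipped `integration` job instead of a red check caused by an empty token. The same separation is what keeps the scenario in the issue body from happening: the only job that ever sees a secret is one that does not run on fork-sourced code. Switching the trigger to `pull_request_target` would not be a fix, because that event runs in the base repository's context with secrets available; combining it with a checkout of the PR head re-creates exactly the "malicious script that dumps our secrets" risk described above.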

@RobbieMcKinstry RobbieMcKinstry added impact/reliability Something that feels unreliable or flaky kind/bug Some behavior is incorrect or out of spec labels Jul 8, 2022
@justinvp justinvp added kind/engineering Work that is not visible to an external user and removed kind/bug Some behavior is incorrect or out of spec labels Jul 1, 2024