Description
When contributors fork the repo and open a PR, GitHub Actions workflows fail: the workflow fails to authenticate to GCP.

The error message is:
Error: google-github-actions/auth failed with: retry function failed after 4 attempts: gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job. This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork. For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
The problem is that the workflow attempts to authenticate to GCP through OIDC, which requires the id-token: write permission. We set this permission correctly in the workflow configuration file, and workflows work as expected for PRs that are not from forks.

However, GitHub enforces a "Maximum access for pull requests from public forked repositories" of id-token: read, as detailed in this documentation.
Currently a maintainer must pull the source branch from the fork and manually run the end-to-end tests in order to know if the proposed changes break anything.
Ideally we want approved PRs to run end-to-end tests so that contributors can get quick feedback on their contribution.
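To make the failure mode concrete, here is an added example workflow (not this project's own file) that shows the permissions block described above and guards the GCP auth step so a fork PR is skipped with a clear message instead of hitting the error quoted above. The action versions, secret names and the test command are placeholders.

```yaml
# Added example, not the project's workflow. The permissions below are what the
# issue describes; GitHub still caps id-token at `read` for PRs from public forks,
# so the guard on each step prevents the confusing auth failure.
name: end-to-end
on:
  pull_request:

permissions:
  contents: read
  id-token: write   # required for OIDC; downgraded to `read` on public-fork PRs

jobs:
  e2e:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # A fork PR's head repository differs from the repository running the workflow,
      # so this expression is true only for same-repo branches where an ID token
      # can actually be minted.
      - name: Authenticate to GCP
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: google-github-actions/auth@v2
        with:
          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}  # placeholder secret
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}                        # placeholder secret

      - name: Run end-to-end tests
        if: github.event.pull_request.head.repo.full_name == github.repository
        run: make e2e   # placeholder for the project's real test command

      # Fork PRs get an explicit explanation rather than a retry-exhausted auth error.
      - name: Explain skipped end-to-end tests
        if: github.event.pull_request.head.repo.full_name != github.repository
        run: |
          echo "PR comes from a fork: id-token is capped at read, so GCP OIDC auth"
          echo "and the end-to-end tests are skipped. A maintainer must run them."
```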