Secrets for PRs who are not collaborators

[kaihendry]

I want to be able to preview on Netlify the PRs that outside contributors propose.

As you can see from nwtgck/actions-netlify#32 (comment)

Secrets are not passed to workflows that are triggered by a pull request from a fork.

Is there some sane way to work around this?

[BrightRan]

@kaihendry ,

Yeah, as you have saw from the docs, secrets are not passed to the runner when a workflow is triggered from a forked repository. This is for security reasons, and currently we have no any workaround to bypass this limitation.

Of course, if your projects really need this feature, I recommend you directly report your feature request here. That will allow you to directly interact with the appropriate engineering team, and make it more convenient for the engineering team to collect and categorize your suggestions.

[kaihendry]

How do I express that I build on PR but only if it is a collaborator to avoid the failure messages?

on:
    pull_request:
      types: [opened, synchronize]

Is what I have in https://github.com/kaihendry/dabase.com/blob/ec94d0b8de9b12f04e1428e1f02ce0a1787dfbf0/.github/workflows/netlify.yml

Or perhaps can I bless a PR to built under my user? For the preview I want?

[BrightRan]

@kaihendry ,

I have a workaround, maybe you can reference:

1. In your original repository, create a branch bashed on the default/base branch, for example create Merge_Fork branch based on master branch.

2. In the forked repository, every time the collaborators commit some new changes, ask the collaborators create a PR to merge the new changes from the forked repository into the Merge_Fork branch of the original repository. Set this PR do not trigger the workflow (using branch filter).

3. In the original repository, create a PR to merge teh changes from Merge_Fork branch into master branch, set this PR trigger the workflow (using branch filter), in this situation the workflow can access secrets.

   on:
   pull_request:
   types: [opened, synchronize]
   branches:
   - master

[BrightRan]

@kaihendry ,

As I suggested in previous reply, create a feature branch in your original repository. At first merge changes from the forked repository into the feature branch of the original repository, and then create a PR to merge changes from the feature branch to the base branch to trigger the workflow run, this will allow the workflow to access the secrets in your original repository.

Have you tried this suggestion? Is it helpful to you? Any progress, please feel free to let me know.

[kaihendry]

There is no automated way to do this right?

The whole point of using Github and this PR flow is to make things easier. If I have to run a bunch of commands then I feel the value of this flow is diminished.

[nwtgck]

Although this is just an idea, that automcation may be created with GitHub Actions because GITHUB_TOKEN has write permission to original repo.

(I try to make this proof of concept.)

[nwtgck]

I made a PoC GitHub Actions for merge preview.

Here is a successfull merge preview.

https://github.com/nwtgck/actions-merge-preview/runs/489448436?check_suite_focus=true

My expected usage is that owner comments “@some-bot merge preview”,  then the actions is triggered by the comment in PR.

[kaihendry]

Ah, this looks promising. But I am not sure how to view your workflow file.

operation-test just appears to do a check out?

[nwtgck]

Thanks.

I made a demo video to tell how to use.

actions-merge-preview.gif700×394 1.12 MB

Here is an actual pull request from non-maintainers:
nwtgck/piping-chat-web#194

Here is the workflow file:

https://github.com/nwtgck/piping-chat-web/blob/762cd1541d3a12eb94849d8017e435e5ddedf992/.github/workflows/merge-preview.yml

[nwtgck]

I made another more general GitHub Actions than before. You will get preview-branch to run GitHub Actions with the secrets for forked repos.

You can execute arbitrary script on GitHub comment. Here is the code: https://github.com/nwtgck/actions-comment-run/tree/20297f070391450752be7ac1ebd454fb53f62795#pr-merge-preview.

[kaihendry]

Aha! I understand…  only owner can run it allowed-associations: '["OWNER"]'

kaihendry/dabase.com#7

Smart!

But I do lament copying in all that JS…

Couldn’t it be like a one click button to merge the PR into a local branch I wonder? Or some one-liner?

[nwtgck]

Thanks!

How about “Saved replies”? You can quickly use presaved comments.

[kaihendry]

Whoa, this makes Github actions next level in my opinion.

M$ should be sending you a cheque. 😉