⚠️ Not working with forks

[samuelmeuli]

Creating annotations and auto-fixes works as expected when the code is on a branch in the same repository.

Unfortunately, it currently doesn't seem work with pull requests from forks: The action has no permission to push auto-fix changes or create annotations.

[samuelmeuli]

It seems like this is impossible with GitHub's current token scopes.

The action needs permissions for two operations:

• Permission to create annotations with GitHub's Check Runs API to display the user's linting errors
• Permission to push changes with Git (if auto_fix: true)

If the action is triggered on changes to the main repository, it will work because the GITHUB_TOKEN has permissions to modify that repository. On forks, however, this becomes tricky to impossible:

	push event	pull_request event
commit to main repo	[Expected behavior] Annotations and auto-fixing work	[Expected behavior] Annotations and auto-fixing work
commit to fork	[Expected behavior] User needs to manually activate GitHub Actions on the fork. Even then, annotations will not display on PRs from that fork.	[Unexpected behavior] No permission to push auto-fix changes to the fork. No permission to create annotations.

Note that the pull_request event always runs on the main repository, even for pushes to the fork. The token scopes are defined accordingly.

If anybody is aware of a workaround, I'd be very happy to hear it :)

Related: actions/checkout#124 (comment)

[samuelmeuli]

All I can do for now is document these limitations in the README and provide more helpful error messages.

If you'd also like to see these permissions changed, please submit feedback to GitHub.

[MarvinT]

Would it be possible to catch the 403 error when the PR is coming from a fork so it doesn't mark the action as having failed?

[ocean90]

GitHub introduced a new pull_request_target event which might help here, see https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks

[1212gmartinez]

@samuelmeuli Thanks for making this easy to use library!

Have you had any chance to consider supporting github's pull_request_target.
It would be great to have the fork support available.

[ocean90]

@1212gmartinez There's a WIP feature branch for this which you can try: https://github.com/wearerequired/lint-action/tree/feature/pull_request_target

You should be able to use it with wearerequired/lint-action@feature/pull_request_target.

[1212gmartinez]

Awesome, thanks!

[github-actions]

A stale label has been added to this issue because it has been open 15 days with no activity. To keep this issue open, add a comment within 5 days.

[thatkookooguy]

Hey! Was this solved? I see that the pull_request_target branch has been merge and pull_request_target is being referenced in code.

But still when I try to use pull_request_target with this aciton and a fork opens a PR, I get the 404 error.

see this dependabot PR for example

will it work if I change github_token: ${{ secrets.BOT_TOKEN }}to github_token: ${{ secrets.GITHUB_TOKEN }}? is that related to the different things you can do on a fork compared to repo PRs?

[ocean90]

@thatkookooguy Pull requests by Dependabot don't have access to secrets anymore, see dependabot/dependabot-core#3253 (comment).
You should be able to use the the default GITHUB_TOKEN secret in combination with pull_request_target. Consider also limiting the default permissions. For a working example see test-action.yml.

[jnm2]

Please consider using workflow commands (stdout) so that tokens are not needed and pull_request_target is not needed, as mentioned above (#13 (comment)).

[thatkookooguy]

@ocean90 thanks for the tip! will definitely check it out.

[jnm2]

@ocean90 I'm confused. Why did you downvote?

[moodysalem]

Please consider using workflow commands (stdout) so that tokens are not needed and pull_request_target is not needed, as mentioned above (#13 (comment)).

This particular change seems like it should not be blocked, but won't help with auto_fix: true

@samuelmeuli Will you take a PR? Seems like this piece of code needs changing:

lint-action/src/github/api.js

Line 21 in a25b25a

async function createCheck(linterName, sha, context, lintResult, neutralCheckOnWarning, summary) {