You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When a pull request is created from a fork, the test action always fails
What were you expecting to happen?
I would expect that the jobs would be able to run successfully
Steps to reproduce:
Create a PR from a fork
Look at the logs from the "Authenticate to Google Cloud" step
Any errors, stacktrace, logs?
Here are the logs from the step:
Run google-github-actions/auth@v1
with:
workload_identity_provider: projects/8[2](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:2)1427[3](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:3)11[4](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:4)13/locations/global/workloadIdentityPools/prombq-adaptor/providers/github
service_account: [email protected]
create_credentials_file: true
export_environment_variables: true
cleanup_credentials: true
access_token_lifetime: 3600s
access_token_scopes: https://www.googleapis.com/auth/cloud-platform
retries: 0
id_token_include_email: false
env:
BQ_DATASET_NAME: github_actions_41866471[5](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:5)[8](https://github.com/KohlsTechnology/prometheus_bigquery_remote_storage_adapter/actions/runs/4186647158/jobs/7259676118#step:8:8)_2
MSYS: winsymlinks:nativestrict
Error: google-github-actions/auth failed with: retry function failed after 1 attempt: gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job. This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork. For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
Per this GitHub Blogpull_request events from a forked repo do NOT have access to secrets, and get a read-only token to protect public repositories from malicious users. The pull_request_target and workflow_run events have access to secrets and get a read/write token.
This GitHub Article provides guidance for how these events can be used to securely run code that requires secrets and or read/write tokens (in our case we need read/write)
Also, now that #348 has been merged upgrading the codecov-action to v4.0.0, and we can no longer do tokenless uploads to CodeCov, we will run into this same issue with that action.
What happens?
When a pull request is created from a fork, the test action always fails
What were you expecting to happen?
I would expect that the jobs would be able to run successfully
Steps to reproduce:
Any errors, stacktrace, logs?
Here are the logs from the step:
Additional comments:
#203 is an example PR where this issue happened
The text was updated successfully, but these errors were encountered: