
Test action always fails when PR is created from a fork #204

Open
vinny-sabatini opened this issue Feb 15, 2023 · 2 comments

Comments

@vinny-sabatini
Member

What happens?

When a pull request is created from a fork, the test action always fails

What were you expecting to happen?

I would expect that the jobs would be able to run successfully

Steps to reproduce:

  • Create a PR from a fork
  • Look at the logs from the "Authenticate to Google Cloud" step

Any errors, stacktrace, logs?

Here are the logs from the step:

```
Run google-github-actions/auth@v1
  with:
    workload_identity_provider: projects/821427311413/locations/global/workloadIdentityPools/prombq-adaptor/providers/github
    service_account: [email protected]
    create_credentials_file: true
    export_environment_variables: true
    cleanup_credentials: true
    access_token_lifetime: 3600s
    access_token_scopes: https://www.googleapis.com/auth/cloud-platform
    retries: 0
    id_token_include_email: false
  env:
    BQ_DATASET_NAME: github_actions_4186647158_2
    MSYS: winsymlinks:nativestrict
Error: google-github-actions/auth failed with: retry function failed after 1 attempt: gitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into this job. This most likely means the GitHub Actions workflow permissions are incorrect, or this job is being run from a fork. For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
```

Additional comments:

#203 is an example PR where this issue happened

@vinny-sabatini
Member Author

What I've found so far:

  • Per this GitHub Blog post, pull_request events from a forked repo do NOT have access to secrets, and get a read-only token to protect public repositories from malicious users. The pull_request_target and workflow_run events have access to secrets and get a read/write token.
  • This GitHub Article provides guidance on how these events can be used to securely run code that requires secrets and/or read/write tokens (in our case we need read/write).
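As an added illustration of the distinction drawn in that comment (an example workflow, not this repository's own; the job layout, the `make` test commands and the placeholder Workload Identity values are assumed), a pull_request workflow that keeps running for fork PRs by gating the credentialed steps instead of letting the auth action fail:

```yaml
# Added example, not this repository's workflow. The pull_request event is the
# safe one for fork contributions: it runs the fork's code with a read-only
# GITHUB_TOKEN, no secrets and no OIDC token. Steps that need Google Cloud
# credentials are gated on the PR coming from the same repository, so the
# job still completes for forks instead of failing in the auth step.
name: test
on:
  pull_request:

permissions:
  contents: read
  id-token: write   # honoured for same-repo PRs only; fork PRs still get a read-only token

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Unit tests (no credentials required, runs for forks too)
        run: make test   # assumed test command

      - name: Authenticate to Google Cloud
        # Same-repo PRs only: for a fork, GitHub does not inject
        # ACTIONS_ID_TOKEN_REQUEST_TOKEN/URL and google-github-actions/auth fails.
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: google-github-actions/auth@v1
        with:
          # placeholders; substitute the pool and service account of your project
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/providers/PROVIDER_ID
          service_account: SERVICE_ACCOUNT@PROJECT_ID.iam.gserviceaccount.com

      - name: Integration tests against BigQuery
        if: github.event.pull_request.head.repo.full_name == github.repository
        run: make integration-test   # assumed test command

# The other events named in the comment (pull_request_target, workflow_run)
# run in the base repository with secrets and a read/write token. They must
# never check out and execute the fork's code, since that would hand the
# untrusted change those credentials; the linked GitHub article describes
# building the fork's code in an unprivileged pull_request job and consuming
# only its artifacts from a separate workflow_run job.
```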

@vinny-sabatini
Member Author

vinny-sabatini commented Apr 5, 2024

I found a couple of other interesting things that could help:

Also, now that #348 has been merged (upgrading the codecov-action to v4.0.0) and we can no longer do tokenless uploads to CodeCov, we will run into this same issue with that action.
