JuliaFormatter GHA workflow fails on public forks due to insufficient permissions #2293
Comments
penelopeysm
changed the title
|
Now it works for PRs made from internal branches (see #2295), but fails for PRs from other people's forks (#2294 still failing). The GitHub docs suggest that we need to enable "Send write tokens to workflows from fork pull requests", and we can do that from organisation-level settings. However, having looked into this a bit, I think we don't actually want to enable this because it means that anybody who forks the repo can edit workflows and run their version of the workflow. To be very clear, I haven't enabled these settings, the checkboxes are just ticked so that I could screenshot it. 
There's also some discussion here on the same topic apache/arrow#38523. Not the end of the world as we can just tell contributors to format their code. As to how to go forward, it would probably be nice to error with a clearer message on public forks, but if we don't enable those perms I don't think there's much else we can do. |
|
This is a known limitation of action-suggester: JuliaDiff/ChainRulesCore.jl#489 In principle though (as far as I remember and as stated in the logs), it should fall back to the Github logging framework if permissions are insufficient (so they would still show up but not as comments and without being able to apply them as conviently)... Maybe that doesn't work with Generally, I think it would be good to limit permissions for forks even if this makes it less convenient for PRs from forks. |
See e.g. https://github.com/TuringLang/Turing.jl/actions/runs/9989440306/job/28060704792?pr=2290.
I'm fairly certain the answer is to add a permissions block to the job as described e.g. in the README https://github.com/reviewdog/action-suggester
The text was updated successfully, but these errors were encountered: