Prettier diff as comment on PRs #2115

Closed
george-gca opened this issue Jan 22, 2024 · 4 comments

@george-gca
Collaborator

After a lot of fighting, I believe I got to the point where this is almost solved. The thing is, a token with write access to PRs needs to be created for this to be possible. The action that I am using to do the comments currently doesn't have the needed permissions.

I already split the action into two, the one that does the checking and the one that comments on the PR, so the only action with actual write access would be the one that does the comment, as is suggested for security reasons by GitHub itself. But only you, @alshedivat, have the right access.

You can check how the comment will appear in my repo.

@alshedivat
Owner

I was just looking at the permissions section of actions-comment-pull-request and noticed the following:

Note that, if the PR comes from a fork, it will have only read permission despite the permissions given in the action for the pull_request event. In this case, you may use the pull_request_target event. With this event, permissions can be given without issue (the difference is that it will execute the action from the target branch and not from the origin PR).

in other words, if anyone besides me opens a PR, the action won't have the write permission and will fail. most of the contributions are coming from forks, so this is suboptimal. do you know if there's a workaround?

@george-gca
Collaborator Author

I thought that the solution would be creating a token with permission to write PRs and pass it to actions-comment-pull-request, but now I don't think it solves it.

In their repo they recommend using pull_request_target as a way of bypassing this limitation. However, GitHub itself doesn't recommend this as it could open holes for security breaches. At least they don't recommend building and writing to the PR in the same action with pull_request_target. That's why I split it into 2. But the thing is, I don't know how to make the second one only run if the prettier check fails AND pull_request_target triggers, so that we could have the permissions needed without doing the build on this workflow.

@george-gca
Collaborator Author

Just opened a question on Stack Overflow. Let's see if a solution comes up.

stale bot commented Apr 18, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix label Apr 18, 2024
@stale stale bot closed this as completed May 11, 2024
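
One way to wire up the split discussed in this thread, as an added example that is not from the issue or from the project: the check runs on `pull_request` with a read-only token and hands its result over as an artifact, and a second workflow triggered by `workflow_run` (it runs from the default branch) comments only when that check failed. The file names, the artifact name, the prettier invocation and the use of `gh pr comment` in place of actions-comment-pull-request are assumptions.

```yaml
# File 1 (hypothetical name) .github/workflows/prettier.yml: runs PR code, read-only token, never comments
name: Prettier check
on: pull_request
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          mkdir -p "$RUNNER_TEMP/out"
          echo "$PR_NUMBER" > "$RUNNER_TEMP/out/pr_number"
          npx prettier --write .   # assumed invocation; the project's own check may differ
          git diff --exit-code > "$RUNNER_TEMP/out/prettier.diff"   # exits 1 if prettier changed files
      - if: failure()
        uses: actions/upload-artifact@v4
        with:
          name: prettier-diff
          path: ${{ runner.temp }}/out
# File 2 (hypothetical name) .github/workflows/prettier-comment.yml: write token, never checks out PR code
name: Prettier comment
on:
  workflow_run:
    workflows: ["Prettier check"]
    types: [completed]
permissions:
  actions: read         # fetch the artifact from the other run
  pull-requests: write  # post the comment
jobs:
  comment:
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'failure'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: prettier-diff
          path: out
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ github.token }}
      - env:
          GH_TOKEN: ${{ github.token }}
        run: |
          pr=$(cat out/pr_number)
          # Artifact content comes from untrusted PR code: validate before use.
          [[ "$pr" =~ ^[0-9]+$ ]] || exit 1
          gh pr comment "$pr" --repo "$GITHUB_REPOSITORY" --body-file out/prettier.diff
```

Everything in the artifact is influenced by the PR author, so the second workflow uses the diff as comment text only and never executes or sources it.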