The E2E tests do not run correctly when running against a fork. These tests should run correctly on all PRs.
The Docker image build fails as we depend on a secret being passed to the workflow (secrets.GITHUB_TOKEN).
When a GitHub workflow is triggered from a fork, the default behaviour is that no secrets are passed.
One possible solution to make this work is to update the test.yml workflow to run on pull_request_target. This passes the secrets; however, if we do this, we need to put additional safeguards in place to prevent abuse of the secrets.
We can add an additional clause that the e2e tests should only run when a specific label is present, e.g. safe-to-test. This ensures that someone with write access to the repo has reviewed the code and added the label on the fork PR.
Note: Ideally we make the bare minimum number of workflows use pull_request_target. This might mean splitting up existing workflows.
A better solution is to simply use a local Docker image for forks. This means that no secrets need to be exposed, and no manual checking of the code is needed before allowing the tests to run. The Docker images are sandboxed to the GitHub runner.
This has the downside of taking slightly longer for image build (~2 mins); however, it is safer and easier to maintain.
For Admin Use
Not duplicate issue
Appropriate labels applied
Appropriate contributors tagged/assigned
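A sketch of the local-image approach described in the issue, added here as an example and not taken from the project's test.yml: the workflow stays on pull_request, and only same-repository PRs touch the registry. The image name, the registry path and the `make e2e` target are placeholders.

```yaml
# Added example; not the project's workflow. IMAGE and `make e2e` are placeholders.
name: e2e
on:
  pull_request:   # fork PRs receive no repository secrets and, by default, a read-only token

permissions:
  contents: read
  packages: write   # only effective for same-repository PRs

jobs:
  e2e:
    runs-on: ubuntu-latest
    env:
      # Placeholder registry path; the tag pins the image to the commit under test.
      IMAGE: ghcr.io/example-org/example-app-e2e:${{ github.sha }}
    steps:
      - uses: actions/checkout@v4

      # Same-repository PRs only: authenticate so the image can be pushed.
      - name: Log in to registry
        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # All PRs, forks included: the build runs on the runner and needs no secret.
      - name: Build image
        run: docker build -t "$IMAGE" .

      # Skipped for forks, so the image never leaves the runner.
      - name: Push image
        if: github.event.pull_request.head.repo.full_name == github.repository
        run: docker push "$IMAGE"

      # The tests use the image already present in the runner's local Docker cache.
      - name: Run E2E tests
        run: make e2e IMAGE="$IMAGE"
```

Because the trigger is pull_request and not pull_request_target, code from a fork runs without access to repository secrets, and no safe-to-test label gate is needed.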