cnti-testcatalog/testsuite

[MAINTENANCE] Enable github actions to be (successfully) run for PRs created from forked repos

Closed this issue · 2 comments

Currently, GitHub Actions fail when run on a PR created from a forked repo.
This is extremely inconvenient and requires manual human work from the maintainer team to test the PR manually.

Error: Cannot perform an interactive login from a non TTY device
Error: Process completed with exit code 1.

Example:
https://github.com/cnti-testcatalog/testsuite/actions/runs/9355430581/job/25750561406?pr=2056

From ChatGPT:

The error message Cannot perform an interactive login from a non TTY device is occurring because the docker login command is trying to run in a non-interactive shell, and it's failing due to the absence of the required environment variables that should be populated with secrets.

The solution would be to somehow implement the pull_request_target event. But there are possible problems with security, some described in this Stack Overflow thread.

Some analysis about secret usage in our workflows:
We have only 2 places in our actions where secrets are needed:

  1. GITHUB_TOKEN
  2. Docker login ENV

IMO GitHub token usage can be safely removed from actions, as it is used for automatic creation of releases for each PR (which is redundant in my view; we have 587 releases at the moment).

Docker login is a harder situation to solve. As I remember, we need it because of the large number of images pulled during testing.
I see two solutions there:

  1. Check and, if possible, fix the large number of requests to Docker Hub in our spec tests
  2. Pre-load all the required images to the runners before the start of the test (but it could lead to the same limitations)

About pull_request_target: It seems that it can help by running in "privileged mode" on the target branch for the PR, but checking out code from the "change" branch of the PR. Security measures need to be taken not to leak secrets through the environment or other means. Also, it seems that we wouldn't be able to test changes to CI with this method (as it will always run CI from main); some additional tricks would be needed.
I could be missing or misunderstanding something, feel free to correct.
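
The two situations discussed in this thread can be checked for mechanically. The following is an added example, not part of the thread or the project's code: a heuristic, regex-based audit of workflow text that flags secrets that will be empty on fork PRs, and PR head code checked out under pull_request_target. The sample workflows and secret names are constructed placeholders.

```python
import re

SECRET = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
# `ref:` values that make actions/checkout fetch the contributor's commit.
PR_HEAD_REF = re.compile(
    r"(?m)^\s*ref:.*(github\.event\.pull_request\.head\.(?:sha|ref)"
    r"|github\.head_ref|refs/pull/)")

def has_trigger(text, name):
    """True if `name` is an event under `on:` (scalar, list or mapping form)."""
    return re.search(r"(?m)^\s*(?:on:\s*)?\[?(?:\w+,\s*)*" + name + r"\b", text) is not None

def audit_workflow(text):
    """Return finding strings for the text of one workflow file."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # ignore full-line comments
    secrets = sorted(set(SECRET.findall(text)))
    findings = []
    if has_trigger(text, "pull_request_target") and PR_HEAD_REF.search(text):
        # Base-repo privileges plus contributor-controlled code in one workflow.
        findings.append("PR_CODE_IN_PRIVILEGED_RUN")
        if secrets:
            findings.append("SECRETS_REACHABLE_BY_PR_CODE:" + ",".join(secrets))
    if has_trigger(text, "pull_request"):
        # Fork PRs get no repository secrets; GITHUB_TOKEN is still set (read-only).
        empty = [s for s in secrets if s != "GITHUB_TOKEN"]
        if empty:
            findings.append("SECRETS_EMPTY_ON_FORK_PR:" + ",".join(empty))
    return findings

# Constructed workflows; the secret names are placeholders, not the project's.
FORK_PR = """\
on: [push, pull_request]
jobs:
  spec:
    steps:
      - uses: actions/checkout@v4
      - run: echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
        env:
          DOCKER_USER: ${{ secrets.EXAMPLE_DOCKER_USER }}
          DOCKER_PASS: ${{ secrets.EXAMPLE_DOCKER_PASS }}
"""
PRIVILEGED = FORK_PR.replace("[push, pull_request]", "pull_request_target").replace(
    "actions/checkout@v4",
    "actions/checkout@v4\n        with:\n          ref: ${{ github.event.pull_request.head.sha }}")

if __name__ == "__main__":
    for name, wf in (("fork PR", FORK_PR), ("privileged", PRIVILEGED)):
        print(name, audit_workflow(wf))
```

The first finding corresponds to the failing docker login step reported above; the second pair marks the combination that pull_request_target makes possible and that needs review before it is adopted.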