/ok-to-test

Use GitHub Actions secrets in pull requests from forks 🍴🔑

MIT LicenseMIT

Ok To Test

Use GitHub Actions secrets in pull requests from forks 🍴🔑

About

GitHub Actions purposely limits the secrets available to pull requests from forks for security reasons:

Though this provides peace of mind, many projects depend on the fork pull request model. If you've configured a GitHub Actions test workflow to trigger on pull requests, and those tests require secrets, the secrets aren't available and the workflow fails.

No longer with this workaround, which shows an example Prow-like /ok-to-test sha=<head-sha> slash command configuration! 🥳

This project is not affiliated with GitHub.

Example

  1. A fork pull request is opened.
  2. A unit test workflow runs. Secrets are not available to this workflow.
  3. Someone with write access looks over the pull request code. ⚠️ Before proceeding, they should be sure the code isn't doing anything malicious like secret logging. ⚠️
  4. They comment /ok-to-test sha=<head-sha> on the pull request.
  5. A repository_dispatch API request is sent to this repository. See guidance below on how to authenticate.
  6. An integration test workflow runs, checking out the merge commit if the head sha hasn't changed since the comment was made. Secrets are available to this workflow! 💫
  7. The pull request status check is updated to reflect the success or failure of the integration test workflow.

Note that this sequence also works for branch based pull requests, as you'd expect!

Setup

  • Copy the .github/workflow files into your repo and customize for your use case
  • Add an authentication token as a secret
  • Optional: create and install a GitHub App on the repo(s) if you choose that authentication method

Authentication

Choose one of these authentication methods for the repository_dispatch helper action, peter-evans/slash-command-dispatch, in ok-to-test.yml:

GitHub Apps have distinct identities on GitHub – no seat taken up by a machine account, no potential for leaking your personal credentials, and no rate limit sharing!

Credits

Contributing

Pull requests are welcome!

License

MIT