nsidc/earthaccess

Integration tests fail for PRs from forks

chuckwondo opened this issue · 0 comments

Is this issue already tracked somewhere, or is this a new report?

  • I've reviewed existing issues and couldn't find a duplicate for this problem.

Current Behavior

When a PR from a fork is opened or updated, the integration tests always fail. This is because they require GitHub secrets, but when the integration tests are triggered via pull_request, these PRs from forks do not have permission to read the secrets in this repo (secrets of the same names from the fork are ignored, and thus have no impact).

This is a known issue, and there seems to be no definitive, completely secure means of dealing with this in a convenient manner, yet. However, there is an approach that seems to be a reasonable compromise, where the build checks the triggering user's permissions and simply fails the build (i.e., doesn't even attempt to run integration tests, in our case) for users without write permission to this repo.

The second step is then for a maintainer of this repo (someone with write permission, which encompasses the permission to read secrets) to manually scan the PR for potential security issues. For known/trusted contributors of PRs, this shouldn't be necessary (or should at least require minimal effort), but for unknown/new contributors, we would want to check for any malicious code that might attempt to steal secrets.

If the PR looks safe, the maintainer would re-run the failed build, which would then allow the build to read the required secrets, and allow the integration tests to run.

Expected Behavior

Integration tests should be able to run for PRs from forks, with appropriate security steps in place.

Steps To Reproduce

Submit a PR from a fork.

Environment

- OS: all
- Python: all

Additional Context

No response
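
The gating approach described in this issue, written as a GitHub Actions workflow. This is an added example, not the earthaccess project's own workflow; the workflow name, branch, secret names and test script path are assumptions.

```yaml
# Added example: fail fast unless the user who started THIS run has write access.
name: integration-tests   # assumed name

on:
  # pull_request_target runs in the base repository's context, so secrets are
  # readable for PRs from forks. The permission gate below is what makes that safe.
  pull_request_target:
    branches: [main]   # assumed branch

permissions:
  contents: read

jobs:
  integration:
    runs-on: ubuntu-latest
    steps:
      - name: Require write permission for the triggering user
        uses: actions/github-script@v7
        env:
          # On a first run this is the PR author; on a re-run it is the
          # maintainer who clicked "Re-run". Passed via env, not interpolated
          # into the script body.
          TRIGGERING_ACTOR: ${{ github.triggering_actor }}
        with:
          script: |
            const username = process.env.TRIGGERING_ACTOR;
            const { data } = await github.rest.repos.getCollaboratorPermissionLevel({
              owner: context.repo.owner,
              repo: context.repo.repo,
              username,
            });
            if (!['admin', 'write'].includes(data.permission)) {
              core.setFailed(`${username} lacks write permission; a maintainer must review the PR and re-run this job.`);
            }

      - name: Check out the PR commit
        uses: actions/checkout@v4
        with:
          # A re-run reuses the original event payload, so this is the commit
          # the failed run was created for. Later pushes start a new, gated run.
          ref: ${{ github.event.pull_request.head.sha }}
          persist-credentials: false

      - name: Run integration tests
        env:
          EXAMPLE_USERNAME: ${{ secrets.EXAMPLE_USERNAME }}   # assumed secret name
          EXAMPLE_PASSWORD: ${{ secrets.EXAMPLE_PASSWORD }}   # assumed secret name
        run: ./scripts/integration-test.sh   # hypothetical path
```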