xtreamsrl/clockify-nlp-bot

Build fails for pull request from forked repo

Closed this issue · 1 comment

For security reasons, pull requests that come from forked repos can't access secrets in Actions.

Disable steps and jobs that use secrets, for example the integration tests, which need Clockify credentials.

If a maintainer wants to run those tests, he/she should do it manually with the following script that you can save as a saved reply.

@github-actions run

🚀 Merge preview

```js
// This script defines none of context, githubToken, fetch, execSync, GitHub or
// postComment; it expects the actions-comment-run action to supply them.
(async () => {
  // Get pull-req URL like "https://api.github.com/repos/nwtgck/actions-merge-preview/pulls/4"
  const pullReqUrl = context.payload.issue.pull_request.url;
  const githubUser = context.payload.repository.owner.login;
  const res = await fetch(pullReqUrl, {
    headers: [
      ['Authorization', `Basic ${Buffer.from(`${githubUser}:${githubToken}`).toString('base64')}`]
    ]
  });
  const resJson = await res.json();
  // prUserName, branchName and fullRepoName come from the fork side of the pull request
  const prUserName = resJson.head.user.login;
  const baseBranchName = resJson.base.ref;
  const branchName = resJson.head.ref;
  const fullRepoName = resJson.head.repo.full_name;
  const previewBranchName = `actions-merge-preview/${prUserName}-${branchName}`;
  execSync(`git config --global user.email "github-actions[bot]@users.noreply.github.com"`);
  execSync(`git config --global user.name "github-actions[bot]"`);
  // (from: https://stackoverflow.com/a/23987039/2885946)
  execSync(`git fetch --all`);
  console.log(execSync(`git checkout ${baseBranchName}`).toString());
  console.log(execSync(`git checkout -b ${previewBranchName} ${baseBranchName}`).toString());
  console.log(execSync(`git pull https://github.com/${fullRepoName}.git ${branchName}`).toString());
  // Push preview branch
  // NOTE: Force push (should be safe because preview branch always start with "actions-merge-preview/")
  execSync(`git push -fu origin ${previewBranchName}`);
  const baseRepoFullName = context.payload.repository.full_name;
  // Create GitHub client (not used below)
  const githubClient = new GitHub(githubToken);
  // Comment body
  const commentBody = `🚀 Preview branch:  \n<https://github.com/${baseRepoFullName}/tree/${previewBranchName}>`;
  // Post the preview branch URL as a comment on the pull request
  await postComment(commentBody);
})();
```

Basically, it creates a new branch from that PR. Please enable GitHub action so that it runs all steps from the build and test job.

https://github.com/nwtgck/actions-comment-run
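
The saved-reply script builds its git commands as shell strings from fields of the pull-request API response, which the fork's author controls. One way to validate those fields and hand them to git as argument arrays instead, as an added example that is not part of the issue or of actions-comment-run; the function names, patterns and sample objects are assumptions:

```javascript
// Added example. The patterns are conservative subsets of what git and GitHub
// allow (an assumption made here); anything outside them is rejected.
const REF_RE = /^[A-Za-z0-9_][A-Za-z0-9._\/-]*$/;   // no leading "-", no shell metacharacters
const LOGIN_RE = /^[A-Za-z0-9][A-Za-z0-9-]*(\[bot\])?$/;
const REPO_RE = /^[A-Za-z0-9][A-Za-z0-9-]*\/[A-Za-z0-9_.-]+$/;

function must(re, value, what) {
  if (typeof value !== 'string' || value.length > 200 ||
      !re.test(value) || value.includes('..')) {
    throw new Error(`rejected ${what}: ${JSON.stringify(value)}`);
  }
  return value;
}

// Takes the pull-request API response (resJson in the script) and returns the
// same git steps as argv arrays, so no value is ever parsed by a shell.
function buildPreviewPlan(pr) {
  const base = must(REF_RE, pr.base.ref, 'base ref');
  const head = must(REF_RE, pr.head.ref, 'head ref');
  const user = must(LOGIN_RE, pr.head.user.login, 'login');
  const repo = must(REPO_RE, pr.head.repo.full_name, 'repo name');
  const previewBranch = `actions-merge-preview/${user}-${head}`;
  return {
    previewBranch,
    commands: [
      ['git', 'fetch', '--all'],
      ['git', 'checkout', base],
      ['git', 'checkout', '-b', previewBranch, base],
      ['git', 'pull', `https://github.com/${repo}.git`, head],
      ['git', 'push', '-fu', 'origin', previewBranch],
    ],
  };
}

function isRejected(pr) {
  try { buildPreviewPlan(pr); return false; } catch (e) { return true; }
}

// Constructed sample responses (not real pull requests).
const okPr = { base: { ref: 'main' }, head: { ref: 'fix/typo',
  user: { login: 'contributor' }, repo: { full_name: 'contributor/clockify-nlp-bot' } } };
const badPr = { base: { ref: 'main' }, head: { ref: 'fix;id',
  user: { login: 'contributor' }, repo: { full_name: 'contributor/clockify-nlp-bot' } } };

console.log(buildPreviewPlan(okPr).previewBranch);
console.log(isRejected(badPr));
// To run a plan, pass each entry to child_process.execFileSync(cmd[0], cmd.slice(1)),
// which starts git directly without a shell.
```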