Skip to content

Commit 04764bc

Browse files
millotpmillotp
committed
chore(ci): allow fork to access secrets
1 parent 4b89d5d commit 04764bc

File tree

1 file changed

+15
-9
lines changed

1 file changed

+15
-9
lines changed

.github/workflows/check.yml

Lines changed: 15 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -21,11 +21,13 @@ jobs:
2121
notification:
2222
runs-on: ubuntu-22.04
2323
timeout-minutes: 1
24-
if: ${{ !github.event.pull_request.head.repo.fork && github.event.number }}
24+
if: ${{ github.event.number }}
2525
permissions:
2626
pull-requests: write
2727
steps:
2828
- uses: actions/checkout@v4
29+
with:
30+
ref: ${{ github.event.pull_request.head.sha }} # WARNING: this gives fork PR access to the github secrets
2931

3032
- uses: marocchino/sticky-pull-request-comment@v2
3133
with:
@@ -192,6 +194,8 @@ jobs:
192194
name: client javascript${{ needs.setup.outputs.RUN_GEN_JAVASCRIPT == 'true' && format('@{0}', fromJSON(needs.setup.outputs.JAVASCRIPT_DATA).version) || '' }}
193195
steps:
194196
- uses: actions/checkout@v4
197+
with:
198+
ref: ${{ github.event.pull_request.head.sha }} # WARNING: this gives fork PR access to the github secrets
195199

196200
- name: Download specs artifacts
197201
uses: ./scripts/ci/actions/restore-artifacts
@@ -265,11 +269,11 @@ jobs:
265269
- name: Run e2e CTS
266270
id: cts-e2e
267271
continue-on-error: true
268-
if: ${{ !github.event.pull_request.head.repo.fork && !contains(format('{0} {1}', github.event.pull_request.title, github.event.head_commit.message), '[skip-e2e]') }}
272+
if: ${{ !contains(format('{0} {1}', github.event.pull_request.title, github.event.head_commit.message), '[skip-e2e]') }}
269273
run: yarn cli cts run javascript ${{ fromJSON(needs.setup.outputs.JAVASCRIPT_DATA).toRun }} --no-client --no-requests
270274

271275
- name: Retry e2e CTS
272-
if: ${{ !github.event.pull_request.head.repo.fork && steps.cts-e2e.outcome == 'failure' }}
276+
if: ${{ steps.cts-e2e.outcome == 'failure' }}
273277
run: yarn cli cts run javascript ${{ fromJSON(needs.setup.outputs.JAVASCRIPT_DATA).toRun }} --no-client --no-requests
274278

275279
- name: Run benchmarks
@@ -319,6 +323,8 @@ jobs:
319323
name: client ${{ matrix.client.language }}@${{ matrix.client.version }}
320324
steps:
321325
- uses: actions/checkout@v4
326+
with:
327+
ref: ${{ github.event.pull_request.head.sha }} # WARNING: this gives fork PR access to the github secrets
322328

323329
- name: Download specs artifacts
324330
uses: ./scripts/ci/actions/restore-artifacts
@@ -379,11 +385,11 @@ jobs:
379385
- name: Run e2e CTS
380386
id: cts-e2e
381387
continue-on-error: true
382-
if: ${{ !github.event.pull_request.head.repo.fork && !contains(format('{0} {1}', github.event.pull_request.title, github.event.head_commit.message), '[skip-e2e]') }}
388+
if: ${{ !contains(format('{0} {1}', github.event.pull_request.title, github.event.head_commit.message), '[skip-e2e]') }}
383389
run: yarn cli cts run ${{ matrix.client.language }} ${{ matrix.client.toRun }} --no-client --no-requests
384390

385391
- name: Retry e2e CTS
386-
if: ${{ !github.event.pull_request.head.repo.fork && steps.cts-e2e.outcome == 'failure' }}
392+
if: ${{ steps.cts-e2e.outcome == 'failure' }}
387393
run: yarn cli cts run ${{ matrix.client.language }} ${{ matrix.client.toRun }} --no-client --no-requests
388394

389395
- name: Run benchmarks
@@ -479,6 +485,8 @@ jobs:
479485
name: client swift${{ needs.setup.outputs.RUN_MACOS_SWIFT_CTS == 'true' && format('@{0}', fromJSON(needs.setup.outputs.SWIFT_DATA).version) || '' }} macos
480486
steps:
481487
- uses: actions/checkout@v4
488+
with:
489+
ref: ${{ github.event.pull_request.head.sha }} # WARNING: this gives fork PR access to the github secrets
482490

483491
- name: Download artifacts
484492
uses: ./scripts/ci/actions/restore-artifacts
@@ -527,9 +535,8 @@ jobs:
527535
- uses: actions/checkout@v4
528536
with:
529537
fetch-depth: 0
530-
ref: ${{ github.event.pull_request.head.ref }}
538+
ref: ${{ github.event.pull_request.head.sha }} # WARNING: this gives fork PR access to the github secrets
531539
token: ${{ secrets.ALGOLIA_BOT_TOKEN }}
532-
repository: ${{ github.event.pull_request.head.repo.full_name }}
533540

534541
- name: Download all artifacts
535542
uses: ./scripts/ci/actions/restore-artifacts
@@ -660,9 +667,8 @@ jobs:
660667
- uses: actions/checkout@v4
661668
with:
662669
fetch-depth: 0
663-
ref: ${{ needs.codegen.outputs.generatedCommit }}
670+
ref: ${{ github.event.pull_request.head.sha }} # WARNING: this gives fork PR access to the github secrets
664671
token: ${{ secrets.ALGOLIA_BOT_TOKEN }}
665-
repository: ${{ github.event.pull_request.head.repo.full_name }}
666672

667673
- name: Setup
668674
uses: ./.github/actions/setup

0 commit comments

Comments
 (0)