Pipelines not being able to use Eco CI token

[ArneTR]

At the moment when we get external PRs the secrects cannot be used.

However we store Eco CI API credentials and also Electricitymaps tokens in the secrets and want to track carbon emissions also for external PRs.

What I did:

• Moved pipelines to pull_request_target instead of pull_request
  • This helped with access to the secrets.
  • However now always main was checked out as github.ref was always main. This can be fixed, but ...
  • Now once given permissions to run Github actions the pipeline would ALWAYS run when a new push was done. this is a security issue. We would need that the pipeline runs only once and needs permissions for every new commit

Or we find another way to use the secrets ...

[ribalba]

So I time boxed this to 3 hours which I have now reached. There is a way to achieve this by using environments [0]. But this is very cumbersome. I can't find a solution how to do this "easily" without compromising security.

We could also use something like this https://github.com/marketplace/actions/manual-workflow-approval but I think this adds quite a lot of overhead.

[0] https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment#required-reviewers

[ArneTR]

Hmm, this action is sadly a security nightmare. Although we could pin it with a hash it uses an unpinned docker dependency that can be changed anytime.

Although it looks like a good solution I argue it is more like getting a lemon ...

sad to hear it is not possible atm. Will move this to a discussion so we keep the idea open

[ribalba]

What we could also do is something like

on:
  issue_comment:
    types: [created]

jobs:
  run-tests:
    if: ${{ github.event.comment.body == 'Run Tests' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - name: Run tests
        run: pytest ...

Like this we would always need to comment on a PR to run the tests. The more I think about this I like the idea more and more as currently we run the tests on every push which is mostly not needed. Like this we could run the tests before merge. Would save a lot of CI/CD minutes (and CO2) also if we do this we could run the workflow in the repository context as we would have to allow the test to be run each time.