Permission to repo denied to github-actions for PR coming from a Fork only

Question

We have a GitHub action that can change files (like running fmt) on PR and it works fine on local PR, but when the PR comes from a FORK, it fails with the error that "Permission to repo denied to github-actions[bot]".

Digging a bit seems to indicate that PRs coming from FORKS have a GITHUB_TOKEN set to "read" only, no matter what we set in the yml "permissions" section or in the repo GitHub Actions setting.

But in the doc that mentions this, I see no solution on how to actually allow it..?

Any solution to this?

Answer 1

Score: 1

This is a security measure taken by GitHub to prevent arbitrary forks from running actions on your repository.

If you want pull requests to have write permissions and to run on the target repository, you can use target: pull_request_target.

You can find information on this here: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

> For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork.
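
The `pull_request_target` trigger named in the answer runs in the base repository's context, so a workflow using it has to treat the fork's files as untrusted data. The workflow below is an added example, not part of the original answer or of GitHub's documentation; the Go project, the `gofmt` formatter and the workflow name are assumptions, and it comments on the PR instead of pushing commits:

```yaml
# Added example. Assumptions (hypothetical): a Go project, gofmt as the
# formatter, saved as .github/workflows/fmt-check.yml in the base repository.
name: fmt-check

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Grant only what the job needs instead of the default read/write token.
permissions:
  contents: read
  pull-requests: write

jobs:
  gofmt:
    runs-on: ubuntu-latest
    steps:
      # Check out the PR head as data only, in its own directory, and do not
      # leave the token in .git/config where later steps could read it.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
          path: pr
          persist-credentials: false

      - uses: actions/setup-go@v5
        with:
          go-version: stable
          cache: false   # no cache shared with content from forks

      # gofmt parses files but does not build or run them. Do not add steps
      # that execute PR content here (go generate, make, npm install, ...).
      - name: List unformatted files
        run: gofmt -l pr > unformatted.txt

      - name: Comment on the PR
        env:
          GH_TOKEN: ${{ github.token }}
          # Pass event data through env, never inline in the script body.
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          [ -s unformatted.txt ] || exit 0
          { echo "gofmt reports unformatted files:"; sed 's/^/- /' unformatted.txt; } > body.md
          gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body-file body.md
```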

huangapple
  • Published on March 15, 2023 20:40:49
  • When reposting, please keep the link to this article: https://go.coder-hub.com/75744849.html