3

I am using a github action that compares benchmark results and posts them as a comment on the PR. This is the actions file - https://github.com/smrpn/criterion-compare-action/blob/move_to_actions/main.js

it says -

```javascript
try {
  await octokit.issues.createComment({
    ...context.repo,
    issue_number: context.payload.pull_request.number,
    body: resultsAsMarkdown,
  });
} catch (e) {
  // If we can't post to the comment, display results here.
  // forkedRepos only have READ ONLY access on GITHUB_TOKEN
  // https://github.community/t5/GitHub-Actions/quot-Resource-not-accessible-by-integration-quot-for-adding-a/td-p/33925
  const resultsAsObject = convertToTableObject(myOutput);

  // fs.writeFile needs a string or Buffer; a plain object would throw ERR_INVALID_ARG_TYPE
  fs.writeFile('benchResults.txt', JSON.stringify(resultsAsObject, null, 2), (err) => {
    if (err) throw err;
  });
  console.table(resultsAsObject);
  console.log("Failed to comment\n", e);
  core.debug(e);
  core.debug("Failed to comment");
}
```

I'm using another token made for this purpose (commenting the benchmark results), BENCHMARK_TOKEN. But it does not comment when the PR is from a forked repo. This is the problem right now - https://github.com/hackerchai/casbin-rs/runs/2648902413#step:5:614

What is the fix? I want a comment by the github bot on every PR.

eth_sign

1 Answer

3

You can use the pull_request_target event to comment on pull requests opened on forks. See more details here.

Notice that this runs on the base of the fork in order to not run unsafe code. Here's an example of using the event.

This is the warning from the GitHub Docs:

Warning: The pull_request_target event is granted a read/write repository token and can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch, and to help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" on the GitHub Security Lab website.

Thatkookooguy
  • I'm using the same code as used in https://github.com/boa-dev/boa. See this - https://github.com/boa-dev/boa/blob/master/.github/workflows/pull_request.yml. And it is working in this repo - https://github.com/boa-dev/boa/pull/1236. Can't understand why it's working there and not in my case. – eth_sign Jun 06 '21 at 06:31
  • @noob.rs I'm pretty sure it does work on that repo as well :-). The [PR you sent](https://github.com/boa-dev/boa/pull/1236) is not made against a fork. So, the comment worked. But if you will look at [this](https://github.com/boa-dev/boa/pull/1363) or [this](https://github.com/boa-dev/boa/pull/1364), these are made from forks, the GitHub action ran on them ([here](https://github.com/boa-dev/boa/actions/runs/972818814) and [here](https://github.com/boa-dev/boa/actions/runs/973306096)), but no comment was added to them. – Thatkookooguy Jun 27 '21 at 12:43
  • 1
    @noob.rs so, they face the same problem. And the way to fix this error (a comment is not added on a PR from a fork), is by using `pull_request_target` AFAIK. – Thatkookooguy Jun 27 '21 at 12:45
  • The only secret you'll have access to is the GITHUB_TOKEN which should work to some extent. But GitHub is blocking any access to any other secret in order to protect your data from getting leaked through a GitHub action running on a forked code (which can save those secrets elsewhere if they had access to it). – Thatkookooguy Jun 27 '21 at 12:49
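The warning quoted in the answer is the catch: a `pull_request_target` workflow gets a write token, but a benchmark comparison has to build and run the PR's code, which is exactly what that event must not do. The pattern GitHub's "Preventing pwn requests" article recommends for this case is to split the job in two. Below is an added example of that split (editor's code, not the asker's action, not boa's workflow and not from the GitHub docs): an unprivileged `pull_request` workflow runs the benchmark on the fork's code and uploads the results as an artifact, and a second workflow triggered by `workflow_run` runs in the base repository with a write-capable `GITHUB_TOKEN`, checks that the PR number in the artifact really belongs to the commit the first run used, and posts the comment. `bench.sh`, the artifact name `bench-results` and the 60000-character cap on the comment body are assumptions.

```yaml
# File 1: .github/workflows/benchmark.yml
# Runs on the untrusted PR head. For fork PRs GITHUB_TOKEN is read-only here
# and no repository secrets are available, which is fine: this job only
# produces an artifact.
name: benchmark
on:
  pull_request:

jobs:
  bench:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4   # PR merge commit, i.e. untrusted code
      - name: Run the benchmark comparison (bench.sh is a placeholder for the real script)
        run: ./bench.sh > results.md
      - name: Record which PR this run belongs to
        run: echo "${{ github.event.pull_request.number }}" > pr_number.txt
      - uses: actions/upload-artifact@v4
        with:
          name: bench-results
          path: |
            results.md
            pr_number.txt

---
# File 2: .github/workflows/benchmark-comment.yml
# Triggered when "benchmark" finishes. It runs in the base repository's
# context, so it has a write-capable token even when the PR came from a fork.
# It never checks out or executes PR code; it only reads the artifact.
name: benchmark-comment
on:
  workflow_run:
    workflows: ["benchmark"]
    types: [completed]

jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    permissions:
      pull-requests: write   # needed for issues.createComment
      actions: read          # needed to download another run's artifact
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: bench-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            // Both files were written by an untrusted run: treat them as data.
            const prNumber = Number(fs.readFileSync('pr_number.txt', 'utf8').trim());
            if (!Number.isInteger(prNumber) || prNumber <= 0) {
              core.setFailed(`invalid PR number in artifact: ${prNumber}`);
              return;
            }
            // The PR the artifact claims to belong to must have the same head
            // commit that the unprivileged workflow actually ran on; otherwise a
            // malicious PR could post results onto someone else's PR.
            const { data: pr } = await github.rest.pulls.get({
              ...context.repo,
              pull_number: prNumber,
            });
            if (pr.head.sha !== context.payload.workflow_run.head_sha) {
              core.setFailed('artifact PR number does not match the run head SHA');
              return;
            }
            // Assumed cap, kept under GitHub's comment size limit.
            const body = fs.readFileSync('results.md', 'utf8').slice(0, 60000);
            await github.rest.issues.createComment({
              ...context.repo,
              issue_number: prNumber,
              body,
            });
```

The second workflow needs no extra secret: `GITHUB_TOKEN` in a `workflow_run` job is the base repository's token, so `BENCHMARK_TOKEN` becomes unnecessary. If the PR receives a new push between the two runs, the head-SHA check fails and nothing is posted, which is the intended outcome since the newer push starts a fresh `benchmark` run. `results.md` is still attacker-controlled text; it is posted as a comment body, never interpreted, so the remaining exposure is limited to what any PR author could already write in a comment.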