Comments (7)

ylemkimon commented on July 16, 2024 7

tl;dr, change

on:
- pull_request

to

on:
- pull_request_target

GitHub has introduced a new event type: pull_request_target, which allows running workflows from the base branch and passing a token with write permission.

In order to solve this, we’ve added a new pull_request_target event, which behaves in an almost identical way to the pull_request event with the same set of filters and payload. However, instead of running against the workflow and code from the merge commit, the event runs against the workflow and code from the base of the pull request. This means the workflow is running from a trusted source and is given access to a read/write token as well as secrets enabling the maintainer to safely comment on or label a pull request. This event can be used in combination with the private repository settings as well.

(Repost from #12 (comment))

from labeler.
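
The change described in the comment above, written out as a complete workflow file. This is an added example, not part of the original thread and not the labeler project's own file; the file path, workflow and job names, the `actions/labeler@v5` tag and the `permissions` blocks are assumptions.

```yaml
# Added example: .github/workflows/labeler.yml (path and names are assumptions)
name: Pull Request Labeler

# Before: `pull_request`. For a PR opened from a fork, the run gets a
# read-only GITHUB_TOKEN and no secrets, so the call that applies the
# label is rejected.
# on:
# - pull_request

# After: `pull_request_target`. The workflow file and code come from the
# base branch of the pull request, and the token can be given write access.
on:
- pull_request_target

# Deny everything by default; each job grants only what it needs.
permissions: {}

jobs:
  label:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # lets the action read its label configuration
      pull-requests: write  # lets the action add or remove labels on the PR
    steps:
      # There is deliberately no checkout of the PR head in this job. It holds
      # a write token, so it must not build, install or execute anything that
      # comes from the pull request itself.
      - uses: actions/labeler@v5   # version tag is an assumption
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
```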

Ecco commented on July 16, 2024 1

Yes, this is terrible. It's even been reported on this repository as early as #12, even though this is not specific to this repository.

Actually I took the time to write a comprehensive description of this problem on GitHub Community to explain the whole problem. Feel free to upvote it to raise awareness 😄

ekohl commented on July 16, 2024

This is indeed a duplicate of #12

* I see no difference from a forked and a not forked repo in this sense.

The action runs from the org of the source branch with the permissions of that. Since the fork doesn't have permissions to apply a label, it fails.

CsatariGergely commented on July 16, 2024

@ekohl #12 now has a comment about everything, so I'm not sure if these are the same.

When a pr is created the action should run on the target repo and target branch not the source.

ekohl commented on July 16, 2024

That's a limitation of GitHub Actions and AFAIK not something you can control. My guess is that they chose to do this because of security reasons.

damianh commented on July 16, 2024

This is such an annoying limitation. The whole GitHub premise is that when creating a fork, even from private repos in an org, the fork goes to your personal account. It's not even possible to create a fork within the same user or org. This otherwise very useful action is useless for the standard operating procedure. sigh

MaksimZhukov commented on July 16, 2024

Hello everyone!
This issue has been open for a year without any activity, so I'm going to close it as stale.
Please contact us if you have any concerns.
Thanks!
