Have github action only run on master repo, and not on forks? #26409
-
I have an action that will always fail on forks due to the lack of secrets. When I set the action permissions to My test action on PRs fails. How would I about setting up required permissions? |
Beta Was this translation helpful? Give feedback.
Replies: 21 comments 5 replies
-
If you use the event
Currently there isn’t a way to control enable/disable state of workflows in forks. |
Beta Was this translation helpful? Give feedback.
-
I am checking out the branch… am I supposed to add the refs? also by pr target… I have
further more. What setting am I supposed to set?
|
Beta Was this translation helpful? Give feedback.
-
Local actions means those that are in your repo. (Of which you probably have none.) Here’s a PR action that does markdown linting on submissions to help you get a model/understanding of how things fit together: https://github.com/OWASP/wstg/blob/fd5674975bf20209c13e6a6195744e6cf35d0152/.github/workflows/md-lint-check.yml |
Beta Was this translation helpful? Give feedback.
-
With said changes. I get |
Beta Was this translation helpful? Give feedback.
-
Okay, so it’s running, that’s great! |
Beta Was this translation helpful? Give feedback.
-
Unfortunately no. Its just stuck there. |
Beta Was this translation helpful? Give feedback.
-
Is it a public repo, can you provide a link? |
Beta Was this translation helpful? Give feedback.
-
The gh-test workflow? (It was last updated 2h ago, but looking at your actions tab hasn’t been triggered in 7h.) Also your publish action is reporting a syntax issue: https://github.com/Upvision/upvision.github.io/actions/runs/339580524 |
Beta Was this translation helpful? Give feedback.
-
Yes I had to run tests locally and force merge, because i was on a schedule. The tests never run and await status to be reported. As for the syntax issue, it has something to do with the env action, as its documentation requires it to be configured that way. |
Beta Was this translation helpful? Give feedback.
-
The “Allow local actions only” option in the Organization settings means that the actions (don’t confuse with workflows) only defined in the repositories within current organization can be used in the workflows within current organization. The workflows within current organization can’t use the actions defined outside of current organization.
Because the “checkout” action and “setup-node” action are defined within the “actions” organization, not your organization “Upvision”. If you want to use the actions from other organizations, you can:
About workflows from fork repository, there also are some option you can use in the Organization settings. To view more details, you can see “Disabling or limiting GitHub Actions for your organization”. |
Beta Was this translation helpful? Give feedback.
-
I dont want the actions defined on the main repository to run on the forks. I do not want to expose secrets either. |
Beta Was this translation helpful? Give feedback.
-
You’re still confusing actions and workflows. You cannot stop forked repos from causing workflow runs by reducing actions permissions. What you want is to disable Run workflows from fork pull requests, but that isn’t available for regular accounts and it seems to be limited to private repos?
Blakeinstein:
They don’t run in forked repos by default, but it can be enabled by the owner of that fork. Note that this is different from pull requests being opened against your repo, which may trigger a workflow run on your end. What you could do is to only run jobs if the feature branch is in your repo (not in a fork):
|
Beta Was this translation helpful? Give feedback.
-
In that case you probably don’t need the That said, looking at your initial post it sounds like you want to run on PRs, just not the deploy stuff:
Blakeinstein:
I think the easiest solution is:
|
Beta Was this translation helpful? Give feedback.
-
I have a workflow that is triggered on pull requests, and that works as intended. But my main workflow that deploys the webpage, is also being run on forks. Its not an issue as they simply error out because of the lack of secrets. But I’d rather not have the workflows run on forks. |
Beta Was this translation helpful? Give feedback.
-
Adding conditions as I showed should be a viable solution then. Workflows will still be started on forks, but abort early without causing failed workflow runs. |
Beta Was this translation helpful? Give feedback.
-
@Simran-B gave the solution you want and need 😉 To make the condition more portable (copy/paste) in an organization or your own account you can just use the repository owner name as a condition to match. In your case just replace git.luolix.topUpvision/upvision.github.io/blob/41ac1a284e4b3accc09309d852ca3b477d1f395e/.github/workflows/gh-deploy.yml#L10-L11
with
For the forks not to be bothered with the failing workflow they just need to update to your version. |
Beta Was this translation helpful? Give feedback.
-
That is exactly what I needed! Thanks! Sorry for the earlier confusion! |
Beta Was this translation helpful? Give feedback.
-
Fwiw, what you're doing isn't really ideal. Instead of hardcoding "is my owner X", it's friendlier to add a condition that checks for the required secrets. This would allow someone else to provide compatible secrets for testing in their fork. In the simplest case, it can be something like this: For fancier cases, you can make a step w/ an output, or a job w/ an output and then condition other steps/jobs based on those outputs. |
Beta Was this translation helpful? Give feedback.
-
The way our organization uses forks, we never want forks of our repo to be able to run any GitHub actions. It's not a question of secrets and permissions, it's a more fundamental issue in that forks are only for working on content changes and submitting them (via PRs) to the original repo, they are not for managing anything like tracking issues or running actions. I think a setting is still needed to disallow GH actions on forked repos, not just something in the individual actions. I guess that's a feature request, since I don't think there's any such setting now. |
Beta Was this translation helpful? Give feedback.
@Simran-B gave the solution you want and need 😉
To make the condition more portable (copy/paste) in an organization or your own account you can just use the repository owner name as a condition to match.
In your case just replace
git.luolix.topUpvision/upvision.github.io/blob/41ac1a284e4b3accc09309d852ca3b477d1f395e/.github/workflows/gh-deploy.yml#L10-L11
with
For the forks not to be bothered with the failing workflow they just need to update to your version.