
Secrets are not available in Gitea Actions builds of PRs from repo forks when event is pull_request_target #25088

Closed
sebthom opened this issue Jun 5, 2023 · 7 comments · Fixed by #25229

@sebthom

sebthom commented Jun 5, 2023

Description

Secrets seem not to be populated in gitea action runs of PRs from repo forks.

I created a fork of a repo hosted in an org into my personal account. The repo uses secrets in the gitea action build.
When creating a PR to the upstream repo the gitea action builds fail, despite the given secret being defined in my repo fork as well as in the upstream repo.

When I merge such a PR and the gitea action runs in the upstream repo triggered by the branch push, then the run succeeds.

Gitea Version

1.19.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

Dockerized

Database

SQLite

@lunny lunny added issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea and removed type/bug labels Jun 6, 2023
@lunny
Member

lunny commented Jun 6, 2023

It's by design for security reasons.

@sebthom
Author

sebthom commented Jun 6, 2023

> It's by design for security reasons.

That unfortunately makes the PR review process a bit useless and also is for example not how github actions works.

It would be great if this can be configured in app.ini (similar to the enablement of git hooks).

We for example need to checkout code from another repo in the same org (for which we need a token we store as secret) to generate/verify schema files and want to publish a container image based on the PR to the internal package registry for faster review purposes. For this we also need a token.

@sebthom
Author

sebthom commented Jun 6, 2023

Gitea could also allow usage of tokens in PRs of all users that have write access to the PR target repo. Because in this case there is no additional security value by not populating the secrets.

@lunny
Member

lunny commented Jun 6, 2023

> > It's by design for security reasons.
>
> That unfortunately makes the PR review process a bit useless and also is for example not how github actions works.
>
> It would be great if this can be configured in app.ini (similar to the enablement of git hooks).
>
> We for example need to checkout code from another repository in the same org (for which we need a token we store as secret) to generate/verify schema files and want to publish a container image based on the PR to the internal package registry for faster review purposes. For this we also need a token.

I think the logic is similar to GitHub's default setting. And in future we will have options in repository settings to change that.

This is only for fork repositories pull requests, for pull requests from the base repositories, they could read secrets.

@wolfogre
Member

wolfogre commented Jun 6, 2023

See https://docs.github.com/en/actions/security-guides/encrypted-secrets#using-encrypted-secrets-in-a-workflow

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

@sebthom
Author

sebthom commented Jun 6, 2023

According to https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks secrets are populated when using pull_request_target instead of pull_request.

I tried it and can confirm that for GitHub Actions:

However, Gitea Actions currently does not populate the secrets when using pull_request_target. Would be awesome if that can be changed.

@wolfogre
Member

@sebthom Thanks for pointing it out. I get the point, Gitea doesn't support pull_request_target well, instead it treats it as pull_request.

@wolfogre wolfogre changed the title Secrets are not available in Gitea Actions builds of PRs from repo forks Secrets are not available in Gitea Actions builds of PRs from repo forks when event is pull_request_target Jun 12, 2023
@wolfogre wolfogre added type/bug and removed issue/not-a-bug The reported issue is the intended behavior or the problem is not inside Gitea labels Jun 12, 2023
lunny pushed a commit that referenced this issue Jun 26, 2023
Fix #25088

This PR adds the support for
[`pull_request_target`](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target)
workflow trigger. `pull_request_target` is similar to `pull_request`,
but the workflow triggered by the `pull_request_target` event runs in
the context of the base branch of the pull request rather than the head
branch. Since the workflow from the base is considered trusted, it can
access the secrets and doesn't need approvals to run.
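The difference between the two triggers described in the commit message, shown as two workflow files side by side. This is an added example written in the GitHub Actions workflow syntax that Gitea Actions also accepts; it is not code from the issue or from the Gitea project. The secret name `ORG_READ_TOKEN`, the sibling repository `myorg/schemas`, the file names and the `verify-schemas.sh` script are all assumed for illustration.

```yaml
# Added example, not from the issue or the Gitea code base.
# Two hypothetical workflow files, separated as YAML documents.

# .github/workflows/pr-untrusted.yml (hypothetical file name)
name: pr-untrusted
on:
  pull_request:                  # workflow file comes from the PR head;
                                 # secrets are withheld for PRs from forks
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3     # checks out the PR's own code
      - run: make test                # untrusted code runs here, but without secrets
---
# .github/workflows/pr-trusted.yml (hypothetical file name)
name: pr-trusted
on:
  pull_request_target:           # workflow file comes from the base branch;
                                 # secrets are available, no approval needed
jobs:
  schema-check:
    runs-on: ubuntu-latest
    steps:
      # With no explicit ref, checkout uses the base branch here, not the PR head.
      - uses: actions/checkout@v3
      # The token (assumed secret name) is only usable because the trigger is
      # pull_request_target; under pull_request it would be empty for a fork PR.
      - uses: actions/checkout@v3
        with:
          repository: myorg/schemas          # assumed sibling repo in the same org
          token: ${{ secrets.ORG_READ_TOKEN }}
          path: schemas
      - run: ./scripts/verify-schemas.sh schemas/   # script from the base branch only
```

The split is the whole point of the design: the `pull_request_target` job holds the base repository's secrets, so it should only execute code that already lives on the base branch. If such a job were changed to check out and run the PR head (for example by passing the head SHA as `ref`), the fork contributor's code would run with those secrets, which is exactly what withholding them under `pull_request` prevents. Keep test execution of the PR's code in the secret-less `pull_request` workflow and limit the `pull_request_target` workflow to steps that need the token but not the PR's code.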
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 11, 2023