Update: you also need to go to the repository settings, under Actions, and enable read and write permissions; otherwise the workflow still has no permission. Thanks to @innei-4525 for the reminder.
On Wednesday, while submitting a PR to xLog, I found that one of the checks had failed. The error output showed the Next.js Bundle Analysis workflow failing when it tried to create a comment.
```text
Run peter-evans/create-or-update-comment@v2
Error: Resource not accessible by integration
Error: See this action's readme for details about this error
```
That evening I noticed Innei was still working on the problem, and I knew my chance to cosy up to him had arrived (runs away).
After reading the README and issues of peter-evans/create-or-update-comment, I found that under the pull_request event trigger a PR from a third-party fork runs without write permission, so it cannot create a PR comment. The README recommends using pull_request_target as the event trigger to get around this.
Note: In public repositories this action does not work in pull_request workflows when triggered by forks. Any attempt will be met with the error, Resource not accessible by integration. This is due to token restrictions put in place by GitHub Actions. Private repositories can be configured to enable workflows from forks to run without restriction. See here for further explanation. Alternatively, use the pull_request_target event to comment on pull requests.
So I went to GitHub's official documentation on pull_request_target and found the following Warning.
Warning: For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" on the GitHub Security Lab website.
Roughly, this says that pull_request_target gives PRs submitted from forks read/write access to the target repository, so a malicious PR can become a security risk, and the event should only be used in scenarios where that is acceptable. The article cited in the warning, Keeping your GitHub Actions and workflows secure: Preventing pwn requests, explains the problem in detail and proposes a solution that can update PR comments without resorting to pull_request_target. The solution splits the workflow into two parts: first, a pull_request-triggered workflow runs the potentially unsafe code and uploads the results it produced (test results, coverage, and so on) as artifacts; then a workflow_run workflow, which has write permission, downloads those results and updates the PR.
Following that approach, we split the Next.js Bundle Analysis workflow into two files.
nextjs_bundle_analysis.yml

```yaml
name: "Next.js Bundle Analysis"

# Triggered by pull_request, so for PRs from forks the token is read-only.
# This workflow may build untrusted code; it only uploads artifacts and
# never touches the GitHub API.
on:
  pull_request:

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      # build process
      - name: Upload analysis
        if: success() && github.event.number
        uses: actions/upload-artifact@v2
        with:
          name: analysis_comment
          path: .next/analyze/__bundle_analysis_comment.txt
      # The PR number is handed over as an artifact because the workflow_run
      # event on the other side does not know which PR triggered this run.
      - name: Save PR number
        if: ${{ always() }}
        run: echo ${{ github.event.number }} > ./pr-id.txt
      - name: Upload PR number
        if: ${{ always() }}
        uses: actions/upload-artifact@v2
        with:
          name: pr
          path: ./pr-id.txt
```
comment-pr.yml

```yaml
name: Comment on the pull request
# read-write repo token
# access to secrets
on:
  workflow_run:
    workflows: ["Next.js Bundle Analysis"]
    types:
      - completed

jobs:
  upload:
    runs-on: ubuntu-latest
    # Only act on successful runs that were themselves triggered by a pull request
    if: >
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      - name: download pr artifact
        uses: dawidd6/action-download-artifact@v2
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          # pin to the run that triggered us, so another PR's artifact is never picked up
          run_id: ${{ github.event.workflow_run.id }}
          name: pr
      - name: save PR id
        id: pr
        # ::set-output is deprecated; write the step output to $GITHUB_OUTPUT instead
        run: echo "id=$(<pr-id.txt)" >> $GITHUB_OUTPUT
      - name: download analysis comment
        uses: dawidd6/action-download-artifact@v2
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          run_id: ${{ github.event.workflow_run.id }}
          name: analysis_comment
          path: .next/analyze
      - name: Get Comment Body
        id: get-comment-body
        if: success() && steps.pr.outputs.id
        # multi-line output uses the heredoc form of $GITHUB_OUTPUT
        run: |
          echo "body<<EOF" >> $GITHUB_OUTPUT
          echo "$(cat .next/analyze/__bundle_analysis_comment.txt)" >> $GITHUB_OUTPUT
          echo EOF >> $GITHUB_OUTPUT
      - name: Find Comment
        uses: peter-evans/find-comment@v2
        if: success() && steps.pr.outputs.id
        id: fc
        with:
          issue-number: ${{ steps.pr.outputs.id }}
          body-includes: "<!-- __NEXTJS_BUNDLE -->"
      # Create the comment on the first run, update it in place afterwards
      - name: Create Comment
        uses: peter-evans/create-or-update-comment@v2
        if: success() && steps.pr.outputs.id && steps.fc.outputs.comment-id == 0
        with:
          issue-number: ${{ steps.pr.outputs.id }}
          body: ${{ steps.get-comment-body.outputs.body }}
      - name: Update Comment
        uses: peter-evans/create-or-update-comment@v2
        if: success() && steps.pr.outputs.id && steps.fc.outputs.comment-id != 0
        with:
          issue-number: ${{ steps.pr.outputs.id }}
          body: ${{ steps.get-comment-body.outputs.body }}
          comment-id: ${{ steps.fc.outputs.comment-id }}
          edit-mode: replace
```
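The workflow_run job above trusts two files that the fork's run produced: pr-id.txt and the comment body. Both were written by the untrusted workflow, so they are attacker-controlled input and should be checked before the privileged job spends its write token on them. The following script is an added example, not code from the original post or from xLog's workflows, showing such a check: the file names and the `<!-- __NEXTJS_BUNDLE -->` marker come from the workflows above, while the function names, the 9-digit cap on the PR number and the constructed demo artifacts are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the original post or from xLog: validate the
# artifacts that the untrusted pull_request run produced before the privileged
# workflow_run job uses them. A fork controls both files, so the PR number and
# the comment body must be treated as hostile input.

# A PR number is a plain positive integer; anything else (shell metacharacters,
# "../", an empty file) is rejected. The 9-digit cap is an assumption.
validate_pr_id() {
    case "$1" in
        '' | *[!0-9]* | 0*) return 1 ;;
    esac
    [ "${#1}" -le 9 ]
}

# The comment body must exist, be non-empty, fit GitHub's 65536-character
# comment limit (checked in bytes, which is stricter), and carry the marker
# that the "Find Comment" step searches for.
validate_comment_body() {
    file="$1"
    [ -f "$file" ] || return 1
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    [ "$size" -le 65536 ] || return 1
    grep -q '<!-- __NEXTJS_BUNDLE -->' "$file"
}

# Validate both artifacts and, only if both pass, expose the PR id as a step
# output the way the "save PR id" step does. Returns non-zero on any rejection,
# which fails the step and so skips every later step guarded by steps.pr.outputs.id.
publish_outputs() {
    pr_id=$(tr -d '[:space:]' < "$1")
    validate_pr_id "$pr_id" || { echo "refusing untrusted PR id: '$pr_id'" >&2; return 1; }
    validate_comment_body "$2" || { echo "refusing malformed comment body: $2" >&2; return 1; }
    echo "id=$pr_id" >> "${GITHUB_OUTPUT:-/dev/stdout}"
}

# Self-contained demo with constructed artifacts (not real CI output).
demo() {
    dir=$(mktemp -d)
    printf '42\n' > "$dir/pr-id.txt"
    printf '<!-- __NEXTJS_BUNDLE -->\n## Bundle sizes\nmain: 120 kB\n' > "$dir/body.txt"
    publish_outputs "$dir/pr-id.txt" "$dir/body.txt"
    status=$?
    rm -rf "$dir"
    return $status
}

if [ "$#" -eq 2 ]; then
    # real use: sh validate_artifacts.sh pr-id.txt .next/analyze/__bundle_analysis_comment.txt
    publish_outputs "$1" "$2"
else
    demo
fi
```

Run it as the body of the "save PR id" step, after both artifacts have been downloaded, in place of the plain echo. The job that runs it should also declare `permissions: pull-requests: write` so its token carries only the scope the comment needs, rather than the blanket read/write grant mentioned in the update at the top of the post.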
With that, the problem is solved.