Birdgg
Notes on fixing the xLog GitHub Actions permissions problem


Update: you also need to go to the repo Settings - Actions and enable read and write permissions, otherwise it still has no permission. Thanks to @innei-4525 for the reminder.

On Wednesday, while submitting a PR to xLog, I noticed that one check had not passed. Opening the error message, it was the Next.js Bundle Analysis workflow failing while trying to create a comment.

Run peter-evans/create-or-update-comment@v2
Error: Resource not accessible by integration
Error: See this action's readme for details about this error

That evening I saw that Innei was still working on the problem, and I knew my chance to tag along had come (runs away)

After reading the README and issues of peter-evans/create-or-update-comment, I found that under the pull_request trigger, a PR submitted from a third-party fork lacks write permission and therefore cannot create a PR comment. The README suggests using pull_request_target as the trigger to get around this.

Note: In public repositories this action does not work in pull_request workflows when triggered by forks. Any attempt will be met with the error, Resource not accessible by integration. This is due to token restrictions put in place by GitHub Actions. Private repositories can be configured to enable workflows from forks to run without restriction. See here for further explanation. Alternatively, use the pull_request_target event to comment on pull requests.

So I went to the GitHub documentation for pull_request_target and found a Warning there.

Warning: For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork. Although the workflow runs in the context of the base of the pull request, you should make sure that you do not check out, build, or run untrusted code from the pull request with this event. Additionally, any caches share the same scope as the base branch. To help prevent cache poisoning, you should not save the cache if there is a possibility that the cache contents were altered. For more information, see "Keeping your GitHub Actions and workflows secure: Preventing pwn requests" on the GitHub Security Lab website.

In short: pull_request_target runs the base repository's workflow with a read/write GITHUB_TOKEN and access to secrets even when the PR comes from a fork, so any step that checks out and runs the PR's code hands that access to a malicious PR. It should only be used in scenarios where the workflow never touches PR code. The article linked from the warning, Keeping your GitHub Actions and workflows secure: Preventing pwn requests, explains the issue in detail and offers a solution that can update the PR comment without using pull_request_target. It splits the workflow in two: first, a workflow triggered by pull_request runs the possibly unsafe code (build, tests) with a read-only token and uploads the results it needs (test results, coverage, the bundle report) as artifacts; then a separate workflow triggered by workflow_run, which has a write-capable token, downloads those artifacts and updates the PR.

Following that scheme, we split the Next.js Bundle Analysis workflow into two files.

nextjs_bundle_analysis.yml

name: "Next.js Bundle Analysis"

# Untrusted side: for a PR from a fork this workflow runs the PR's own copy of
# the workflow file with a read-only GITHUB_TOKEN and no secrets, so nothing
# here can write to the repository. It only builds and produces artifacts.
on:
  pull_request:

jobs:
  analyze:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # build process

      - name: Upload analysis
        if: success() && github.event.number
        uses: actions/upload-artifact@v2
        with:
          name: analysis_comment
          path: .next/analyze/__bundle_analysis_comment.txt

      # The workflow_run event does not reliably carry the PR number for PRs
      # from forks, so it is passed along as a second artifact.
      - name: Save PR number
        if: ${{ always() }}
        run: echo ${{ github.event.number }} > ./pr-id.txt

      - name: Upload PR number
        if: ${{ always() }}
        uses: actions/upload-artifact@v2
        with:
          name: pr
          path: ./pr-id.txt


comment-pr.yml

name: Comment on the pull request

# Trusted side: workflow_run always uses the workflow file from the default
# branch and runs with the base repository's read-write token and access to
# secrets (the Warning quoted above applies). It must not check out or run PR
# code; it only reads the artifacts the first workflow uploaded.
on:
  workflow_run:
    workflows: ["Next.js Bundle Analysis"]
    types:
      - completed

# Scope the token to what this job needs (reading artifacts, creating and
# editing PR comments) instead of relying on the repository-wide default.
permissions:
  actions: read
  pull-requests: write

jobs:
  upload:
    runs-on: ubuntu-latest
    if: >
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    steps:
      - name: download pr artifact
        uses: dawidd6/action-download-artifact@v2
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          # pin to the run that triggered this event; without run_id the
          # action picks the latest matching run, which may belong to another PR
          run_id: ${{ github.event.workflow_run.id }}
          name: pr

      - name: save PR id
        id: pr
        # ::set-output is deprecated; write to $GITHUB_OUTPUT as the step below does
        run: echo "id=$(<pr-id.txt)" >> "$GITHUB_OUTPUT"

      - name: download analysis comment
        uses: dawidd6/action-download-artifact@v2
        with:
          workflow: ${{ github.event.workflow_run.workflow_id }}
          run_id: ${{ github.event.workflow_run.id }}
          name: analysis_comment
          path: .next/analyze

      - name: Get Comment Body
        id: get-comment-body
        if: success() && steps.pr.outputs.id
        # multi-line output needs the heredoc form of $GITHUB_OUTPUT
        run: |
          echo "body<<EOF" >> $GITHUB_OUTPUT
          echo "$(cat .next/analyze/__bundle_analysis_comment.txt)" >> $GITHUB_OUTPUT
          echo EOF >> $GITHUB_OUTPUT

      # Look for an earlier bundle comment (identified by the hidden marker)
      # so the job updates it instead of posting a new one on every push.
      - name: Find Comment
        uses: peter-evans/find-comment@v2
        if: success() && steps.pr.outputs.id
        id: fc
        with:
          issue-number: ${{ steps.pr.outputs.id }}
          body-includes: "<!-- __NEXTJS_BUNDLE -->"

      - name: Create Comment
        uses: peter-evans/create-or-update-comment@v2
        if: success() && steps.pr.outputs.id && steps.fc.outputs.comment-id == 0
        with:
          issue-number: ${{ steps.pr.outputs.id }}
          body: ${{ steps.get-comment-body.outputs.body }}

      - name: Update Comment
        uses: peter-evans/create-or-update-comment@v2
        if: success() && steps.pr.outputs.id && steps.fc.outputs.comment-id != 0
        with:
          issue-number: ${{ steps.pr.outputs.id }}
          body: ${{ steps.get-comment-body.outputs.body }}
          comment-id: ${{ steps.fc.outputs.comment-id }}
          edit-mode: replace
That solved the problem.
