Action does not work on PRs from forks

[aeneasr]

As a large open source organization, we follow GitHub's best practices to have two orgs:

1. An open source org github.com/ory
2. An enterprise org github.com/ory-corp

This allows us to invite unlimited collaborators to the open source projects, while staying compliant in all aspects of closed source development.

When users create PRs against our open source ecosystem, this usually happens on forks. The problem is that the GitHub Secret containing the personal access token that this action needs, is not available on forked repositories.

This leads the action to fail to run when a PR from a fork is added:

https://github.com/ory/kratos/runs/7496471335?check_suite_focus=true

Since we use the boards to also manage open source reviews as part of the product development activities, it would be awesome if PRs from forks could also somehow be added to the board.

To solve this, this action could also support a cron-style job which synchronizes all PRs and all issues to the board. This would allow us to sync "missed" PRs from forks because the cron job runs in the root org and has access to the secret.

[mschile]

I believe you can use the pull_request_target event instead of pull_request since pull_request_target has access to the secrets.

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

[aaronshurley]

@mschile Thank you, that does work. Just so folks know, there are security implications with this approach: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

[camchenry]

👋 Thank you for the feedback! I don't believe this is something that we currently support through this action. We have an item in our roadmap for automatically adding issues and pull requests to projects, as well as some new automation features related to that. I've passed on this feedback directly to the teams working on this functionality. If you have any additional information or feedback, please feel free to comment!

[wangela]

I saw see in the documentation for Using encrypted secrets in a workflow that "With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository."

This is a problem for us, as we need to inject an API key to run tests on PRs. The API key is stored in encrypted secrets, but if the test workflows cannot access the secret when run from a forked PR (i.e. any open source contributor who is not an admin), then we cannot ensure that the PRs pass tests before merging them.

The documentation linked above does not offer a workaround or alternative approach. Is support for encrypted secrets in workflows on fork PRs a feature request that you have on your backlog or do I need to find an alternative method for securely injecting API keys into open source test workflows?