Fix access to secrets in GitHub Actions for PRs from third-party forks after approval

[ezekg]

Right now, when a PR is created from a third-party fork, our GitHub Actions secrets are not shared with the PR, which breaks the EE test suite (since EE requires a license file and license key). I want to adjust our CI workflow to allow third-party forks to have access to these secrets after the PR has been approved for a CI run. We don't allow Actions to run automatically for first-time contributors, so the risk of leaking secrets is low — and they're test secrets anyways, which will eventually expire.

If anybody has some knowledge here, I'd appreciate the help. I'd like to mirror what other open source projects do. This issue currently makes reviewing PRs a chore, since I have to run CI locally, which takes ~45 mins to run the full test suite.

Related: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/

[dreamorosi]

Hi @ezekg, we have a similar situation in our project for e2e tests.

In my project I created a workflow that I manually trigger when I want to run the tests, and that takes the PR number as an input.

In the action, I use the PR number to check out the fork from the contributor. At this point since I’m the actor having triggered the workflow, the action has access to all the secrets I have.

In our case we wanted to have the workflow run exclusively after the maintainer took action, so we kept it as a manual trigger.

What I do when reviewing a PR is usually take a look at the contribution, if it looks benign, then go manually trigger the workflow and have it run in the background while I continue the review.

If you wanted to skip a couple of clicks/pages, you could hook the trigger to either a label that you apply to the PR or a comment that you leave, and then use that event to do the same I described.