HyukjinKwon edited a comment on pull request #29333: URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425
Just to share the current status: in the [ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report) plugin (and all other similar plugins), it leverages the `GITHUB_TOKEN` that is set by default in GitHub Actions. It uses the GitHub API to create [status checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks) via [here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43), which requires write permission to the repo. However, the permissions of `GITHUB_TOKEN` [do not cover the case when a PR was raised from a fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token). There are many similar issues and questions, for example in [codecov](https://github.com/codecov/codecov-action/issues/29) or the [GitHub community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166). In the case of Codecov, they managed to remove the requirement of `GITHUB_TOKEN` [here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189). Basically they used existing GitHub Actions environment variables to verify in their service. This is not feasible in our case because the plugin depends on the GitHub API to create the status checks directly.

I investigated this issue yesterday and concluded there's no clean workaround to make this work out of the box. I am currently investigating the feasibility of _potential_ alternatives. I am not yet sure if all of them work or not:

- Use one environment variable, for example `TEST_REPORT_GITHUB_TOKEN`, as a GitHub secret. And then, guide committers to set `TEST_REPORT_GITHUB_TOKEN` as a GitHub secret in their forks. Note that the contributors would be able to report the test results as their tokens don't have write access to the repo.
- Just run the test reports only on the commits of the repo and don't run them in PRs until GitHub provides an alternative to work around this. There look to be many requests such as [this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
- Just generate a token that only has the permission to change the status checks, and hardcode it in the repo. In the worst case, if people abuse this token, the status checks of PRs or commits can be changed. This does not affect the code, and Jenkins runs as a safeguard, so it might be fine. I wonder what people can get by abusing these status checks.
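The permission rule the comment above turns on (the default `GITHUB_TOKEN` is read-only on a `pull_request` event raised from a fork, so a status-check write from such a run cannot succeed) can be encoded as a small pre-check before an action calls the API. The following is an added example, not code from the Spark PR, from action-surefire-report, or from GitHub; it reads the standard `GITHUB_EVENT_NAME`, `GITHUB_REPOSITORY` and `GITHUB_EVENT_PATH` variables and the documented `pull_request.head.repo.full_name` field of the event payload. The function names, the `TEST_REPORT_GITHUB_TOKEN` secret name (floated as one option in the comment) and the sample payloads are my own assumptions.

```python
"""Decide which token, if any, a workflow step may use to post commit statuses.

Added example (not code from the Spark PR or from action-surefire-report).
Rule encoded: on a `pull_request` event whose head branch lives in a fork,
GITHUB_TOKEN is read-only, so a status-check write would be rejected; an
explicitly configured secret (hypothetical name TEST_REPORT_GITHUB_TOKEN)
is preferred when present, and otherwise reporting is skipped rather than
attempted and failed.
"""
import json
import os
from typing import Optional


def is_fork_pull_request(event_name: str, payload: dict, repository: str) -> bool:
    """True when the run was triggered by a PR whose head repo differs from
    the repo running the workflow (i.e. the PR came from a fork)."""
    if event_name != "pull_request":
        return False
    pr = payload.get("pull_request") or {}
    head_repo = (pr.get("head") or {}).get("repo") or {}
    # head.repo is null when the fork was deleted; treat that as a fork too,
    # since the token will not be able to write in that case either.
    head_name = head_repo.get("full_name") or ""
    return head_name.lower() != repository.lower()


def choose_status_token(env: dict, payload: dict) -> Optional[str]:
    """Return the token allowed to create commit statuses, or None to skip.

    Precedence: an explicit TEST_REPORT_GITHUB_TOKEN secret (assumed name)
    wins; otherwise the default GITHUB_TOKEN is used only when the run is
    not a fork PR, where it would be read-only.
    """
    explicit = env.get("TEST_REPORT_GITHUB_TOKEN")
    if explicit:
        return explicit
    fork = is_fork_pull_request(
        env.get("GITHUB_EVENT_NAME", ""), payload, env.get("GITHUB_REPOSITORY", "")
    )
    if fork:
        return None
    return env.get("GITHUB_TOKEN") or None


def load_event_payload(env: dict) -> dict:
    """Read the webhook payload GitHub writes to $GITHUB_EVENT_PATH.

    Returns an empty dict when the variable or file is absent, e.g. when
    run outside of Actions."""
    path = env.get("GITHUB_EVENT_PATH")
    if not path or not os.path.exists(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample inputs (not real events or tokens).
SAME_REPO_EVENT = {"pull_request": {"head": {"repo": {"full_name": "apache/spark"}}}}
FORK_EVENT = {"pull_request": {"head": {"repo": {"full_name": "someone/spark"}}}}
BASE_ENV = {
    "GITHUB_REPOSITORY": "apache/spark",
    "GITHUB_EVENT_NAME": "pull_request",
    "GITHUB_TOKEN": "ghs_default",
}

if __name__ == "__main__":
    # Inside Actions you would pass dict(os.environ) and load_event_payload(os.environ).
    print(choose_status_token(BASE_ENV, SAME_REPO_EVENT))  # ghs_default
    print(choose_status_token(BASE_ENV, FORK_EVENT))       # None (skip reporting)
    fork_env = {**BASE_ENV, "TEST_REPORT_GITHUB_TOKEN": "ghp_fork_secret"}
    print(choose_status_token(fork_env, FORK_EVENT))       # ghp_fork_secret
```

Returning `None` for the fork case lets the step fall back to something that needs no write access (for instance just printing the report in the job log) instead of failing the whole job on a 403 from the status API; a `push` event on the main repository still gets the default token, which matches the "report only on commits of the repo" option discussed above.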