[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   The [ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report) plugin (and all other similar plugins) leverages the `GITHUB_TOKEN` that is set by default in GitHub Actions. It uses the GitHub API to create [status checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks) ([here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43)), which requires write permission to the repo. However, the permissions of `GITHUB_TOKEN` [do not cover the case when a PR is raised from a fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example in [codecov](https://github.com/codecov/codecov-action/issues/29) or the [GitHub community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166). In the case of Codecov, they managed to remove the requirement for `GITHUB_TOKEN` ([here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189)). Basically, they used existing GitHub Actions environment variables to verify in their service. This is not feasible in our case because the plugin is dependent on the GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean workaround to make this work out of the box.
   I am currently investigating the feasibility of _potential_ alternatives. I am not yet sure if all of them work or not:
   
   - Use one environment variable, for example `TEST_REPORT_GITHUB_TOKEN`, as a GitHub secret, and then guide committers to set `TEST_REPORT_GITHUB_TOKEN` as a GitHub secret in their forks so that their PRs report test results. Note that the contributors would _not_ be able to report the test results as their tokens don't have write access to the repo.
   
   - Just run the test reports only on the commits of the repo and don't run them in PRs until GitHub provides an alternative to work around this. There are many requests such as [this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has the permission to change the status checks, and hardcode it in the repo. In the worst case, if people abuse this token, the status checks of PRs or commits can be changed. This does not affect the code, and Jenkins runs as a safeguard, so it might be fine. I wonder what people can get by abusing these status checks.
   
   I opened an INFRA ticket in ASF and a GitHub Actions ticket with GitHub, and am discussing the options. Once I verify the feasible options, we will be able to discuss further which one to pick (or just drop the PR in the worst case).
   



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org
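The fork restriction discussed in the comment above, as an added example that is not part of the Spark PR or of action-surefire-report: a Python helper that reads the real GitHub Actions variables `GITHUB_EVENT_NAME` and `GITHUB_EVENT_PATH`, detects a pull request whose head branch lives in a fork (where the default `GITHUB_TOKEN` is read-only), and tells a test-report step to skip instead of failing on the status-check API call. The function names and the sample event payloads are constructed for this example.

```python
"""Decide whether a GitHub Actions step may create status checks with GITHUB_TOKEN.

Added example, not code from apache/spark or action-surefire-report.
Assumptions: the workflow runs on a `pull_request` or `push` event and GitHub
has written the event payload to $GITHUB_EVENT_PATH (both are real Actions
variables). All helper names below are hypothetical.
"""
import json
import os


def is_fork_pull_request(event_name: str, payload: dict) -> bool:
    """True when the run is for a PR whose head branch lives in a fork.

    GitHub hands a fork PR a read-only GITHUB_TOKEN, so any call that writes
    to the base repository (e.g. creating a status check) is refused.
    """
    if event_name != "pull_request":
        return False
    pr = payload.get("pull_request", {})
    head_repo = pr.get("head", {}).get("repo") or {}
    base_repo = pr.get("base", {}).get("repo") or {}
    # Missing payload or deleted head repo ("repo": null): fail closed and
    # assume the token is read-only rather than risk a failing API call.
    if not head_repo or not base_repo:
        return True
    return head_repo.get("full_name") != base_repo.get("full_name")


def token_can_write_status(event_name: str, payload: dict) -> bool:
    """Whether the default GITHUB_TOKEN is expected to have write access."""
    return not is_fork_pull_request(event_name, payload)


def plan_report_step(event_name: str, payload: dict) -> str:
    """Return what the test-report step should do: 'publish' or 'skip'."""
    return "publish" if token_can_write_status(event_name, payload) else "skip"


def plan_from_environment(environ=os.environ) -> str:
    """Read the event name and payload the way a step inside Actions would."""
    event_name = environ.get("GITHUB_EVENT_NAME", "")
    path = environ.get("GITHUB_EVENT_PATH")
    payload = {}
    if path and os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            payload = json.load(fh)
    return plan_report_step(event_name, payload)


# Constructed sample payloads, trimmed to the fields the checks above use.
SAME_REPO_PR = {
    "pull_request": {
        "head": {"repo": {"full_name": "apache/spark"}},
        "base": {"repo": {"full_name": "apache/spark"}},
    }
}
FORK_PR = {
    "pull_request": {
        "head": {"repo": {"full_name": "contributor/spark"}},
        "base": {"repo": {"full_name": "apache/spark"}},
    }
}

if __name__ == "__main__":
    for name, event, payload in [
        ("same-repo PR", "pull_request", SAME_REPO_PR),
        ("fork PR", "pull_request", FORK_PR),
        ("push to repo", "push", {}),
    ]:
        print(f"{name}: {plan_report_step(event, payload)}")
```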



[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668353951


   BTW, let me know if you guys have a preference for one of the options. I can investigate fewer options in that case.
   Adding @srowen, @gatorsmile, @cloud-fan as well to collect more feedback.






[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   In 
[ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report)
 plugin (and all other similar plugins), it leverages `GITHUB_TOKEN` that is 
set by default in GitHub Actions. It uses GitHub API to create [status 
checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks)
 via 
[here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43)
 - it requires write permission to the repo. However, the permissions of 
`GITHUB_TOKEN` [does not cover the case when a PR was raised based on the 
fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example, in 
[codecov](https://github.com/codecov/codecov-action/issues/29) or [GitHub 
community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
 In case of Codecov, they managed to remove the requirement of `GITHUB_TOKEN` 
at 
[here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189).
 Basically they used existing GitHub Actions environment variables to verify in 
their service. This is not feasible in our case because the plugin is dependent 
of GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean 
workaround to make this working out of the box. 
   I am currently investigating the feasibility of _potential_ alternatives. I 
am not yet sure if all of them work or not:
   
   - Use one environment variable, for example, `TEST_REPORT_GITHUB_TOKEN` as a 
GitHub secret. And then, guide committers to set `TEST_REPORT_GITHUB_TOKEN` as 
a GitHub secret in their forks so that the PRs report test results. Note that 
the contributors would _not_ be able to report the test results as their tokens 
don't have the write access to the repo.
   
   - Just run the test reports only in the commits of the repo and don't run 
them in PRs until GitHub provides an alternative to work around this. There 
looks many requests such as 
[this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has the permission to change the status 
checks, and hardcode it in the repo. At the worst case people abuse this token, 
the status checks of PRs or commits can be changed. This does not affect the 
codes and Jenkins runs as a safeguard so it might be fine. I wonder what people 
can get by abusing this status checks.
   
   I opened an INFRA ticket in ASF and a ticket for Github Actions, and am 
discussing the options. Once I verify the feasible options, we will be able to 
discuss further which one to pick (or just drop the PR at worst case).
   



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org



[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   In 
[ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report)
 plugin (and all other similar plugins), it leverages `GITHUB_TOKEN` that is 
set by default in GitHub Actions. It uses GitHub API to create [status 
checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks)
 via 
[here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43)
 - it requires write permission to the repo. However, the permissions of 
`GITHUB_TOKEN` [does not cover the case when a PR was raised based on the 
fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example, in 
[codecov](https://github.com/codecov/codecov-action/issues/29) or [GitHub 
community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
 In case of Codecov, they managed to remove the requirement of `GITHUB_TOKEN` 
at 
[here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189).
 Basically they used existing GitHub Actions environment variables to verify in 
their service. This is not feasible in our case because the plugin is dependent 
of GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean 
workaround to make this working out of the box. 
   I am currently investigating the feasibility of _potential_ alternatives. I 
am not yet sure if all of them work or not:
   
   - Use one environment variable, for example, `TEST_REPORT_GITHUB_TOKEN` as a 
GitHub secret. And then, guide committers to set `TEST_REPORT_GITHUB_TOKEN` as 
a GitHub secret in their forks so that the PRs report test results. Note that 
the contributors would _not_ be able to report the test results as their tokens 
don't have the write access to the repo.
   
   - Just run the test reports only in the commits of the repo and don't run 
them in PRs until GitHub provides an alternative to work around this. There 
looks many requests such as 
[this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has the permission to change the status 
checks, and hardcode it in the repo. At the worst case people abuse this token, 
the status checks of PRs or commits can be changed. This does not affect the 
codes and Jenkins runs as a safeguard so it might be fine. I wonder what people 
can get by abusing this status checks.
   
   I opened several an INFRA ticket in ASF and a ticket for Github Actions, and 
am discussing the options. Once I verify the feasible options, we will be able 
to discuss further which one to pick (or just drop the PR at worst case).
   



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org



[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   In 
[ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report)
 plugin (and all other similar plugins), it leverages `GITHUB_TOKEN` that is 
set by default in GitHub Actions. It uses GitHub API to create [status 
checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks)
 via 
[here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43)
 - it requires write permission to the repo. However, the permissions of 
`GITHUB_TOKEN` [does not cover the case when a PR was raised based on the 
fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example, in 
[codecov](https://github.com/codecov/codecov-action/issues/29) or [GitHub 
community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
 In case of Codecov, they managed to remove the requirement of `GITHUB_TOKEN` 
at 
[here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189).
 Basically they used existing GitHub Actions environment variables to verify in 
their service. This is not feasible in our case because the plugin is dependent 
of GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean 
workaround to make this working out of the box. 
   I am currently investigating the feasibility of _potential_ alternatives. I 
am not yet sure if all of them work or not:
   
   - Use one environment variable, for example, `TEST_REPORT_GITHUB_TOKEN` as a 
GitHub secret. And then, guide committers to set `TEST_REPORT_GITHUB_TOKEN` as 
a GitHub secret in their forks so that the PRs report test results. Note that 
the contributors would _not_ be able to report the test results as their tokens 
don't have the write access to the repo.
   
   - Just run the test reports only in the commits of the repo and don't run 
them in PRs until GitHub provides an alternative to work around this. There 
looks many requests such as 
[this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has the permission to change the status 
checks, and hardcode it in the repo. At the worst case people abuse this token, 
the status checks of PRs or commits can be changed. This does not affect the 
codes and Jenkins runs as a safeguard so it might be fine. I wonder what people 
can get by abusing this status checks.
   
   



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org



[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   In 
[ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report)
 plugin (and all other similar plugins), it leverages `GITHUB_TOKEN` that is 
set by default in GitHub Actions. It uses GitHub API to create [status 
checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks)
 via 
[here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43)
 - it requires write permission to the repo. However, the permissions of 
`GITHUB_TOKEN` [does not cover the case when a PR was raised based on the 
fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example, in 
[codecov](https://github.com/codecov/codecov-action/issues/29) or [GitHub 
community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
 In case of Codecov, they managed to remove the requirement of `GITHUB_TOKEN` 
at 
[here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189).
 Basically they used existing GitHub Actions environment variables to verify in 
their service. This is not feasible in our case because the plugin is dependent 
of GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean 
workaround to make this working out of the box. 
   I am currently investigating the feasibility of _potential_ alternatives. I 
am not yet sure if all of them work or not:
   
   - Use one environment variable, for example, `TEST_REPORT_GITHUB_TOKEN` as a 
GitHub secret. And then, guide committers to set `TEST_REPORT_GITHUB_TOKEN` as 
a GitHub secret in their forks so that the PRs report test results. Note that 
the contributors would _not_ be able to report the test results as their tokens 
don't have the write access to the repo.
   
   - Just run the test reports only in the commits of the repo and don't run 
them in PRs until GitHub provides an alternative to work around this. There 
looks many requests such as 
[this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has the permission to change the status 
checks, and hardcode it in the repo. At the worst case people abuse this token, 
the status checks of PRs or commits can be changed. This does not affect the 
codes and Jenkins runs as a safe guard so it might be fine. I wonder what 
people can get by abusing this status checks.
   
   



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org



[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   In 
[ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report)
 plugin (and all other similar plugins), it leverages `GITHUB_TOKEN` that is 
set by default in GitHub Actions. It uses GitHub API to create [status 
checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks)
 via 
[here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43)
 - it requires write permission to the repo. However, the permissions of 
`GITHUB_TOKEN` [does not cover the case when a PR was raised based on the 
fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example, in 
[codecov](https://github.com/codecov/codecov-action/issues/29) or [GitHub 
community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
 In case of Codecov, they managed to remove the requirement of `GITHUB_TOKEN` 
at 
[here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189).
 Basically they used existing GitHub Actions environment variables to verify in 
their service. This is not feasible in our case because the plugin is dependent 
of GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean 
workaround to make this working out of the box. 
   I am currently investigating the feasibility of _potential_ alternatives. I 
am not yet sure if all of them work or not:
   
   - Use one environment variable, for example, `TEST_REPORT_GITHUB_TOKEN` as a 
GitHub secret. And then, guide committers to set `TEST_REPORT_GITHUB_TOKEN` as 
a GitHub secret in their forks. Note that the contributors would _not_ be able 
to report the test results as their tokens don't have the write access to the 
repo.
   
   - Just run the test reports only in the commits of the repo and don't run 
them in PRs until GitHub provides an alternative to work around this. There 
looks many requests such as 
[this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has the permission to change the status 
checks, and hardcode it in the repo. At the worst case people abuse this token, 
the status checks of PRs or commits can be changed. This does not affect the 
codes and Jenkins runs as a safe guard so it might be fine. I wonder what 
people can get by abusing this status checks.
   
   



This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org



[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   The 
[ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report)
 plugin (and all other similar plugins) leverages `GITHUB_TOKEN`, which is 
set by default in GitHub Actions. It uses the GitHub API to create [status 
checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks)
 via 
[here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43),
 which requires write permission to the repo. However, the permissions of 
`GITHUB_TOKEN` [do not cover the case when a PR is raised from a 
fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example, in 
[codecov](https://github.com/codecov/codecov-action/issues/29) or [GitHub 
community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
 In the case of Codecov, they managed to remove the requirement for `GITHUB_TOKEN` 
[here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189).
 Basically, they used existing GitHub Actions environment variables to verify in 
their service. This is not feasible in our case because the plugin depends on 
the GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean 
workaround to make this work out of the box. 
   I am currently investigating the feasibility of _potential_ alternatives. I 
am not yet sure whether all of them work:
   
   - Use one environment variable, for example `TEST_REPORT_GITHUB_TOKEN`, as a 
GitHub secret. Then guide committers to set `TEST_REPORT_GITHUB_TOKEN` as a 
GitHub secret in their forks. Note that the contributors would be able to 
report the test results, as their tokens don't have write access to the repo.
   
   - Just run the test reports only on commits to the repo and don't run 
them in PRs until GitHub provides an alternative to work around this. There 
look to be many requests such as 
[this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has permission to change the status 
checks, and hardcode it in the repo. In the worst case, if people abuse this token, 
the status checks of PRs or commits can be changed. This does not affect the 
code, and Jenkins runs as a safeguard, so it might be fine. I wonder what 
people could get by abusing these status checks.
   
   






[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   The 
[ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report)
 plugin (and all other similar plugins) leverages `GITHUB_TOKEN`, which is 
set by default in GitHub Actions. It uses the GitHub API to create [status 
checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks)
 via 
[here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43),
 which requires write permission to the repo. However, the permissions of 
`GITHUB_TOKEN` [do not cover the case when a PR is raised from a 
fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example, in 
[codecov](https://github.com/codecov/codecov-action/issues/29) or [GitHub 
community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
 In the case of Codecov, they managed to remove the requirement for `GITHUB_TOKEN` 
[here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189).
 Basically, they used existing GitHub Actions environment variables to verify in 
their service. This is not feasible in our case because the plugin depends on 
the GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean 
workaround to make this work out of the box. 
   I am currently investigating the feasibility of _potential_ alternatives. I 
am not sure whether all of them work:
   
   - Use one environment variable, for example `TEST_REPORT_GITHUB_TOKEN`, as a 
GitHub secret. Then guide committers to set `TEST_REPORT_GITHUB_TOKEN` as a 
GitHub secret in their forks. Note that the contributors would be able to 
report the test results, as their tokens don't have write access to the repo.
   
   - Just run the test reports only on commits to the repo and don't run 
them in PRs until GitHub provides an alternative to work around this. There 
look to be many requests such as 
[this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has permission to change the status 
checks, and hardcode it in the repo. In the worst case, if people abuse this token, 
the status checks of PRs or commits can be changed. This does not affect the 
code, and Jenkins runs as a safeguard, so it might be fine. I wonder what 
people could get by abusing these status checks.
   
   






[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   The 
[ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report)
 plugin (and all other similar plugins) leverages `GITHUB_TOKEN`, which is 
set by default in GitHub Actions. It uses the GitHub API to create [status 
checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks)
 via 
[here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43),
 which requires write permission to the repo. However, the permissions of 
`GITHUB_TOKEN` [do not cover the case when a PR is raised from a 
fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example, in 
[codecov](https://github.com/codecov/codecov-action/issues/29) or [GitHub 
community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
 In the case of Codecov, they managed to remove the requirement for `GITHUB_TOKEN` 
[here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189).
 Basically, they used the existing GitHub Actions environment to verify in their 
service. This is not feasible in our case because the plugin depends on the 
GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean 
workaround to make this work out of the box. 
   I am currently investigating the feasibility of _potential_ alternatives. I 
am not sure whether all of them work:
   
   - Use one environment variable, for example `TEST_REPORT_GITHUB_TOKEN`, as a 
GitHub secret. Then guide committers to set `TEST_REPORT_GITHUB_TOKEN` as a 
GitHub secret in their forks. Note that the contributors would be able to 
report the test results, as their tokens don't have write access to the repo.
   
   - Just run the test reports only on commits to the repo and don't run 
them in PRs until GitHub provides an alternative to work around this. There 
look to be many requests such as 
[this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has permission to change the status 
checks, and hardcode it in the repo. In the worst case, if people abuse this token, 
the status checks of PRs or commits can be changed. This does not affect the 
code, and Jenkins runs as a safeguard, so it might be fine. I wonder what 
people could get by abusing these status checks.
   
   






[GitHub] [spark] HyukjinKwon edited a comment on pull request #29333: [WIP][SPARK-32357][INFRA] Publish failed and succeeded test reports in GitHub Actions

2020-08-03 Thread GitBox


HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   The 
[ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report)
 plugin (and all other similar plugins) leverages `GITHUB_TOKEN`, which is 
set by default in GitHub Actions. It uses the GitHub API to create [status 
checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks)
 via 
[here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43),
 which requires write permission to the repo. However, the permissions of 
`GITHUB_TOKEN` [do not cover the case when a PR is raised from a 
fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example, in 
[codecov](https://github.com/codecov/codecov-action/issues/29) or [GitHub 
community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
 In the case of Codecov, they managed to remove the requirement for `GITHUB_TOKEN` 
[here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189).
 Basically, they used the existing GitHub Actions environment to verify in their 
service. This is not feasible in our case because the plugin depends on the 
GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean 
workaround to make this work out of the box. 
   I am currently investigating the feasibility of _potential_ alternatives. I 
am not sure whether all of them work:
   
   - Use one environment variable, for example `TEST_REPORT_GITHUB_TOKEN`, as a 
GitHub secret. Then guide committers to set `TEST_REPORT_GITHUB_TOKEN` as a 
GitHub secret in their forks. Note that the contributors would be able to 
report the test results, as their tokens don't have write access to the repo.
   
   - Just don't run this test report for now, but wait until GitHub provides an 
alternative to work around this. There look to be many requests such as 
[this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has permission to change the status 
checks, and hardcode it in the repo. In the worst case, if people abuse this token, 
the status checks of PRs or commits can be changed. This does not affect the 
code, and Jenkins runs as a safeguard, so it might be fine. I wonder what 
people could get by abusing these status checks.
   
   
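A workflow fragment, added here as an illustration and not taken from the Spark PR or from ScaCap/action-surefire-report's own documentation, showing how the first two alternatives in the comment above combine: the report step runs only when the job holds a write-capable token (a push, or a PR from the same repo), and it prefers a dedicated `TEST_REPORT_GITHUB_TOKEN` secret over the default `GITHUB_TOKEN`. The action's input names (`github_token`, `report_paths`), the `@v1` tag, the `permissions` key (which postdates this thread) and the build command are assumptions.

```yaml
# Added example, not part of the Spark PR or of the action's documentation.
name: build

on: [push, pull_request]

# Narrow the default token to what publishing status checks needs. This key
# postdates the thread above and does not change the fork-PR rule: for a PR
# from a fork, GITHUB_TOKEN stays read-only no matter what is requested here.
permissions:
  contents: read
  checks: write

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Run tests
        run: ./build/mvn test   # placeholder build command, assumed

      # always(): publish failed as well as succeeded runs. The second clause
      # is the write-access check: a push (to this repo or to a committer's
      # fork, where the fork's own secret is used) or a same-repo PR. A PR
      # from a fork still runs the tests above but skips this step instead of
      # failing on a read-only token.
      - name: Publish test report
        if: always() && (github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository)
        uses: ScaCap/action-surefire-report@v1   # tag assumed
        with:
          # Prefer the narrowly scoped secret when the repo defines one; fall
          # back to the default token otherwise. Input names are assumed.
          github_token: ${{ secrets.TEST_REPORT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          report_paths: '**/target/surefire-reports/TEST-*.xml'
```

The `if` condition is what keeps a fork PR from failing: the step is skipped rather than run with a token that cannot create checks, while the test job itself still produces a red or green result.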


