HyukjinKwon commented on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


   Just to share the current status,
   
   The [ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report) plugin (and all other similar plugins) leverages the `GITHUB_TOKEN` that is set by default in GitHub Actions. It uses the GitHub API to create [status checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks) via [here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43) - it requires write permission to the repo. However, the permissions of `GITHUB_TOKEN` [do not cover the case when a PR was raised from a fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).
   
   There are many similar issues and questions, for example in [codecov](https://github.com/codecov/codecov-action/issues/29) or the [GitHub community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166). In the case of Codecov, they managed to remove the requirement of `GITHUB_TOKEN` at [here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189). Basically they used the existing GitHub Actions environment to verify in their service. This is not feasible in our case because the plugin is dependent on the GitHub API to create the status checks directly.
   
   I investigated this issue yesterday and concluded there's no clean workaround to make this work out of the box.
   I am currently investigating the feasibility of _potential_ alternatives. I am not sure if all of them work or not:
   
   - Use one environment variable, for example `TEST_REPORT_GITHUB_TOKEN`, as a GitHub secret. Then guide committers to set `TEST_REPORT_GITHUB_TOKEN` as a GitHub secret in their forks. Note that the contributors would be able to report the test results as their tokens don't have write access to the repo.
   
   - Just don't run this test report for now and wait until GitHub provides an alternative to work around this. There seem to be many requests such as [this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).
   
   - Just generate a token that only has the permission to change the status checks, and hardcode it in the repo. In the worst case, people abuse this token and the status of PRs gets changed.
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

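As an added example (not code from this PR, from Spark, or from the action-surefire-report plugin, whose own implementation is JavaScript), the following Python shows the commit-status API call that the plugin needs write access for, and turns the failure a read-only `GITHUB_TOKEN` produces on a pull_request run from a fork into an explicit error rather than a generic HTTP exception. The `User-Agent` client name and the `fake_opener` responses are constructed for offline use; everything else targets the public `POST /repos/{owner}/{repo}/statuses/{sha}` endpoint.

```python
"""Post a GitHub commit status and diagnose the read-only-token failure.

Added illustration; not the plugin's or the project's code. The client name in
the User-Agent header and the fake HTTP responses below are constructed.
"""
import io
import json
import urllib.error
import urllib.request

GITHUB_API = "https://api.github.com"
VALID_STATES = ("error", "failure", "pending", "success")


class StatusPermissionError(RuntimeError):
    """The token exists but cannot write commit statuses to this repository."""


def build_status_request(owner, repo, sha, token, state, context,
                         description, target_url=None):
    """Build POST /repos/{owner}/{repo}/statuses/{sha}.

    Creating a status requires write access to the repo. With a classic PAT the
    narrowest scope that grants it is `repo:status`, which is what the
    "token that can only change status checks" alternative amounts to.
    """
    if state not in VALID_STATES:
        raise ValueError(f"state must be one of {VALID_STATES}, got {state!r}")
    body = {
        "state": state,
        "context": context,
        # The API rejects descriptions longer than 140 characters.
        "description": description[:140],
    }
    if target_url:
        body["target_url"] = target_url
    return urllib.request.Request(
        f"{GITHUB_API}/repos/{owner}/{repo}/statuses/{sha}",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github.v3+json",
            "Content-Type": "application/json",
            "User-Agent": "test-report-status/0.1",  # hypothetical client name
        },
    )


def decode_body(request):
    """Return the JSON body of a built request as a dict (for inspection)."""
    return json.loads(request.data.decode("utf-8"))


def post_status(request, opener=urllib.request.urlopen):
    """Send the request; map a permission failure to StatusPermissionError.

    `opener` is injectable so the logic can be exercised without network access.
    """
    try:
        with opener(request) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        if err.code in (403, 404):
            # This is what GITHUB_TOKEN gets on a pull_request run from a fork:
            # the token is present but only has read permissions on the base
            # repo, so the API answers 403 ("Resource not accessible by
            # integration") or hides the resource with 404.
            raise StatusPermissionError(
                f"HTTP {err.code} creating status at {request.full_url}: "
                "token lacks write access (read-only GITHUB_TOKEN on a fork PR?)"
            ) from err
        raise


def fake_opener(status_code, payload=b"{}"):
    """Constructed stand-in for urlopen that returns a canned HTTP result."""
    def _open(request):
        if status_code >= 400:
            raise urllib.error.HTTPError(request.full_url, status_code,
                                         "forbidden", {}, None)
        return io.BytesIO(payload)
    return _open


if __name__ == "__main__":
    req = build_status_request("apache", "spark", "0123abcd", "dummy-token",
                               "success", "test-report", "1234 tests passed")
    try:
        post_status(req, opener=fake_opener(403))
    except StatusPermissionError as exc:
        print("fork-PR case:", exc)
```

In a workflow this is the point to branch on: if `post_status` raises `StatusPermissionError`, the run is almost certainly a fork PR with the default read-only token, and the job should skip reporting (or fall back to a different channel) rather than fail the build on an expected condition.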

