HyukjinKwon edited a comment on pull request #29333:
URL: https://github.com/apache/spark/pull/29333#issuecomment-668348425


Just to share the current status,

In the [ScaCap/action-surefire-report](https://github.com/ScaCap/action-surefire-report) plugin (and all other similar plugins), it leverages the `GITHUB_TOKEN` that is set by default in GitHub Actions. It uses the GitHub API to create [status checks](https://docs.github.com/en/github/collaborating-with-issues-and-pull-requests/about-status-checks) via [here](https://github.com/ScaCap/action-surefire-report/blob/master/action.js#L42-L43) - it requires write permission to the repo. However, the permissions of `GITHUB_TOKEN` [do not cover the case when a PR was raised based on a fork](https://docs.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token).

There are many similar issues and questions, for example, in [codecov](https://github.com/codecov/codecov-action/issues/29) or the [GitHub community](https://github.community/t/make-secrets-available-to-builds-of-forks/16166). In the case of Codecov, they managed to remove the requirement of `GITHUB_TOKEN` at [here](https://github.com/codecov/codecov-action/issues/29#issuecomment-595062189). Basically they used existing GitHub Actions environment variables to verify in their service. This is not feasible in our case because the plugin is dependent on the GitHub API to create the status checks directly.

I investigated this issue yesterday and concluded there's no clean workaround to make this work out of the box.
I am currently investigating the feasibility of _potential_ alternatives. I am not yet sure if all of them work or not:

- Use one environment variable, for example, `TEST_REPORT_GITHUB_TOKEN`, as a GitHub secret. And then, guide committers to set `TEST_REPORT_GITHUB_TOKEN` as a GitHub secret in their forks. Note that the contributors would be able to report the test results as their tokens don't have write access to the repo.

- Just run the test reports only on the commits of the repo and don't run them in PRs until GitHub provides an alternative to work around this. There seem to be many requests such as [this](https://github.community/t/make-secrets-available-to-builds-of-forks/16166).

- Just generate a token that only has the permission to change the status checks, and hardcode it in the repo. In the worst case, if people abuse this token, the status checks of PRs or commits can be changed. This does not affect the code, and Jenkins runs as a safeguard, so it might be fine. I wonder what people can get by abusing these status checks.

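The first two alternatives above can be expressed as a single workflow that always runs the tests but only publishes the status check when a token with write permission is actually available. The following is an added illustration and is not Spark's workflow or the comment author's code; it assumes the `ScaCap/action-surefire-report@v1` action with `github_token` and `report_paths` inputs, a hypothetical `TEST_REPORT_GITHUB_TOKEN` repository secret as proposed in the comment, and a placeholder test command.

```yaml
# Added example, not part of the Spark repository: run tests on every push
# and pull request, but publish the surefire status check only where the
# token can write. On a pull request from a fork, GITHUB_TOKEN is read-only,
# so an unconditional report step would fail with a 403 from the GitHub API.
name: build-and-report
on: [push, pull_request]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Run tests
        # Placeholder build command; substitute the project's real test step.
        run: ./build/mvn -B test

      - name: Publish test report (same-repo branches and PRs only)
        # Alternative 2 from the comment: report on pushes to the repo and on
        # PRs whose head lives in this repository. A PR raised from a fork has
        # head.repo.full_name != github.repository and is skipped here.
        # always() keeps the report running when the test step failed.
        if: >-
          always() &&
          (github.event_name != 'pull_request' ||
           github.event.pull_request.head.repo.full_name == github.repository)
        uses: ScaCap/action-surefire-report@v1
        with:
          # Alternative 1 from the comment: a committer who sets
          # TEST_REPORT_GITHUB_TOKEN (assumed secret name) in their fork gets
          # reports on pushes there; otherwise the default token is used.
          github_token: ${{ secrets.TEST_REPORT_GITHUB_TOKEN || secrets.GITHUB_TOKEN }}
          report_paths: '**/target/surefire-reports/TEST-*.xml'
```

The `if` condition is the part worth keeping regardless of which action is used: `github.event.pull_request.head.repo.full_name == github.repository` separates same-repository PRs (where `GITHUB_TOKEN` can write) from fork PRs (where it cannot), so the test job itself still runs for every contributor and only the status-check publication is gated. Secrets, including `TEST_REPORT_GITHUB_TOKEN`, are never exposed to workflow runs triggered by fork PRs, so the fallback to `GITHUB_TOKEN` only matters on `push` events.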