Michael added a comment.
In T283911#7169942 <https://phabricator.wikimedia.org/T283911#7169942>, @Lucas_Werkmeister_WMDE wrote:

> I’m not sure about the first-time contributors things, but as I understand it, the main problem is that pull requests from forks won’t have access to secrets, so they’ll be missing various API keys.

Yes, and I think this is as good as we can (safely) do in this regard. This blog post goes into a bit more detail as to why: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/

As far as I can see it, you already specified it well:

[ ] Make the things that //can// run without secrets (i.e. basic CI) run automatically on pull requests from forks as well.
[ ] Create some kind of documentation/instructions for how to manually run the rest of CI <https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks> (netlify, saucelabs) after review, so that the patch can be merged.

TASK DETAIL
https://phabricator.wikimedia.org/T283911
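One way the split described in the comment above could look in a workflow file, as an added example that is not part of the original comment or the project's own configuration. The job names, npm scripts and secret names are assumptions; only the Netlify and Sauce Labs services are named in the thread.

```yaml
# Added example: job names, npm scripts and secret names are hypothetical.
name: CI
on:
  pull_request:        # runs for fork PRs too; those runs receive no secrets
  workflow_dispatch:   # maintainer starts this manually on a reviewed branch

permissions:
  contents: read       # keep the workflow token read-only

jobs:
  basic:
    # Needs no secrets, so it is safe to run automatically on every pull request.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm test

  with-secrets:
    # Skipped for fork PRs instead of failing on missing API keys.
    # Runs for branches in the base repository or on a manual dispatch.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    needs: basic
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      - run: npm run test:browser      # hypothetical Sauce Labs browser tests
        env:
          SAUCE_USERNAME: ${{ secrets.SAUCE_USERNAME }}
          SAUCE_ACCESS_KEY: ${{ secrets.SAUCE_ACCESS_KEY }}
      - run: npm run deploy:preview    # hypothetical Netlify preview deploy
        env:
          NETLIFY_AUTH_TOKEN: ${{ secrets.NETLIFY_AUTH_TOKEN }}
```

The workflow deliberately uses `pull_request` rather than `pull_request_target`, so code from a fork never executes in a context that holds the repository's secrets.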
