Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PRs created don't trigger other actions #48

Closed
abatilo opened this issue Sep 28, 2019 · 31 comments · Fixed by hapijs/tlds#9
Closed

PRs created don't trigger other actions #48

abatilo opened this issue Sep 28, 2019 · 31 comments · Fixed by hapijs/tlds#9
Labels
has workaround This issue has a workaround

Comments

@abatilo
Copy link

abatilo commented Sep 28, 2019

It seems that any PRs that get created by this action will not trigger any actions waiting on a pull request event, which means that you can have any required status checks.

Any ideas for how to get around this?

@peter-evans
Copy link
Owner

peter-evans commented Sep 28, 2019

This is a deliberate limitation imposed by GitHub Actions that an action cannot trigger other workflows. From the documentation:

An action in a workflow run can't trigger a new workflow run. For example, if an action pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

https://help.github.com/en/articles/events-that-trigger-workflows#example-using-more-than-one-event

I'm not sure if there are any work arounds. I guess you would need another event to trigger the additional workflow.

@peter-evans
Copy link
Owner

peter-evans commented Sep 28, 2019

I've found a work around. It looks like GitHub are determining that API calls are coming from actions by checking the authentication token. If you use a repo scoped token instead of the default GITHUB_TOKEN then the on: pull_request workflow will run checks against the created pull request.

Create a repo scoped token at https://github.com/settings/tokens and then add it as a secret to the repository your workflow runs in. It will be under https://github.com/[username]/[repo]/settings/secrets

Use that secret in your workflow and assign it to the environment variable GITHUB_TOKEN.

    - name: Create Pull Request
      uses: peter-evans/create-pull-request@v1.3.1
      env:
        GITHUB_TOKEN: ${{ secrets.REPO_SCOPED_TOKEN }}

There is a downside to this method. The PR is no longer created by the github-actions bot user and instead appears to be created by the user associated with the token.

image

@peter-evans
Copy link
Owner

I contacted GitHub about this issue and their response confirms that using a personal token as I outlined above is the correct approach.

From GitHub Support:

This is a deliberate decision by the Actions team in order to prevent accidental "infinite loop" situations, and as an anti-abuse measure.
You will be able to work around this using a Personal Access Token in place of the provided token. As this needs to be explicitly provided it will remove any potential for possible abuse, so we recommend using this method when needing to create a pull request.

@Mike-E-angelo
Copy link

Mike-E-angelo commented Dec 4, 2019

Ah what a pain. Resorting to a token that applies to every repository of the user without being able to scope specifically to the desired repository is quite the security concern.

(My complaints are to GitHub, not this repo BUT SOMEONE MUST HEAR ME AS I SHOUT POWERLESS INTO THE VOID!! 😅)

@Mike-E-angelo
Copy link

Hey all, check it out... another possible workaround is to use an on.schedule.cron trigger as discussed here:

pascalgn/automerge-action#37 (comment)

Here's my (sample/testing 😁) configuration:

https://github.com/ExtendedXmlSerializer/NextRelease/blob/959614d9e72c08f80d7e71a0e52265a42ed91c75/.github/workflows/automerge.yml#L25-L30

Not as elegant as a direct trigger, but certainly better than having to resort to a Personal Access Token.

Thought I'd share. 👍

@dogmatic69
Copy link

There is a massive drawback to using this token, if a repository owner uses a personal token they will not be able to request changes nor approve a PR. This is due to the fact that the PR will be created by the owner.

@peter-evans
Copy link
Owner

Thanks to @proudust for bringing it to my attention, an alternative to using a PAT is SSH Deploy keys that can be set per repository. See the documentation here for how to use Deploy keys with create-pull-request action. Note that this method will only trigger push workflows, not pull_request, so checks must be in an on: push workflow.

@peter-evans
Copy link
Owner

Using deploy keys is now even easier because actions/checkout now supports checkout with SSH keys. See the updated documentation here.

@brockfanning
Copy link

Sorry if this has been explained - do I understand correctly that if the repository needs to have workflows triggered on pull_request and has a branch rule requiring that status checks pass, a PAT is the only option? Otherwise, the generated PR will be stuck in "Waiting for status to be reported" and won't be able to be merged?

@peter-evans
Copy link
Owner

peter-evans commented Apr 5, 2020

@brockfanning There are actually a number of different workarounds now with various pros and cons. I've summarised them and updated the documentation here.

https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#triggering-further-workflow-runs

@gladykov
Copy link

I was able to trigger actions, using Fine-grained personal access token (BETA) , with those permissions:

Actions R/W
Contents R/W
Pull requests R/W
Workflows R/W

Didn't test if this is minimal set of permissions, probably can be limited even more:

@vincerubinetti
Copy link

vincerubinetti commented Aug 7, 2024

Peter, thanks for writing up an explanation of this issue and the workarounds, even though it's not really your responsibility.

Fwiw, this is my situation. I maintain a website template where I try to automate as much as possible for the (often low-technical-knowledge) user. As such, I can't ask the user to create personal access tokens and things like that. So asking them to close/reopen by clicking a big red/green button is the best and most elegant workaround.

I'm also making use of the body field to help the user with this. I'd recommend anyone else using this working around to do the same.

uses: peter-evans/create-pull-request@v6
with:
  body: To run workflows on this PR, close (don't merge) and reopen it.

@peter-evans
Copy link
Owner

@vincerubinetti I can understand how that might be the best option for non-technical users. There's a similar approach that @bmacher commented here, that also might work for you.

I chose the workaround to create the pull requests as drafts and trigger the workflow on ready_for_review.

egargan added a commit to guardian/interactive-component-library that referenced this issue Aug 13, 2024
As discussed here, workflows cannot be triggered for PRs created by bot accounts.

peter-evans/create-pull-request#48

There are workarounds, but they involve more work than they're worth.
For now, let's assume that these auto-version- branches don't need to be
linted. They only make a single change to package.json, anyway.
egargan added a commit to guardian/interactive-component-library that referenced this issue Aug 13, 2024
As discussed here, workflows cannot be triggered for PRs created by bot accounts.

peter-evans/create-pull-request#48

There are workarounds, but they involve more work than they're worth.
For now, let's assume that these auto-version- branches don't need to be
linted. They only make a single change to package.json, anyway.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
has workaround This issue has a workaround
Projects
None yet
Development

Successfully merging a pull request may close this issue.