danger-js: Github Action fails when PR comes from forked repo

Problem

Danger crashes when I accept a PR from the fork: https://github.com/sobolevn/itmo-2019/pull/18/checks?check_run_id=222332195

But, works well when I create PRs inside the repo: https://github.com/sobolevn/itmo-2019/pulls?q=is%3Apr+is%3Aclosed (just an example).

My configuration:

name: comments

on: [pull_request]

jobs:
  danger:

    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@master
    - name: Danger JS Action
      uses: danger/danger-js@9.1.8
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Link: https://github.com/sobolevn/itmo-2019/blob/master/.github/workflows/review.yml

Output

 Danger JS Action5s
##[error]Docker run failed with exit code 1
Run danger/danger-js@9.1.8
  env:
    GITHUB_TOKEN: ***
/usr/bin/docker run --name df7dcddf0fc01b57b4276b942607159610154_53cda2 --label 0df7dc --workdir /github/workspace --rm -e GITHUB_TOKEN -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/itmo-2019/itmo-2019":"/github/workspace" 0df7dc:ddf0fc01b57b4276b942607159610154

Failing the build, there is 1 fail.
Request failed [403]: https://api.github.com/repos/sobolevn/itmo-2019/issues/18/comments
Response: {
  "message": "Resource not accessible by integration",
  "documentation_url": "https://developer.github.com/v3/issues/comments/#create-a-comment"
}
Feedback: undefined
##[error]Docker run failed with exit code 1

Possible reason

I guess that this is possibly related to how GITHUB_TOKEN works for forked repos: https://help.github.com/en/articles/virtual-environments-for-github-actions#github_token-secret

And I have no idea how to fix it. Official docs do not say much about this problem: https://danger.systems/js/guides/getting_started.html#setting-up-danger-to-run-on-your-ci Moreover, I cannot find any other real-world usage of danger-js as an action. So, I cannot verify that it also happens to other users as well.

Any ideas where to look?

About this issue

  • State: open
  • Created 5 years ago
  • Reactions: 3
  • Comments: 22 (14 by maintainers)

Most upvoted comments

I had a play around, and it’s relatively straightforward to understand whether Danger is running on a PR originated from a fork.

I came up with this simple dangerfile.ts:

import { danger } from "danger"

const headRepoName = danger.github.pr.head.repo.full_name
const baseRepoName = danger.github.pr.base.repo.full_name

// Differing full names mean the PR head lives in a fork
if (headRepoName !== baseRepoName) {
  // This is shown inline in the output
  console.log("\x1b[1;31mRunning from a forked repo. Danger won't be able to post comments on the main repo unless GitHub Actions are enabled on the fork, too.\x1b[0m")

  // This is shown inline in the output and also integrates with the GitHub
  // Action reporting UI and produces a warning
  console.log("##[warning]Running from a forked repo. Danger won't be able to post comments on the main repo unless GitHub Actions are enabled on the fork, too.\x1b[0m")
}

I guess logic could be added somewhere that, if it detects that the CI source is GitHub Actions and the PR is from a fork, posts this comment.

Or, even better, when the API call to post a comment gets a 403 with message “Resource not accessible by integration”, checks the above conditions and posts the warning. In this case, one could use ##[error] in the log and actually make the build fail. I’m not sure how to make the build fail, just logging ##[error] is not enough. Maybe a throw?

Also worth trying to use the Danger checks implementation on a forked PR as @stof mentioned

I tried it with this commit, same result, see the build here.

Request failed [403]: https://api.github.com/repos/wordpress-mobile/WordPress-iOS/check-runs
Response: {
  "message": "Resource not accessible by integration",
  "documentation_url": "https://developer.github.com/v3/checks/runs/#create-a-check-run"
}

I also tried to use a custom public_repo token, as per the docs.

A PR from the base repo works as expected. A PR from a forked repo fails saying there’s no token. My guess would be that despite running on the base repo, it accesses the environment of the forked repo, where no token exists.

Well, there should be a mode where danger-js reports things using the Github Actions reporting system (sending some logs to the output of the script, with some special formats in it to achieve some actions like adding annotations, if needed) instead of adding a comment. Then, it would be usable in actions directly. Github Actions already have a reporting UI integrated in Github.

you can write to stdout (and use the exit code to indicate failure)
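
The fallback suggested in the comments above (detect the 403 on a fork PR, report through the job log, signal failure with the exit code), as an added example in plain JavaScript that is not danger-js code. It uses the `::warning::` / `::error::` workflow-command form rather than the `##[warning]` form shown earlier; `reportWithoutWriteAccess`, `escapeData`, the result shape and the sample data are hypothetical names and constructed values.

```javascript
// Added example, not danger-js code. Field names follow the pull_request
// webhook payload; all sample data at the bottom is constructed.

// Fork PRs run with a read-only GITHUB_TOKEN, so comment writes return 403.
// A null head repo (fork deleted) is treated as a fork as well.
function isForkPullRequest(event) {
  const { head, base } = event.pull_request;
  return !head.repo || head.repo.full_name !== base.repo.full_name;
}

// Escape message data for workflow commands. Text derived from a fork's
// changes is untrusted: a raw newline could start a second command line.
function escapeData(text) {
  return String(text).replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
}

// Given the response to the failed comment POST, return the log lines to
// print and the exit code the step should finish with.
function reportWithoutWriteAccess(event, response, results) {
  const readOnly = response.status === 403 &&
    response.body.message === "Resource not accessible by integration";
  if (!readOnly || !isForkPullRequest(event)) {
    const detail = `Request failed [${response.status}]: ${response.body.message}`;
    return { lines: [`::error::${escapeData(detail)}`], exitCode: 1 };
  }
  const lines = [
    "::warning::PR is from a fork, token is read-only; reporting in the job log.",
    ...results.fails.map((m) => `::error::${escapeData(m)}`),
    ...results.warnings.map((m) => `::warning::${escapeData(m)}`),
  ];
  return { lines, exitCode: results.fails.length > 0 ? 1 : 0 };
}

// Constructed sample input: fork PR, the 403 body from this issue, two results.
const sampleEvent = { pull_request: {
  head: { repo: { full_name: "contributor/itmo-2019" } },
  base: { repo: { full_name: "sobolevn/itmo-2019" } },
} };
const sampleResponse = { status: 403,
  body: { message: "Resource not accessible by integration" } };
const sampleResults = { fails: ["Missing changelog\n::warning::spoofed"],
  warnings: ["PR is large"] };

const report = reportWithoutWriteAccess(sampleEvent, sampleResponse, sampleResults);
// Printed as JSON here; a real step would print each line and then set
// process.exitCode = report.exitCode.
console.log(JSON.stringify(report, null, 2));
```

The escaped `%0A` keeps the embedded `::warning::spoofed` text inside the first error message instead of letting it become a separate annotation.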