Fix permissions issues for python-coverage-comment action step #217

MichaelRoytman

Description:

When a user without the proper permissions on the repository authors a commit, the python-coverage-comment step in the CI action fails because the user does not have permissions to post comments to the pull request.

In order to fix this, split the coverage step into two.

  1. In ci.yml, check out the repository and generate and save the coverage comment that should be posted.
  2. In coverage.yml, publish the saved coverage comment to the pull request. For security reasons, we do not want to give permissions to the ci.yml action, because it checks out untrusted code. Coverage.yml is a trusted workflow that can post the saved coverage comment from the untrusted workflow.

JIRA:

None.

Pre-Merge Checklist:

  • Updated the version number in edx_name_affirmation/__init__.py if these changes are to be released. See OEP-47: Semantic Versioning.
  • Described your changes in CHANGELOG.rst.
  • Confirmed GitHub reports all automated tests/checks are passing.
  • Approved by at least one additional reviewer.

Post-Merge:

  • Create a tag matching the new version number.


github-actions bot commented Sep 9, 2024

Coverage report

This PR does not seem to contain any modification to coverable code.
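
The two-workflow split described in this pull request, sketched as an added example; it is not the contents of this PR's ci.yml or coverage.yml. It assumes the step is `py-cov-action/python-coverage-comment-action` (the page names only "python-coverage-comment"), uses that action's default artifact and file names, and uses `make test` as a placeholder test command; the permission sets shown are an assumed minimum to check against the action's documentation.

```yaml
# .github/workflows/ci.yml: runs untrusted pull request code with a read-only token
name: CI
on:
  pull_request:
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run tests and produce the .coverage file
        run: make test  # placeholder test command (assumption)
      - name: Generate the coverage comment
        id: coverage_comment
        uses: py-cov-action/python-coverage-comment-action@v3
        with:
          GITHUB_TOKEN: ${{ github.token }}
      # The comment could not be posted with this token, so save it as an artifact.
      - name: Save the comment for the trusted workflow
        if: steps.coverage_comment.outputs.COMMENT_FILE_WRITTEN == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: python-coverage-comment-action
          path: python-coverage-comment-action.txt
---
# .github/workflows/coverage.yml: trusted, defined on the default branch
name: Post coverage comment
on:
  workflow_run:
    workflows: ["CI"]  # must match the name of the workflow above
    types: [completed]
jobs:
  comment:
    runs-on: ubuntu-latest
    if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success'
    permissions:
      pull-requests: write  # post the saved comment
      actions: read         # download the artifact from the CI run
    steps:
      # No checkout step: this job never executes code from the pull request.
      - uses: py-cov-action/python-coverage-comment-action@v3
        with:
          GITHUB_TOKEN: ${{ github.token }}
          GITHUB_PR_RUN_ID: ${{ github.event.workflow_run.id }}
```

The artifact is produced by untrusted code, so the trusted workflow should only ever post it as comment text and never execute, source or interpolate it into a shell step.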
