Replies: 20 comments 7 replies
-
Hi, I face the same problem today. In my case, following the examples provided by the official documentation (https://docs.github.com/en/actions/learn-github-actions/variables#using-the-vars-context-to-access-configuration-variable-values), we use a Configuration Variable to declare the Runner used by the workflow. Not having access to the related runner variable always generates an error for PR created from fork or by Dependabot. Workflow definition: https://github.com/process-analytics/bpmn-visualization-js/blob/49315fa7136776a29053b6724f867329a919a5b7/.github/workflows/dependency-review-pr.yml#L12-L15 jobs:
dependency-review:
runs-on: ${{ vars.RUNNER_UBUNTU }}
|
Beta Was this translation helpful? Give feedback.
-
The One of the reason to not allow variables available in forked PRs We are still exploring this area and taking feedback on the behaviour. |
Beta Was this translation helpful? Give feedback.
-
I fully support the restriction on Secrets. But please make Variables available to public Pull Request Workflows!! 🙏🏾 |
Beta Was this translation helpful? Give feedback.
-
At the very least, the Variables documentation needs to be updated to mention that variables are not available to pull requests. I spent an hour reviewing docs and debugging why variables were not appearing in my PR actions only to find an obscure reference in this discussion. |
Beta Was this translation helpful? Give feedback.
-
This took me lots of time to figure out that the variables are not available for pull request scope. And +1 to the opinion that it makes this feature useless. |
Beta Was this translation helpful? Give feedback.
-
FFS, please fix this. What's even the point of variables instead of secrets when they are not accessible in PR runs. Or just give us a goddamn setting whether a variable should be accessible or not... |
Beta Was this translation helpful? Give feedback.
-
I was recently excited to think of using org-level variables to define the versions of Python all of octoDNS's CI jobs should run against so that we can avoid ~30 PRs ever time active versions change. I went through and implemented a setup that does exactly what I wanted octodns/octodns#1081 (comment) and it worked perfectly for my PRs, but as soon as I went to work on a 3rd party PR it failed. i'd assumed that "variables" would be available to the forks since they're not "secrets" or at all sensitive, otherwise what's the purpose of having a separate category. I definitely do not want the PRs to have a RW github token, so Are there any updates/plans here. Not looking forward to unwind all 30 PRs assuming there's no way to get the value to PRs from forks. |
Beta Was this translation helpful? Give feedback.
-
This issue has been frustrating me for months. 95% of my workflow runs are triggered by pull requests from forked repos and I have no way to get CI control info without having a file in the repo, which isn't safe, or making a REST call to retrieve a file from some other location, which isn't convenient. I don't understand why there's no facility to do this. If you've got something secret, it should be in secrets. |
Beta Was this translation helpful? Give feedback.
-
I have this exact same issue. :( |
Beta Was this translation helpful? Give feedback.
-
Just spent an hour trying to figure this out as well. I have a CI pipeline that works fine when I do PRs from the same repo. But then someone submits a PR from their fork and neither the environment variables nor the repository variables expand properly and it breaks. I don't understand how to support other people submitting PRs from their forks without this feature. |
Beta Was this translation helpful? Give feedback.
-
If forks cannot inherit repository variables from the upstream repository, then repository variables are broken by design. Why do they exist? Please fix this. Repository variables would be great if they worked the way everyone expects them to work, not the way someone who implemented them thought they should work. |
Beta Was this translation helpful? Give feedback.
-
This is ridiculous and makes us reconsider using GitHub for alternatives, since the forks system is the reason we choose GitHub originally |
Beta Was this translation helpful? Give feedback.
-
Unfortunately, the current behavior of configuration variables limits the ability to perform proper checks when creating a pull request from a fork. This is certainly not an ideal situation if we consider any workflow that uses forks. |
Beta Was this translation helpful? Give feedback.
-
Is having variables as part of environment and using specific environments for jobs a good workaround for this? |
Beta Was this translation helpful? Give feedback.
-
Any movement on this? |
Beta Was this translation helpful? Give feedback.
-
Good lord I just wasted four hours because the docs still don't mention that the Context access for "vars" isn't scoped to PRs. I don't understand why this restriction was made; at the very least, please update the docs. |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
At least allow a member of the repository to trigger a workflow in a PR coming from a fork, so that it can inherit those permissions. Right now, not being able to read the variables at all is a blocking issue with no workaround, since pull_request_target is not a workaround for this. |
Beta Was this translation helpful? Give feedback.
-
I just got bit by this again (my previous project adopted the practice of not using forks in part because of this problem; I've moved to a new project where we use forks, and ran straight into this when I tried to borrow workflows from my old project). There are so many ways to improve this situation (control access to As things stand, we have to choose between using forks or using |
Beta Was this translation helpful? Give feedback.
-
+1 to people who have lost an hour+ to this issue. Please fix! |
Beta Was this translation helpful? Give feedback.
-
Select Topic Area
Product Feedback
Body
The new Configuration Variables feature is great! I'm baffled about their visibility scope, though.
They could/should be passed to workflows triggered by a pull request from a fork.
Why?
Beta Was this translation helpful? Give feedback.
All reactions