Skip to content

Only insert external repos token if supplied #368

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
robertbrignull merged 2 commits into from
Jan 22, 2021
Merged

Only insert external repos token if supplied #368

robertbrignull merged 2 commits into from
Jan 22, 2021

Conversation

@robertbrignull
Copy link
Contributor

@robertbrignull robertbrignull commented Jan 19, 2021

Addresses a bug reported by @lcartey that we accidentally introduced in #357 which was breaking the workflow for people using a workaround we suggested at https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#accessing-private-repositories and also a version using a deploy key and rewriting to a SSH URL.

The PR changes it so we only insert the external repositories token into the URL if it is explicitly supplied and don't fall back to using the main github token. Also avoids adding in a double slash to the URL sometimes.

@chrisgavin do you think this is ok? Why was the falling back to the other token there? It's unlikely to have access to other repos. Was it just in case it did to avoid having to add the token argument twice?

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.

@robertbrignull robertbrignull force-pushed the robertbrignull/external-token-fix branch from 7ae62cd to cb574a7 Compare January 19, 2021 16:28
chrisgavin
chrisgavin approved these changes Jan 20, 2021
View reviewed changes
Copy link
Contributor

@chrisgavin chrisgavin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Falling back to the other token is useful on GitHub Enterprise Server, where it will have access to all public repositories.

That said, I'm happy with the change. I think the implicit credentials should technically still work, so the fallback is still there; it's just in a different place.

@robertbrignull
Copy link
Contributor Author

robertbrignull commented Jan 20, 2021

I think the implicit credentials should technically still work, so the fallback is still there; it's just in a different place.

Could you explain what you mean here?

Also I now realise that I haven't actually tried testing that this fixes the bug. If the github token is being picked up through some other means there's a chance this won't fix anything.

@chrisgavin
Copy link
Contributor

chrisgavin commented Jan 20, 2021

The GITHUB_TOKEN is stored in the Git configuration of the runner automatically when you do a checkout so it will also be used for Git operations against external repositories even if we don't pass it explicitly.

@robertbrignull
Copy link
Contributor Author

robertbrignull commented Jan 22, 2021

I've tested this out in all possible configurations that I could think of and it seems to be working as expected.

@robertbrignull robertbrignull merged commit 484a9ad into main Jan 22, 2021
@robertbrignull robertbrignull deleted the robertbrignull/external-token-fix branch January 22, 2021 12:50
@github-actions github-actions bot mentioned this pull request Jan 25, 2021
Merged
This was referenced Apr 24, 2023
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@chrisgavin chrisgavin chrisgavin approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@chrisgavin chrisgavin

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@robertbrignull @chrisgavin