Comments (3)
Thanks for the report and for using pkg-size!
I did some Googling for that error message and they all seem to point at a lack of permissions in the token.
Seems this is happening because it was executed via fork as per this security change: announcement, docs
The permissions for the GITHUB_TOKEN in forked repositories are read-only.
There doesn't seem to be an option to further specify allowing comments.
To work around:
- You can use a Personal Access Token (PAT) and add that to Secrets. The caveat is that the report will be posted by the account that owns the PAT.
- I'm reading `pull_request_target` has read + write permissions so it's possible to use that instead of `pull_request`, but it seems to run in the `base` context which I haven't tested yet.
Thanks for replying!
`pull_request_target` trigger is in the BASE context. If we check out the HEAD commit, the PR author may inject some malicious code into the "build" script in package.json, which will be executed by this github action. This is dangerous since the PR author can use the GITHUB_TOKEN with write access to run any script. Here is an official guideline: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
As for the Personal Access Token, it seems to have the same security issue.
The guideline above mentioned a recommended solution: split the action into two parts. One for building, collecting package size data and uploading the result (using the `pull_request` trigger). And the other for downloading the result and commenting it to PR (using the `pull_request_target` trigger).
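The two-workflow split recommended in the linked guideline, as an added example that is not code from the pkg-size action or from this thread. It assumes a hypothetical `scripts/collect-pkg-size.js` that writes the size data as JSON with a `files` array of `{path, size}` objects, and it uses `workflow_run` for the privileged half (the trigger the linked GitHub Security Lab article uses for that half), so the write-capable job only ever reads an artifact and never checks out or runs anything from the PR.

```yaml
# Workflow 1: .github/workflows/pkg-size-build.yml -- runs on pull_request in the
# fork's context (read-only token); the only place PR-controlled code executes.
name: pkg-size-build
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm run build
      # collect-pkg-size.js is hypothetical; only its JSON output and the PR
      # number leave this untrusted context, as an artifact.
      - run: |
          mkdir report
          node scripts/collect-pkg-size.js > report/pkg-size.json
          echo "${{ github.event.pull_request.number }}" > report/pr-number.txt
      - uses: actions/upload-artifact@v4
        with: { name: pkg-size-report, path: report }
# Workflow 2: .github/workflows/pkg-size-comment.yml (separate file) -- fires when
# workflow 1 finishes, runs in the base repo with a write-capable token, and never runs PR code.
name: pkg-size-comment
on:
  workflow_run:
    workflows: [pkg-size-build]
    types: [completed]
permissions:
  pull-requests: write
jobs:
  comment:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: pkg-size-report
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');  // the artifact is untrusted input: validate it
            const pr = Number(fs.readFileSync('pr-number.txt', 'utf8').trim());
            if (!Number.isInteger(pr) || pr <= 0) throw new Error('bad PR number');
            // Refuse to comment on a PR other than the one the build run came from.
            const { data: p } = await github.rest.pulls.get({ ...context.repo, pull_number: pr });
            if (p.head.sha !== context.payload.workflow_run.head_sha) throw new Error('PR/run mismatch');
            const rows = JSON.parse(fs.readFileSync('pkg-size.json', 'utf8')).files
              .map(f => `| ${String(f.path).replace(/[|\r\n]/g, ' ')} | ${Number(f.size)} |`);
            await github.rest.issues.createComment({ ...context.repo, issue_number: pr,
              body: '| File | Size (bytes) |\n|---|---|\n' + rows.join('\n') });
```

Because the artifact itself comes from the fork's run, the second workflow treats every byte of it as attacker-controlled: it checks the PR number against the run's head SHA before commenting and strips table-breaking characters from the reported paths.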
This seems like a common problem: https://github.community/t/token-permissions-for-forks-once-again/16468/6
It doesn't seem like there's a workaround to post comments from a fork.
I wonder if `workflow_dispatch` can be used to manually trigger the action on approved PRs.
(FWIW since you seem to be security conscious, in general, using any 3rd party GitHub Action via tag is insecure.)