Allow moderated secrets usage on PRs from forks #893
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR implements the approach recommended by this article from Github's ‘Security Lab’ to allow the usage of secrets on PRs from forks of the
message_ix
repository.main
.workflow_run:
event trigger. Invoke this trigger every time the "receive" workflow completes (success or failure).pytest
andtutorials
jobs if the "receive" workflow failed.With this merged, it would be up to some user with ‘write’ permissions on the current repo to give a first look-over of any PR from and then add the "safe to test" label. (The label could also be removed again at any time.)
How to review
Per the documentation:
This means we will need to:
.util.sankey
and tutorial #770 was suggested).pytest
workflow is invoked and runs successfully; if not, open a follow-up PR to adjust the workflow(s).PR checklist
Add or expand tests; coverage checks both ✅N/A; CI changes onlyAdd, expand, or update documentation.Update release notes.