| title | license |
|---|---|
| Managing dependencies between repositories | CC-BY-SA-4.0 |
Some Forgejo repositories that depend on each other have workflows that will trigger workflows on other repositories using the cascading-pr action.
## Use cases and examples

### Files copied from other repositories
setup-forgejo contains a copy of the forgejo-curl script. This script does not have numbered releases and the latest version is the one in the main branch.
forgejo-curl has a workflow that will open a pull request to setup-forgejo to update the forgejo-curl.sh script it contains. The forgejo-curl workflow will wait on the setup-forgejo workflow and fail if it does not pass, thus providing additional confirmation that the change under test won't break setup-forgejo once merged.
When the PR is merged in forgejo-curl, the corresponding PR in setup-forgejo is left open and ready to be merged with the latest version of the forgejo-curl.sh script.
### Verifying an upgrade would work
setup-forgejo installs a runner by default, as specified in the action.yml file.
The runner has a workflow that will open a pull request to setup-forgejo to update the default version in the action.yml file. The runner workflow will wait on the setup-forgejo workflow and fail if it does not pass, thus providing additional confirmation that the change under test won't break setup-forgejo when it upgrades to using a release that contains the change.
When the PR is merged in forgejo-curl, the corresponding PR in setup-forgejo is closed. It is not meant to upgrade setup-forgejo, because no tagged release containing this change has been published yet.

## Permissions
The cascading-pr action needs a token with write permissions on issues and repositories that will allow it to fork the destination repository and create a pull request from this fork. It also needs read permission on issues and pull requests for the origin repository.
The cascading-pr user is dedicated to providing such tokens.
For instance, a personal token named https://code.forgejo.org/forgejo/forgejo-curl/ was created by the cascading-pr user. This token was added as two secrets named `CASCADING_PR_ORIGIN` and `CASCADING_PR_DESTINATION` in the https://code.forgejo.org/forgejo/forgejo-curl/ repository.
## Access to secrets

The workflow that contains the cascading-pr action needs access to the secrets of the repository and must run on `pull_request_target`. For instance:

```yaml
on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - closed
```
## Updating the workflow

When the cascading-pr workflow is added or updated in a repository, it must be done in a PR from a branch of the repository and not from a forked repository. It runs on `pull_request_target` and, if run from a fork, it will use the content of the default branch instead of the proposed change.
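The `pull_request_target` behaviour described in the two sections above (the workflow file comes from the default branch and has the repository secrets) is also what makes this trigger worth reviewing in any repository, not only the ones running cascading-pr: a workflow that has the secrets and additionally checks out or builds the proposed change hands those secrets to untrusted code. The following script is an added example, not part of the Forgejo documentation or of the cascading-pr project; it is a deliberately simple line-based audit (no PyYAML needed) that reports, for one workflow file, whether it runs on `pull_request_target`, which secrets it references, and whether any step switches to the pull request head. Both sample workflows are constructed here; the cascading-pr input names (`origin-token`, `destination-token`) and the `actions/cascading-pr@v1` reference are assumptions about that action's interface, not taken from this page.

```python
import re

# Workflow-level trigger: a "pull_request_target:" key at any indentation.
TRIGGER_RE = re.compile(r"^\s*pull_request_target\s*:")
# Any secret referenced in the file, e.g. ${{ secrets.CASCADING_PR_ORIGIN }}.
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")
# A step that checks out the proposed change itself (head sha or ref of the PR).
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(sha|ref)\b")


def audit_workflow(text: str) -> dict:
    """Summarise one workflow file for a reviewer.

    Under pull_request_target the workflow definition always comes from the
    default branch, so the secrets can only meet untrusted PR content if a
    step explicitly checks out (or otherwise uses) the PR head.  That is the
    combination flagged as "review"; everything else is "ok".
    """
    lines = text.splitlines()
    trigger_lines = [n for n, line in enumerate(lines, 1) if TRIGGER_RE.match(line)]
    head_lines = [n for n, line in enumerate(lines, 1) if PR_HEAD_RE.search(line)]
    secrets = sorted(set(SECRET_RE.findall(text)))
    uses_target = bool(trigger_lines)
    risky = uses_target and bool(secrets) and bool(head_lines)
    return {
        "pull_request_target": uses_target,
        "secrets": secrets,
        "pr_head_lines": head_lines,
        "verdict": "review" if risky else "ok",
    }


# Constructed sample 1: the trigger block from the documentation plus a
# cascading-pr step that uses the two secrets.  Nothing checks out the PR head;
# the action reads the PR through the API.  Input names are assumed.
CASCADING_WORKFLOW = """\
on:
  pull_request_target:
    types:
      - opened
      - synchronize
      - closed
jobs:
  cascade:
    runs-on: docker
    steps:
      - uses: actions/cascading-pr@v1
        with:
          origin-token: ${{ secrets.CASCADING_PR_ORIGIN }}
          destination-token: ${{ secrets.CASCADING_PR_DESTINATION }}
"""

# Constructed sample 2: same trigger, but the PR head is checked out and a
# script from it runs with a secret in its environment.
RISKY_WORKFLOW = """\
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: docker
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./run-tests.sh
        env:
          TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""


if __name__ == "__main__":
    for name, text in (("cascading", CASCADING_WORKFLOW), ("risky", RISKY_WORKFLOW)):
        report = audit_workflow(name and text)
        print(f"{name}: {report}")
```

Run it over `.forgejo/workflows/*.yml` (or `.github/workflows/*.yml`) by reading each file into `audit_workflow`; a `review` verdict means a human should confirm that no step executes content from the pull request head while the secrets are in scope. The check is intentionally coarse: it does not parse YAML, so a `pull_request_target` key nested somewhere unusual or a secret passed through an indirection will not be attributed correctly, which is the usual trade-off for a dependency-free lint.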