-
Notifications
You must be signed in to change notification settings - Fork 524
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[ci] CircleCI Test skipping Danger due to access #1143
Comments
Just an observation. Not sure if anyone relies on it. I first noticed it in #1085 (comment) in what should've triggered a danger, but went silent. 🤷♂️ |
Hey @janbrasna 👋 Interesting find. This was added here: #288 but I don't know the rationale behind it. It probably made sense back then, but it doesn't anymore. I'll invite @nafu to take a look at this and shed some light if he can 🙇 But I think we can safely move forward with the removal of that silent failure. I checked and current master of this repo passes on Danger 👌 I'll go ahead and remove the fallback that causes the silent failure 😊 Nice spotting! |
Here it is #1144 Thanks for opening this issue @janbrasna ! 🤗 |
Ah… Now I get what's going on in CI haha nevermind my comments above about it succeeding in danger. I ran a dry_run locally, only. We'll need to figure out the GitHub Token situation, which's not trivial since this is an open source repo and danger kinda self-protects repos from exposing Do you know what needs to be changed there? I haven't dug further into danger's set up, but I'm assuming DANGER_GITHUB_API_TOKEN isn't set in our CI for that reason |
This comment was marked as outdated.
This comment was marked as outdated.
From what I see in the PRs, those opened by a bot these days have a others don't: 🤷♂️ So maybe the right way is to move it outside the CircleCI and keep it as a separate check only? However I don't have enough visibility into when that check is triggered by the fastlane bot TBH… |
Or actually it seems that PRs opened by @fastlane members have the |
Hi @janbrasna , since my last comment in this thread I've acquired more knowledge on the topic and am capable of clarifying what we're seeing the behavior you described in your last comment here 😊 ☝️
This is a security feature. The technical difference is "PRs coming from forks" vs "PRs opened within this repo", I think. This prevents users from creating PRs from forks from executing arbitrary code (e.g. introducing a new script that Each CI has their own mechanism to prevent this from happening, so the solution to this problem will be a solution specific for Circle CI, and not e.g. danger itself. Looks like this could be a good starting point: https://circleci.com/blog/triggering-trusted-ci-jobs-on-untrusted-forks (I didn't read it yet, I just found this) |
Missing
DANGER_GITHUB_*
tokens, Danger fails with:results of: bundle exec danger || echo "danger failed, moving on"
e. g. Test3130:
The text was updated successfully, but these errors were encountered: