Skip to content

Provide a better troubleshooting message when used from a 3P PR #202

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
woodruffw opened this issue Dec 26, 2023 · 0 comments · Fixed by #203
Closed

Provide a better troubleshooting message when used from a 3P PR #202

woodruffw opened this issue Dec 26, 2023 · 0 comments · Fixed by #203

Comments

@woodruffw
Copy link
Member

Per conversation in python-pillow/Pillow#7616, there's an edge case we can provide a more descriptive error on: if the publishing workflow uses pull_request events and the event comes from a branch on a fork (rather than the upstream repo itself), then GitHub won't grant the id-token: write permission even if it's listed explicitly.

There's no workaround for this (and there can't be, without breaking GitHub's fork security model), but we can at least improve the error message in this case by detecting the following conditions:

When both of these are true, we could render a modified error message, like:

The pull request that triggered this workflow originated from a fork, which means that it doesn't have access to the `id-token: write` permission used by Trusted Publishing.

GitHub does not have a workaround for this. Consider using a different event instead (such as release or tag creation), or restricting this workflow's runs to first-party pull requests.
@woodruffw woodruffw mentioned this issue Dec 31, 2023
Merged
webknjaz added a commit that referenced this issue Feb 27, 2024
@woodruffw @webknjaz
Clarify the error during OIDC exchange on PRs from forks
e53eb8b 
This specializes the token retrieval error handling, providing an
alternative error message when the error cause is something
that we know can't possibly work due to GitHub's own restrictions
on PRs from forks.

PR #203
Closes #202
Ref python-pillow/Pillow#7616

Co-authored-by: Sviatoslav Sydorenko <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

oidc-exchange: specialize error on PRs from forks woodruffw-forks/gh-action-pypi-publish
1 participant
@woodruffw