Why can't GitHub Actions workflows access secrets when triggered by a pull_request event?
#49
Hi everyone, just getting started with GitHub Actions, probably overlooking something very silly. Any help would be appreciated. I followed the steps on this thread and followed your README, but I suspect GitHub Actions is not able to read my secrets. I'm trying to trigger a push to PyPI when a commit gets merged to my development branch, using the following workflow:

```yaml
name: Push code in dev branch to Test PyPI on merge
on:
  pull_request:
    branches: [ development ]
    types: [closed]
jobs:
  push-dev-code-to-test-pypi:
    name: Push development branch to test PyPI
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      - name: Check-out development branch
        uses: actions/checkout@v2
        with:
          ref: 'development'
      - name: Setup Python
        uses: actions/setup-python@v1
        with:
          python-version: 3.7
      - name: Update pip
        run: python -m pip install --user --upgrade pip
      - name: Install pypa/build
        run: >-
          python -m
          pip install
          build
          --user
      - name: Build a binary wheel and a source tarball
        run: >-
          python -m
          build
          --sdist
          --wheel
          --outdir dist/
          .
      - name: Publish distribution to Test PyPI
        uses: pypa/gh-action-pypi-publish@master
        with:
          user: __token__
          password: ${{ secrets.TEST_PYPI_PASSWORD }}
          repository_url: https://test.pypi.org/legacy/
```

First I tried by adding the access token, which gave me the error:

```
Warning: It looks like you are trying to use an API token to authenticate in the package index and your token value does not start with "pypi-"
```

although I'm pretty sure my secret started with `pypi-`. As an alternative I tried passing in the 'normal' username and password (replaced the token password by the normal one):

```yaml
        with:
          user: ${{ secrets.TEST_PYPI_USERNAME }}
          password: ${{ secrets.TEST_PYPI_PASSWORD }}
          repository_url: https://test.pypi.org/legacy/
```

but that did not work either, with the following message:

```
HTTPError: 403 Forbidden from https://test.pypi.org/legacy/
```

Any idea why this is happening? Could it have something to do with the workflow being triggered on the development branch, and not on master?
Replies: 1 comment 1 reply
You run your workflow in the context of a `pull_request` event. They are executed in an untrusted mode because a PR branch may have malicious code added by a submitter. Therefore, GitHub does not allow access to secrets for such events: https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#using-encrypted-secrets-in-a-workflow

If you'll use the `push` event, as shown in the guide, it will work as long as the event happens within the upstream repo (not in forks).
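The `push`-triggered variant the reply recommends, written out as an added example (it is not from the original thread or from the guide it references); it assumes the same `development` branch and `TEST_PYPI_PASSWORD` secret name as the question, and pins the publish action to its `release/v1` branch instead of `master`:

```yaml
name: Push code in dev branch to Test PyPI on merge
on:
  push:
    branches: [ development ]   # fires on the merge commit landing in development
permissions:
  contents: read                # the job only reads the repository; no write scope needed
jobs:
  push-dev-code-to-test-pypi:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the pushed commit
        uses: actions/checkout@v2   # no ref: needed, the push event already points at it
      - name: Setup Python
        uses: actions/setup-python@v1
        with:
          python-version: 3.7
      - name: Build a binary wheel and a source tarball
        run: |
          python -m pip install --user --upgrade pip build
          python -m build --sdist --wheel --outdir dist/ .
      - name: Publish distribution to Test PyPI
        uses: pypa/gh-action-pypi-publish@release/v1   # pinned branch rather than @master
        with:
          user: __token__
          password: ${{ secrets.TEST_PYPI_PASSWORD }}   # available on push in the upstream repo
          repository_url: https://test.pypi.org/legacy/
```

The `if: github.event.pull_request.merged == true` guard from the question is dropped because a `push` to `development` only happens once the merge has landed; secrets configured on the upstream repository are still only exposed to runs in that repository, not to a fork's copy of the workflow.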