document some of the pitfalls of using private or internal reusable workflows in a public repo #35735
Comments
jsoref
added
the
content
github-actions
bot
added
the
triage
nguyenalex836
added
actions
|
@jsoref Thank you for raising this issue! I'll get this triaged for review ✨ Our team will provide feedback regarding the best next steps for this issue - thanks for your patience! 💛 |
This comment was marked as spam.
This comment was marked as spam.
subatoi
added
the
needs SME
|
Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀 |
This would only apply to forks of private and internal repositories right? If the upstream repository is public, it wouldn't be able to use private or internal reusable workflows in the first replace - regardless of how access is configured. Additionally, the |
nguyenalex836
added
SME reviewed
|
It happens to me for this repository on a regular basis: I naively assumed that the workflow works for githubers otherwise, why would they ship it? In retrospect, that was naïve. There are 11 pages of runs of this specific workflow failing 💯% of the time: And apparently, someone at GitHub got tired of the ❌ and manually disabled it. @joshmgross if you're on the GitHub actions team, then maybe you can take the specific workflow as input to provide a way for githubers and everyone else to avoid this situation. It didn't occur to me that there was no way for this to work. My understanding is that this repository is actually synced to another disconnected fork that's either private or internal. There are other ways to manage a disconnected fork where things like this aren't carried over to the public repositories, and there would be ways for a syncing tool to add a commit to delete the file if one didn't want to do something else. But... a way for public repositories in this position to not cause problems for downstream forks would be good. And, again, advice to people who do things like this to think about forks in public repositories. |
Code of Conduct
What article on docs.github.com is affected?
https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_iduses
What part(s) of the article would you like to see updated?
Add a warning
Warning
If you use
uses: my-org/other-repo/.github/actions/shared-action@mainthen anyone who would trigger the workflow (as determined byon: ...conditions) especially in forks, but quite likely not limited to forks and doesn't have access to yourmy-org/other-reporepository will encounter an unfixable error of this form:Invalid workflow file: .github/workflows/moda-ci.yaml#L86
error parsing called workflow ".github/workflows/moda-ci.yaml" -> "github/internal-actions/.github/workflows/docker_security.yml@main" : workflow was not found. See https://docs.github.com/actions/learn-github-actions/reusing-workflows#access-to-reusable-workflows for more information.It's possible to avoid this by using a combination of a
workflow_callwith ajobs:/if:condition that guards against the user from tripping on the problem e.g.${{ github.repository == 'github/docs-internal' }}and then have theon: workflow_callon the internal side be responsible for using the reusable workflow.Additional information
moda-ci.yamltriggers an error in forks for anyone who doesn't have access to github/docs-internal #35731The text was updated successfully, but these errors were encountered: