ghcr.io Push Job Fails on PRs from External Forks due to Insufficient Permissions #415

@termoshtt

Description

The Problem

Currently, when a Pull Request (PR) is created, a GitHub Actions workflow runs to build a container image and push it to ghcr.io for testing purposes.

However, for Pull Requests originating from external repositories (forks), the permissions granted to the GITHUB_TOKEN available to the workflow are restricted: the token is read-only, and repository secrets (such as a CR_PAT) are not exposed to the workflow at all. The job therefore has no credential that can write/push to ghcr.io.

Consequently, the relevant job fails, as in #413. The failure message often isn't explicit about the permission issue, which leads to unclear failures. This causes confusion for PR reviewers and contributors and results in unnecessary CI failures.
https://github.com/Jij-Inc/ommx/actions/runs/14458749821/job/40551468870?pr=413

Conditions for Occurrence

  • The GitHub Actions workflow is triggered by the pull_request event.
  • The Pull Request originates from an external fork of the repository.
  • The workflow includes a job (or step) that attempts to push a container image to ghcr.io.

Proposed Solution

Modify the workflow to prevent the job (or step) that pushes to ghcr.io from running on Pull Requests from external forks.

Specifically, use the job's conditional execution (if) feature in the workflow. Check the value of github.event.pull_request.head.repo.fork and skip the job if it is true (indicating a PR from a fork).

Example:

jobs:
  build-and-push-image:
    # Run this job only if it's not a PR from a fork
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
    runs-on: ubuntu-latest
    steps:
      # ... checkout code ...
      # ... build image ...
      - name: Push to ghcr.io
        # ... steps to push image ...
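A fuller version of the same idea, written here as an added example and not taken from the ommx repository: the image is still built on every PR (so fork PRs are still validated), and only the registry login and push steps are gated on the fork check. Workflow name, image name and action versions are assumptions.

```yaml
# Added example, not the project's own workflow. OWNER/IMAGE is a placeholder
# (ghcr.io image names must be lowercase).
name: container

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read
  packages: write   # lets GITHUB_TOKEN push to ghcr.io; on fork PRs the token stays read-only anyway

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Fork PRs still get a build; no registry credentials are involved here.
      - name: Build image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          tags: ghcr.io/OWNER/IMAGE:${{ github.sha }}

      # Only the two steps below are skipped for PRs whose head branch is in a fork.
      # Do not work around the missing permission with pull_request_target: that
      # would run fork-supplied code with a write-capable token.
      - name: Log in to ghcr.io
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push image
        if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/OWNER/IMAGE:${{ github.sha }}
```

Gating at the step level rather than the job level keeps the build (and its failures) visible on fork PRs while matching the acceptance criteria for same-repository PRs and branch pushes.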

Goal / Motivation

  • Streamline the Pull Request process for external contributors.
  • Prevent unnecessary CI failures and avoid confusion.
  • Save CI resources.

Acceptance Criteria

  • The ghcr.io push job does not run (is skipped) for Pull Requests originating from fork repositories.
  • The ghcr.io push job runs (as before) for Pull Requests originating from branches within the same repository.
  • The job runs correctly for other triggers (e.g., pushes to specific branches, if applicable) that are not pull_request events from forks.
