On automated deployment of fork PRs with GitHub Actions

A workflow triggered by a fork PR on a GitHub project cannot read the repository's secrets; this is a restriction GitHub imposes for security reasons. I also tested the permissions of GITHUB_TOKEN: even with permissions set to write-all (which implicitly includes read), it still cannot automatically create a branch in the repository or automatically merge, and fails with: Error: Resource not accessible by integration.

So a different approach is used here: when a fork PR is opened, a workflow is triggered that packages the PR's code as an artifact; a second workflow is then started by hand, with the fork PR number typed in as an input, and a manually triggered workflow is allowed to use secrets.

# upload_fork_pr_files.yml (the file name the second workflow refers to)
name: Upload fork pr files

on:
  pull_request:
    branches:
      - '**'
    paths:
      - 'packages/**'

jobs:
  upload-fork-pr-files:
    if: github.event.pull_request.head.repo.fork == true
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master

      - uses: actions/upload-artifact@v3
        with:
          name: pr_files
          path: ./

name: manual_down_deploy_pr
# Required repository secrets:
# deploy_host
# deploy_host_username
# deploy_host_password

on:
  workflow_dispatch:
    inputs:
      pr_number:
        description: 'fork pr number is '
        required: true

jobs:
  up_deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Download artifact
        id: download-artifact
        uses: dawidd6/action-download-artifact@v2
        with:
          # Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed
          # Required, if the artifact is from a different repo
          # Required, if the repo is private a Personal Access Token with `repo` scope is needed
          github_token: ${{secrets.GITHUB_TOKEN}}
          # Optional, workflow file name or ID
          # If not specified, will be inferred from run_id (if run_id is specified), or will be the current workflow
          workflow: upload_fork_pr_files.yml
          # Optional, the status or conclusion of a completed workflow to search for
          # Can be one of a workflow conclusion:
          #   "failure", "success", "neutral", "cancelled", "skipped", "timed_out", "action_required"
          # Or a workflow status:
          #   "completed", "in_progress", "queued"
          # Use the empty string ("") to ignore status or conclusion in the search
          workflow_conclusion: success
          # Optional, will get head commit SHA
          pr: ${{ inputs.pr_number }}
          # Optional, no need to specify if PR is
          # commit: ${{github.event.pull_request.head.sha}}
          # Optional, will use the specified branch. Defaults to all branches
          # branch: master
          # Optional, defaults to all types
          # event: push
          # Optional, will use specified workflow run
          # run_id: 1122334455
          # Optional, run number from the workflow
          # run_number: 34
          # Optional, uploaded artifact name,
          # will download all artifacts if not specified
          # and extract them into respective subdirectories
          # https://github.com/actions/download-artifact#download-all-artifacts
          name: pr_files
          # Optional, a directory where to extract artifact(s), defaults to the current directory
          # path: extract_here
          # Optional, defaults to current repo
          # repo: ${{ github.repository }}
          # Optional, check the workflow run to whether it has an artifact
          # then will get the last available artifact from the previous workflow
          # default false, just try to download from the last one
          # check_artifacts: false
          # Optional, search for the last workflow run whose stored an artifact named as in `name` input
          # default false
          search_artifacts: false
          # Optional, choose to skip unpacking the downloaded artifact(s)
          # default false
          skip_unpack: false
          # Optional, choose how to exit the action if no artifact is found
          # can be one of:
          #  "fail", "warn", "ignore"
          # default fail
          if_no_artifact_found: fail

      - name: ssh deploy
        uses: appleboy/ssh-action@master
        env:
          pr_number: ${{ inputs.pr_number }}
        with:
          host: ${{ secrets.deploy_host }}
          username: ${{ secrets.deploy_host_username }}
          password: ${{ secrets.deploy_host_password }}
          # forward the env var to the remote shell so the script can read $pr_number
          envs: pr_number
          # deployment script
          script: |
            ls
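The `script:` block above is left as a placeholder (`ls`). What follows is an added example, not code from the original post, of what a practitioner might put there once `pr_number` has been forwarded to the remote shell: it checks that the PR number typed into the workflow_dispatch input is a plain positive integer before using it in a filesystem path, and swaps each PR's files into place atomically so a half-copied tree is never served. The directory layout (a per-PR directory under a preview root plus a `current` symlink), the source directory and the upper bound on the PR number are assumptions. Because the manual dispatch is the only gate between a fork's code and the deploy host, the PR should have been reviewed before its number is entered.

```shell
#!/bin/sh
# Added example for the remote deploy step (not from the original post).
# Assumed layout: files for PR N live in "$root/pr-N"; "$root/current" points at
# the most recently deployed PR.

# The PR number arrives as operator-typed text from a workflow_dispatch input.
# Accept only a plain positive integer (assumed upper bound 999999) so it can be
# safely embedded in a path.
validate_pr_number() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -gt 0 ] && [ "$1" -le 999999 ]
}

# deploy_pr_files <pr_number> <source_dir> <preview_root>
# Copies the downloaded artifact into a staging directory, then renames it into
# place and repoints the "current" symlink. Prints the deployed directory.
deploy_pr_files() {
  pr="$1"; src="$2"; root="$3"
  validate_pr_number "$pr" || { echo "invalid pr number: $pr" >&2; return 1; }
  target="$root/pr-$pr"
  staging="$target.tmp.$$"
  mkdir -p "$staging"
  cp -R "$src"/. "$staging"/
  rm -rf "$target"
  mv "$staging" "$target"
  rm -f "$root/current"
  ln -s "$target" "$root/current"
  echo "$target"
}

# usage inside the ssh step (paths are assumptions):
#   deploy_pr_files "$pr_number" "$HOME/pr_files" /var/www/previews
```

The `case` guard rejects empty input and anything containing a non-digit, so values such as `42abc` or an attempt to smuggle shell metacharacters through the input never reach `rm -rf` or the path. The rename from the staging directory is a single `mv`, so readers of `current` see either the old tree or the complete new one.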
