-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secret created in Upstream Repo instead of Current Repo #4688
Comments
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
@brwilkinson Sorry that this wasn't more clear. GitHub CLI has a concept of a "base repository" where most gh operations should be targeted to, and by default the base repository is the parent of the fork. This isn't always desirable and the way to override it is using Like you pointed out, we should just default to the Ref. #3304 |
Thanks @mislav
Yes that makes the most sense, I haven't tested it very much, however I may not have access to upstream on a fork that I am working on anyway, I guess the secret creation may fail in that case? Anyway, if this is a duplicate feel free to close as such. In the meantime, I will continue to use the workaround. |
This is bad and should be resolved. It makes my CI create releases on the upstream repo where I don't want it because I am only testing it on my personal fork. This should not happen. It should default to origin I think and be an explicit option and documented on the help. |
This fix uses the hidden --release flag of the github cli tool to create a release on the repository on which the pipeline is running and not the one that it was forked from. The github cli tool asks in interactive mode where to create the release but defaults to the upstream which can lead to an unwanted official release during testing as it happened to me. With this fix this tool will default to origin which I assume is the only sensible approach in a pipeline because origin presumably is the one that the pipeline is running on. - cli/cli#4688 - Closes CircleCI-Public#12
This is super confusing, and could cause serious security issues. I was creating secrets in my fork (on my personal fork), and the secrets got uploaded to the original repo (which belongs to my company). |
This fix uses the hidden --release flag of the github cli tool to create a release on the repository on which the pipeline is running and not the one that it was forked from. The github cli tool asks in interactive mode where to create the release but defaults to the upstream which can lead to an unwanted official release during testing as it happened to me. With this fix this tool will default to origin which I assume is the only sensible approach in a pipeline because origin presumably is the one that the pipeline is running on. - cli/cli#4688 - Closes CircleCI-Public#12
Thanks for the feedback, everyone. Since this is tripping up a lot of folks, I will re-label this as a bug so we can handle it accordingly. To clarify: if you were operating from the context of a GitHub fork (e.g. either there is a single Note that right now you can use |
Thank you @mislav - for me this should always be the origin by default (see my commit just above on my own project). |
This fix uses the hidden --release flag of the github cli tool to create a release on the repository on which the pipeline is running and not the one that it was forked from. The github cli tool asks in interactive mode where to create the release but defaults to the upstream which can lead to an unwanted official release during testing as it happened to me. With this fix this tool will default to origin which I assume is the only sensible approach in a pipeline because origin presumably is the one that the pipeline is running on. - cli/cli#4688 - Closes #12 Co-authored-by: Timo Kramer <info@lambdaforge.io>
Thank you for everyone's patience while we discuss this. We decided to remove the "magic" repo resolution from
We believe that such approach would eliminate ambiguity and make it hardly possible for a user to accidentally send secrets to the wrong repository. |
@samcoe @andyfeller is this open for contributions? |
@wingleung : open to revisiting this with @williammartin given that all the former GitHub CLI maintainers involved have left GitHub and moved onto other pursuits. Where is the actual bug?Looking at #4688 (comment), the following logic for resolving the base repository is blindly picking the first remote: Lines 168 to 197 in 4b077da
cli/pkg/cmd/factory/default.go Lines 47 to 55 in 4b077da
Rather than a change in |
another alternative could be to get the remote from the current branch ➜ git rev-parse --abbrev-ref --symbolic-full-name @{u}
origin/add-remote-check-to-secret-and-variable ☝️ we now know the local branch is tracking still kind of seems like magic so I'm leaning towards being more verbose and forcing the user to provide a |
I like the thinking outside of the box while recognizing its magical nature might clash with security concerns of setting secrets in the appropriate place ❤ |
🙏 come to think of it, handling secrets and variables is a repo specific thing, not a branch specific one. So depending on branches might not be a good idea here. Especially for cases where the user creates new local branches |
CLI Feedback
When creating secrets, they were unexpectantly created in an Upstream repo.
So this means that when creating a secret I have to do the following ?
I would prefer it the secret was created in the Repo that I am currently in?!
The text was updated successfully, but these errors were encountered: