New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore: run CI on PRs from forks #399
Conversation
Codecov Report
@@ Coverage Diff @@
## master #399 +/- ##
=======================================
Coverage 93.85% 93.85%
=======================================
Files 1 1
Lines 586 586
=======================================
Hits 550 550
Misses 36 36
Flags with carried forward coverage won't be shown. Click here to find out more. Continue to review full report at Codecov.
|
on: | ||
push: | ||
branches: | ||
- master |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Weird. We always used to run on pull requests. When did we stop doing that, @mroderick? I don't claim to remember the specifics, but AFAIK we decided not to run the saucelabs tests on prs to avoid the risk of the credentials being exposed. Someone could do P.S. Didn't get the reference to 398. |
No CI runs there since it's from a fork |
Yeah I agree running CI on forks is a bit dangerous - I think PRs whose author has the commit bit or PRs with a specific GitHub label (since only project members can add those) might be a good tradeoff? |
Note that GH by default doesn't run CI for people who are first time contributors (https://github.blog/changelog/2021-04-22-github-actions-maintainers-must-approve-first-time-contributor-workflow-runs/) if that helps. The current situation is not really tenable as it places the burden of testing everything CI does on the person merging a PR |
OK, if that is the case, then I think this should merge. I think we should do the same with Sinon TBH. Should some pre-approved committer then expose those credentials, it is always possible to create a new token. |
Oh, and ref people logging out the secret
|
@SimenB the thing is - either browser tests run or don't run on CI.
Worst case like Carl said - the secret leaks and we'll replace the token - it's just a saucelabs account not the npm publish token :) |
Purpose (TL;DR) - mandatory
CI is not running - see #398