Limitations of the PR preview GITHUB_TOKEN permission heuristic
#1,572 opened on Apr 30, 2021
Repository metrics
- Stars
- (910 stars)
- PR merge metrics
- (Avg merge 16d 9h) (3 merged PRs in 30d)
Description
The heuristic implemented in #1567 to check whether GITHUB_TOKEN actually has a write permissions does not work in some non-standard configurations. E.g.
- When the destination repository is different from the code repository (e.g. AbstractPlotting deploying to MakieDocumentation).
In those cases, the GITHUB_TOKEN check fails with a warning like
┌ Warning: Unable to verify if PR comes from destination repository
└ @ Documenter ~/.julia/packages/Documenter/6gbbg/src/deployconfig.jl:531
and deploydocs will attempt to deploy, just in case. If that deploy fails, e.g. if it is a PR from a fork, it will throw and likely fail the CI build (so you can still run into #1534).
What would help here are:
- Make the heuristic smarter. Or perhaps not throwing on PR preview deploy failures at all?
- Improve the error message.
Workaround. If you do run into this, a way to avoid spurious CI failures is to do your own check whether deployment should occur in make.jl. For example, if you are anyway using DOCUMENTER_KEY for authentication, you could use this pattern
isempty(get(ENV, "DOCUMENTER_KEY", "")) || deploydocs(...)
to avoid running deploydocs on PRs from forks.