Skip to content

Revert label & env based external contributor CI workflows #181

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ghostwriternr merged 2 commits into from
Oct 31, 2025
Merged

Revert label & env based external contributor CI workflows #181

ghostwriternr merged 2 commits into from
Oct 31, 2025

Conversation

@ghostwriternr
Copy link
Member

@ghostwriternr ghostwriternr commented Oct 31, 2025

No description provided.

@ghostwriternr ghostwriternr self-assigned this Oct 31, 2025
@changeset-bot
Copy link

changeset-bot bot commented Oct 31, 2025

⚠️ No Changeset found

Latest commit: b8dc1f6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@ghostwriternr ghostwriternr merged commit 17d2a4d into main Oct 31, 2025
6 of 8 checks passed
@ghostwriternr ghostwriternr deleted the revert-env-ci branch October 31, 2025 12:07
@claude
Copy link
Contributor

claude bot commented Oct 31, 2025

Claude Code Review

Critical Issue: External PR workflows will break

This PR reverts from pull_request_target to pull_request, which will break CI for external contributors:

The Problem

  1. pullrequest.yml requires CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID for E2E tests (.github/workflows/pullrequest.yml:138-139, :164-165)
  2. pkg-pr-new.yml requires DOCKER_HUB_USERNAME and DOCKER_HUB_ACCESS_TOKEN (.github/workflows/pkg-pr-new.yml:72-73)
  3. claude-code-review.yml requires ANTHROPIC_API_KEY (.github/workflows/claude-code-review.yml:35)

With pull_request, external forks cannot access repository secrets, so these workflows will fail immediately for any external contributor.

Two Options

Option A: Keep pull_request_target with environment approval (previous approach)

  • Pros: Workflows work for external contributors after manual approval
  • Cons: Requires manual gate-keeping

Option B: Accept broken external contributor workflows (this PR)

  • Pros: No manual approval needed for internal PRs
  • Cons: External contributors can't run CI at all - maintainers must checkout and test locally

Recommendation

If the project accepts external contributions, revert this change and keep the external-pr environment approval system. It's the only way to safely give external PRs access to secrets.

If external contributions are rare/not expected, this PR is acceptable but should document that external PRs won't have CI feedback.

@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025
edited
Loading

🐳 Docker Image Published

FROM cloudflare/sandbox:0.0.0-pr-181-5c049f9

Version: 0.0.0-pr-181-5c049f9

You can use this Docker image with the preview package from this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@ghostwriternr ghostwriternr

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ghostwriternr