2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
@@ -375,7 +375,7 @@ jobs:
name: Run Fossa
runs-on: ubuntu-latest
needs: install
if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}
if: ${{ github.repository_owner == 'codecov' }}

Bug: FOSSA job fails on fork PRs due to unavailable secrets.FOSSA_API_KEY.
Severity: CRITICAL | Confidence: 0.95

🔍 Detailed Analysis

The FOSSA job will fail when triggered by pull requests originating from forked repositories. This occurs because GitHub Actions intentionally provides an empty string for secrets.FOSSA_API_KEY on pull_request events from forks. The change removed the if: ${{ !github.event.pull_request.head.repo.fork }} condition, allowing the job to run on forks without a valid API key, leading to failure.

💡 Suggested Fix

Implement a mechanism to handle unavailable secrets on fork PRs, such as using pull_request_target, GitHub Environments, FOSSA's push-only API token, or conditional logic to skip the API key step.

🤖 Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.

Location: .github/workflows/ci.yml#L378

Potential issue: The FOSSA job will fail when triggered by pull requests originating from forked repositories. This occurs because GitHub Actions intentionally provides an empty string for `secrets.FOSSA_API_KEY` on `pull_request` events from forks. The change removed the `if: ${{ !github.event.pull_request.head.repo.fork }}` condition, allowing the job to run on forks without a valid API key, leading to failure.

Did we get this right? 👍 / 👎 to inform future reviews.

Reference_id: 2688885

steps:
- name: Checkout
uses: actions/checkout@v4
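Review bot: the replacement condition `if: ${{ github.repository_owner == 'codecov' }}` drops the `!github.event.pull_request.head.repo.fork` guard, and `github.repository_owner` is the owner of the base repository the workflow runs in, so it is also true for pull requests opened from forks; on `pull_request` events from forks `secrets.FOSSA_API_KEY` resolves to an empty string, so the Fossa job will now run on those PRs without a usable key. Restore the guard, e.g. `if: ${{ !github.event.pull_request.head.repo.fork && github.repository_owner == 'codecov' }}`, or otherwise skip the job when no key is available; prefer that over the `pull_request_target` option mentioned in the comment above, which would run the fork's code with the repository's secrets exposed.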