From 0e8dfbd57d6cd5153b67b1b12f3ca7cd3a0198e7 Mon Sep 17 00:00:00 2001 From: Peter Evans <18365890+peter-evans@users.noreply.github.com> Date: Fri, 11 Mar 2022 13:46:10 +0900 Subject: [PATCH] docs: update guidelines --- docs/concepts-guidelines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/concepts-guidelines.md b/docs/concepts-guidelines.md index b3a8fb1..4430fc0 100644 --- a/docs/concepts-guidelines.md +++ b/docs/concepts-guidelines.md 
@@ -144,7 +144,7 @@ Pull requests created by the action using the default `GITHUB_TOKEN` cannot trig There are a number of workarounds with different pros and cons. -- Use the default `GITHUB_TOKEN` and allow the action to create pull requests that have no checks enabled. Manually close pull requests and immediately reopen them. This will enable `on: pull_request` workflows to run and be added as checks. (Adding `draft: true` and a note about a close-and-reopen cycle to the message in `body` may help prevent human merges of pull requests where needed workflows have not yet been run.) +- Use the default `GITHUB_TOKEN` and allow the action to create pull requests that have no checks enabled. Manually close pull requests and immediately reopen them. This will enable `on: pull_request` workflows to run and be added as checks. To prevent merging of pull requests without checks erroneously, use [branch protection rules](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/defining-the-mergeability-of-pull-requests). - Use a `repo` scoped [Personal Access Token (PAT)](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) created on an account that has write access to the repository that pull requests are being created in. This is the standard workaround and [recommended by GitHub](https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token). However, the PAT cannot be scoped to a specific repository so the token becomes a very sensitive secret. If this is a concern, the PAT can instead be created for a dedicated [machine account](https://docs.github.com/en/github/site-policy/github-terms-of-service#3-account-requirements) that has collaborator access to the repository. 
Also note that because the account that owns the PAT will be the creator of pull requests, that user account will be unable to perform actions such as request changes or approve the pull request.
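Review bot: The new sentence in the first bullet ("To prevent merging of pull requests without checks erroneously, use branch protection rules") reads awkwardly and, more importantly, leaves out the condition that makes the advice work: a branch protection rule only blocks a pull request that has no checks if the relevant workflow jobs are configured as *required* status checks by name, in which case GitHub holds the merge until those checks report; with only "require status checks" enabled and no checks marked required, a pull request created with the default `GITHUB_TOKEN` and no checks remains mergeable. Suggest rewording to something like "To prevent pull requests from being merged before their checks have run, configure the relevant workflow jobs as required status checks in branch protection rules" while keeping the link. The removed `draft: true` hint was also useful as a belt-and-braces measure for repositories without branch protection, so consider keeping it as a secondary suggestion rather than dropping it entirely.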