
fix: skip GCP-authenticated CI checks for fork PRs#1287

Open
zeroasterisk wants to merge 1 commit into main from fix/ci-fork-pr-auth

Conversation

@zeroasterisk
Collaborator

Problem

All pull requests from forks currently fail CI with this error:

google-github-actions/auth failed with: GitHub Actions did not inject
$ACTIONS_ID_TOKEN_REQUEST_TOKEN or $ACTIONS_ID_TOKEN_REQUEST_URL into
this job. This most likely means the GitHub Actions workflow permissions
are incorrect, or this job is being run from a fork.

Root Cause

The checks workflow (test_templated_agent.yaml) uses Workload Identity Federation via google-github-actions/auth@v3 to authenticate to GCP project adk-devops. It then pulls a private Docker container from Artifact Registry (europe-west4-docker.pkg.dev/production-ai-template/starter-pack/e2e-tests) to run the lint and test steps.

This authentication requires an OIDC identity token (id-token: write permission), which GitHub Actions only provides to workflow runs from branches within the same repository. For security reasons, GitHub does not inject OIDC tokens into workflows triggered by fork PRs. This is by design — it prevents fork PRs from accessing repository secrets or impersonating the repo's identity.

Impact

Every external contributor's PR fails CI, including:

The failures are not due to code quality issues — the code never gets a chance to be linted or tested. Contributors see a red ❌ with a cryptic GCP auth error, which is confusing and discouraging.

Note: The ruff-checks.yml workflow is not affected — it only uses GITHUB_TOKEN (which works fine on forks) and continues to provide lint feedback on all PRs.

What This PR Does

  1. Detects fork PRs in the discover-changed-agents job by comparing github.event.pull_request.head.repo.full_name against github.repository
  2. Skips the GCP-authenticated test-agent-template job when the PR comes from a fork (via an if condition)
  3. Adds a fork-pr-notice job that runs instead, printing a clear message explaining why the GCP checks were skipped

What Contributors See After This Change

  • Fork PRs: Ruff Format & Lint Suggestions ✅ runs normally, Fork PR Notice ✅ explains the situation, GCP checks are cleanly skipped (no red ❌)
  • Same-repo PRs: No change — all checks run as before with full GCP auth

Security Consideration

This PR does not expose any secrets or credentials to fork PRs. It simply prevents the workflow from attempting (and failing) to authenticate. The OIDC tokens and GCP credentials remain inaccessible to forks.

A maintainer can always re-run the full CI suite by pushing the fork's changes to a branch within this repository if GCP-authenticated testing is needed before merge.

Alternative Approaches Considered

  1. Add contributors with write access — works but doesn't scale for open-source contributions
  2. Use pull_request_target trigger — would give forks access to secrets, which is a known security anti-pattern (see GitHub docs)
  3. Run GCP checks post-merge — delays feedback too long

The approach in this PR (skip + notify) is the standard pattern used across Google open-source projects and is the safest option.

Fork PRs cannot access OIDC tokens due to GitHub Actions security
restrictions. This causes google-github-actions/auth to fail with:

  'GitHub Actions did not inject $ACTIONS_ID_TOKEN_REQUEST_TOKEN'

Instead of failing with a confusing error, this change:
- Detects fork PRs in the discover step
- Skips the GCP-authenticated test-agent-template job for forks
- Adds a fork-pr-notice job with a clear explanation

The Ruff lint/format check (ruff-checks.yml) is unaffected and
continues to run on all PRs since it only needs GITHUB_TOKEN.
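The skip-and-notify pattern described in the PR, written out as an added example workflow. This is not the repository's test_templated_agent.yaml and not the author's code; the job names follow the PR description, while the trigger set, the checkout and test steps, and the Workload Identity Federation provider path and service account are placeholders. The fork check is done in a step rather than inline in the `if:` so the result is a single job output, and the expression values are passed through `env` rather than interpolated into the script body.

```yaml
name: checks

on:
  pull_request:
  push:
    branches: [main]

# id-token: write is what google-github-actions/auth needs. GitHub still
# refuses to mint the OIDC token for a job triggered by a fork PR, so the
# permission alone does not make fork PRs work; the auth step must be skipped.
permissions:
  contents: read
  id-token: write

jobs:
  discover-changed-agents:
    runs-on: ubuntu-latest
    outputs:
      is_fork: ${{ steps.fork.outputs.is_fork }}
    steps:
      - id: fork
        # Passing the values via env avoids expanding ${{ }} inside the
        # script body, so a repository name cannot be used for shell injection.
        env:
          EVENT_NAME: ${{ github.event_name }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.repository }}
        run: |
          # Only a pull_request event carries head.repo; on push HEAD_REPO is
          # empty and would otherwise compare unequal and be mistaken for a fork.
          if [ "$EVENT_NAME" = "pull_request" ] && [ "$HEAD_REPO" != "$BASE_REPO" ]; then
            echo "is_fork=true" >> "$GITHUB_OUTPUT"
          else
            echo "is_fork=false" >> "$GITHUB_OUTPUT"
          fi

  test-agent-template:
    needs: discover-changed-agents
    # Job outputs are strings, so compare against the literal 'true'.
    if: needs.discover-changed-agents.outputs.is_fork != 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/auth@v3
        with:
          # Placeholder values; the real provider and service account are
          # configured in the project's workflow, not here.
          workload_identity_provider: projects/000000000000/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
          service_account: ci@example-project.iam.gserviceaccount.com
      - run: make lint test

  fork-pr-notice:
    needs: discover-changed-agents
    if: needs.discover-changed-agents.outputs.is_fork == 'true'
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "This PR comes from a fork, so GitHub Actions does not issue it an OIDC token."
          echo "The GCP-authenticated checks were skipped, not failed."
          echo "A maintainer can run them by pushing this branch to the main repository."
```

Both dependent jobs `need` discover-changed-agents, which always runs, so exactly one of test-agent-template or fork-pr-notice executes and the other shows as skipped rather than red. The `if:` on the job is evaluated before any step runs, so the auth action never attempts to request a token on a fork PR.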
@google-cla

google-cla bot commented Mar 18, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@zeroasterisk zeroasterisk requested a review from tpryan March 18, 2026 13:19
@zeroasterisk zeroasterisk added the github_actions Pull requests that update GitHub Actions code label Mar 18, 2026
@github-actions

There is a problem with the Gemini CLI PR review. Please check the action logs for details.

