For CI/CD-only GitHub mirrors, provide the option to run pipelines on PRs from forks
Problem to solve
As a user running a CI/CD-only mirror of a GitHub project, I am running GitLab pipelines in response to PRs made on the GitHub project. The GitLab pipeline runs and then reports status back to the GitHub PR. However, this workflow only happens when the branch for the GitHub PR is pushed to the main project repository on GitHub; GitLab doesn't run pipelines when the branch for the GitHub PR is on a fork of the main project repository on GitHub. Since 95% of the contributions on the GitHub repository come from forks, I would love a GitLab option that would let me run pipelines when the GitHub PR came from a fork.
Here's the pipeline yaml I put in my GitHub project (which I then mirrored to a GitLab CI/CD only project):
    pr_pipeline:
      only:
        - external_pull_requests
      trigger:
        project: my-gitlab-org/my-pipeline-project
        strategy: depend
That triggers the pipeline defined in my-gitlab-org/my-pipeline-project for every PR created on my GitHub project, as well as every time a branch is pushed on an existing PR. It just doesn't run when the PR comes from a GitHub fork of my project. Instead, I can see in my GitHub webhooks that in response to the "PR opened" payload delivered to my GitLab instance by GitHub, GitLab sent back a 400 response with the body:
{"message":{"base":["Pull requests from fork are not supported"]}}
instead of running a pipeline.
Intended users
I suspect any organization running a CI/CD only mirror of a GitHub project might find this feature useful.
User experience goal
The user should be able to make the decision as to whether they want code from untrusted developers (those creating GitHub PRs from their forks) to run on their GitLab CI infrastructure. So for instance, when creating a new CI/CD-only project from a GitHub mirror, the GitLab CI UI could provide a "Run pipelines on PRs from forks" checkbox that could warn me that by checking the box, I might open myself up to exposing CI secrets to untrusted developers, or that I might run the risk of someone using my runner to mine bitcoin. If I'm willing to accept those risks, then I'm free to check that box.
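The opt-in described above, sketched as an added example (not GitLab's code and not part of the original issue): a handler for GitHub's `pull_request` webhook payload that detects a fork PR and only runs it, without secrets, when the owner has opted in. The payload fields (`action`, `pull_request.head.repo`, `pull_request.base.repo`, `head.sha`) are GitHub's; the `run_fork_pipelines` setting, the `expose_secrets` flag and the sample payloads are hypothetical.

```python
# Error body quoted in the issue for PRs that come from a fork.
FORK_REJECTION = {"message": {"base": ["Pull requests from fork are not supported"]}}
# pull_request actions that change what code a pipeline would run.
HANDLED_ACTIONS = {"opened", "reopened", "synchronize"}


def is_fork_pr(event):
    """True when the PR head lives in a different repository than the base."""
    pr = event["pull_request"]
    head_repo = pr["head"].get("repo")
    if head_repo is None:
        # GitHub sends a null head repo once the fork has been deleted;
        # the origin is unknown, so treat the PR as untrusted.
        return True
    return head_repo["id"] != pr["base"]["repo"]["id"]


def decide(event, run_fork_pipelines=False):
    """Return (http_status, response_body, pipeline_plan or None).

    run_fork_pipelines is the hypothetical per-project opt-in checkbox.
    """
    if event.get("action") not in HANDLED_ACTIONS:
        return 200, {"message": "ignored"}, None
    sha = event["pull_request"]["head"]["sha"]
    if not is_fork_pr(event):
        # Branch pushed to the main repository: trusted, full pipeline.
        return 200, {"message": "pipeline created"}, {"sha": sha, "expose_secrets": True}
    if not run_fork_pipelines:
        # Behaviour reported in the issue: reject fork PRs outright.
        return 400, FORK_REJECTION, None
    # Opted in: run the untrusted code, but never hand it CI secrets.
    return 200, {"message": "pipeline created"}, {"sha": sha, "expose_secrets": False}


def _pr(action, head_repo_id, base_repo_id=1, sha="0" * 40):
    """Build a minimal constructed payload (ids and sha are placeholders)."""
    head = {"sha": sha, "repo": None if head_repo_id is None else {"id": head_repo_id}}
    return {"action": action,
            "pull_request": {"head": head, "base": {"repo": {"id": base_repo_id}}}}


SAME_REPO = _pr("opened", 1)        # constructed: branch on the main repository
FROM_FORK = _pr("synchronize", 2)   # constructed: branch on a contributor's fork
DELETED_FORK = _pr("opened", None)  # constructed: fork removed after the PR opened
```

Comparing repository ids rather than names keeps the check correct if either repository is renamed.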