Skip Sourcery review job for fork-originated pull requests #517

Merged: kimocoder merged 2 commits into master from copilot/fix-sourcery-workflow-fork-issue, May 21, 2026

Conversation

Copilot AI commented May 21, 2026

Check PR using Sourcery fails on fork PRs because pull_request workflows do not receive repository secrets, so secrets.WIFITE is empty and Sourcery is invoked with a missing --token value. This change prevents the job from running when the PR head repo is not the base repo.

  • Workflow gating

    • Added a job-level condition to review-with-sourcery in .github/workflows/checkpr-sourcery.yml:
      • run only when github.event.pull_request.head.repo.full_name == github.repository
    • Keeps Sourcery active for in-repo PR branches (where secrets are available) and skips fork PRs cleanly.
  • Scope

    • Single-file change: .github/workflows/checkpr-sourcery.yml
    • No other workflow logic or repository files were modified.

jobs:
  review-with-sourcery:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest

Original prompt

The Check PR using Sourcery workflow (.github/workflows/checkpr-sourcery.yml) fails on pull requests from forks with:

Error: Option '--token' requires an argument.
##[error]Process completed with exit code 2.

Cause

The workflow uses on: pull_request and passes token: ${{ secrets.WIFITE }} to the sourcery-ai/action@v1 step. GitHub Actions does not expose repository secrets to workflows triggered by pull_request events from forked repositories, so secrets.WIFITE resolves to an empty string. The Sourcery action then invokes its CLI with --token followed by no value, causing the error above. This is currently breaking PRs such as #510 (from a fork).

Fix (Option 1 — skip on fork PRs)

Add a job-level if condition so the Sourcery review job only runs when the PR head repository is the same as the base repository (i.e., not a fork), where secrets are available.

Update .github/workflows/checkpr-sourcery.yml to:

name: Check PR using Sourcery
permissions:
  contents: read

on: pull_request

jobs:
  review-with-sourcery:
    # Secrets are not available for PRs from forks, so skip Sourcery in that case.
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0

      - uses: actions/setup-python@v6.2.0
        with:
          python-version: '3.11'

      - uses: sourcery-ai/action@v1
        with:
          token: ${{ secrets.WIFITE }}
          diff_ref: ${{ github.event.pull_request.base.sha }}

Acceptance criteria

  • Only .github/workflows/checkpr-sourcery.yml is modified.
  • The review-with-sourcery job has an if: expression that skips it when the PR head repo is not the same as the base repo.
  • No other workflow changes, no formatting changes elsewhere.
  • YAML is valid and the workflow continues to run for PRs from branches within kimocoder/wifite2.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: How to fix the sourcery workflow?

Assistant: The Sourcery workflow is failing with:

Error: Option '--token' requires an argument.
##[error]Process completed with exit code 2.

Root cause

In .github/workflows/checkpr-sourcery.yml the action is invoked with:

token: ${{ secrets.WIFITE }}

The secret WIFITE is empty (or unavailable in this context), so the Sourcery action ends up calling its CLI with --token followed by no value, which causes the "Option '--token' requires an argument" error.

There are two common reasons the secret resolves to an empty string:

  1. The secret doesn't exist in the repository (or it's named differently — Sourcery's docs use SOURCERY_TOKEN).
  2. The PR comes from a fork. Secrets are not exposed to workflows triggered by pull_request events from forks, so ${{ secrets.WIFITE }} is empty. PR #510 ("Improve cracking command output and config defaults") is from a fork (Ashcal9669:master → kimocoder:master), which is exactly the case here.

How to fix it

Pick one of these approaches:

Option 1 — Skip Sourcery on fork PRs (recommended, simplest)

Guard the job so it doesn't run when no token is available:

name: Check PR using Sourcery
permissions:
  contents: read

on: pull_request

jobs:
  review-with-sourcery:
    # Only run for PRs from the same repo (where secrets are available)
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0

      - uses: actions/setup-python@v6.2.0
        with:
          python-version: '3.11'

      - uses: sourcery-ai/action@v1
        with:
          token: ${{ secrets.WIFITE }}
          diff_ref: ${{ github.event.pull_request.base.sha }}

You can also add a step-level guard if: env.TOKEN != '' if you'd rather keep the job running for other steps.

Option 2 — Use pull_request_target so secrets are available

Replace on: pull_request with on: pull_request_target. ⚠️ This exposes secrets to PRs from forks, so do not check out and execute untrusted PR code. For Sourcery (which only reads the diff) this is generally safe, but be careful if you add other steps.

Option 3 — Verify the secret exists and is named correctly

Go to Settings → Secrets and variables → Actions in kimocoder/wifite2 and confirm a secret named WIFITE exists and contains a valid Sourcery token. The Sourcery docs suggest naming it SOURCERY_TOKEN; if you rename it, update the workflow accordingly:

token: ${{ secrets.SOURCERY_TOKEN }}

For PR #510 specifically, the workflow will keep failing until either (a) the workflow is changed to skip fork PRs (Option 1), or (b) it's switched to pull_request_target (Option 2). Even if the WIFITE secret is valid, it will never be injected into a PR coming from a fork und...

This pull request was created from Copilot chat.
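
The step-level guard mentioned under Option 1, written out as an added example (not part of this PR or the repository's workflow). The secrets context cannot be referenced directly in a step-level if:, so this variant exposes only a true/false flag through a job-level env variable instead of the token itself; the name HAS_TOKEN and the final logging step are assumptions.

```yaml
name: Check PR using Sourcery
permissions:
  contents: read

on: pull_request

jobs:
  review-with-sourcery:
    runs-on: ubuntu-latest
    env:
      # Job-level env may read the secrets context; step-level `if:` may not.
      # Only the string 'true' or 'false' is exported, so the token value is
      # not placed in the environment of every step.
      # HAS_TOKEN is a hypothetical name chosen for this example.
      HAS_TOKEN: ${{ secrets.WIFITE != '' }}
    steps:
      - uses: actions/checkout@v6.0.2
        with:
          fetch-depth: 0

      - uses: actions/setup-python@v6.2.0
        with:
          python-version: '3.11'

      # Runs only when the secret was injected (same-repo PR, secret defined).
      - uses: sourcery-ai/action@v1
        if: env.HAS_TOKEN == 'true'
        with:
          token: ${{ secrets.WIFITE }}
          diff_ref: ${{ github.event.pull_request.base.sha }}

      # On fork PRs (or when the secret is missing) record the skip in the
      # job log so the check passes without invoking the CLI with no token.
      - name: Note skipped review
        if: env.HAS_TOKEN != 'true'
        run: echo "Sourcery token unavailable (fork PR or missing secret); review skipped."
```

Unlike the job-level condition merged here, this form keeps the job running on fork PRs and also covers the case where the secret is simply not defined.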

Copilot AI changed the title from "[WIP] Fix Sourcery action for forked pull requests" to "Skip Sourcery review job for fork-originated pull requests" on May 21, 2026
Copilot AI requested a review from kimocoder, May 21, 2026 15:41
kimocoder marked this pull request as ready for review, May 21, 2026 15:42
Copilot AI review requested due to automatic review settings, May 21, 2026 15:43
kimocoder merged commit 4da34e1 into master, May 21, 2026
16 checks passed
kimocoder deleted the copilot/fix-sourcery-workflow-fork-issue branch, May 21, 2026 15:43

Copilot AI left a comment

Pull request overview

This PR updates the Sourcery PR-check workflow to avoid running on fork-originated pull requests, where repository secrets are not available and the Sourcery action fails due to a missing token.

Changes:

  • Added a job-level if: condition to run review-with-sourcery only when the PR head repository matches the base repository.
  • Documented the reason for the condition with an inline comment.
