<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:27:01 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3290] PRs from forks cannot be merged due to missing SONAR_TOKEN value</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3290</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;&lt;b&gt;Overview:&lt;/b&gt; PRs from forks of repos built with GitHub Actions cannot be merged due to missing &lt;tt&gt;SONAR_TOKEN&lt;/tt&gt; value. PRs from branches directly on the origin repository are not affected.&lt;br/&gt;
&lt;b&gt;Steps to Reproduce:&lt;/b&gt;&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;Visit &lt;a href=&quot;https://github.com/folio-org/ui-users/pull/1849/checks&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/ui-users/pull/1849/checks&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;Click &quot;Re-run jobs &amp;gt; Re-run all jobs&quot;&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;&lt;b&gt;Expected Results:&lt;/b&gt; Job runs successfully&lt;br/&gt;
&lt;b&gt;Actual Results:&lt;/b&gt; &quot;Run SonarCloud scan&quot; step fails with this output: &lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
Set the SONAR_TOKEN env variable.
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt; 
&lt;p&gt;despite the &lt;a href=&quot;https://github.com/folio-org/ui-users/blob/6946be0bc32c8c188d66368257314d09743014e6/.github/workflows/buildnpm.yml#L148-L150&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;&lt;tt&gt;.github/workflows/buildnpm.yml&lt;/tt&gt;&lt;/a&gt; file containing a setting for this value. &lt;/p&gt;

&lt;p&gt;&lt;b&gt;Interested parties:&lt;/b&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=60c63c6d94692800703e1bb7&quot; class=&quot;user-hover&quot; rel=&quot;60c63c6d94692800703e1bb7&quot; data-account-id=&quot;60c63c6d94692800703e1bb7&quot; accountid=&quot;60c63c6d94692800703e1bb7&quot; rel=&quot;noreferrer&quot;&gt;Christian Cruz&lt;/a&gt;, &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=70121%3A86056e95-01fe-4975-9abf-c91d6d347b08&quot; class=&quot;user-hover&quot; rel=&quot;70121:86056e95-01fe-4975-9abf-c91d6d347b08&quot; data-account-id=&quot;70121:86056e95-01fe-4975-9abf-c91d6d347b08&quot; accountid=&quot;70121:86056e95-01fe-4975-9abf-c91d6d347b08&quot; rel=&quot;noreferrer&quot;&gt;Yasmine Macedo R&lt;/a&gt;, &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=70121%3A5af8933f-d11f-40a7-939b-dcbb547e6dcc&quot; class=&quot;user-hover&quot; rel=&quot;70121:5af8933f-d11f-40a7-939b-dcbb547e6dcc&quot; data-account-id=&quot;70121:5af8933f-d11f-40a7-939b-dcbb547e6dcc&quot; accountid=&quot;70121:5af8933f-d11f-40a7-939b-dcbb547e6dcc&quot; rel=&quot;noreferrer&quot;&gt;Isela Garc&#237;a Bravo&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="82166">FOLIO-3290</key>
            <summary>PRs from forks cannot be merged due to missing SONAR_TOKEN value</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10005" iconUrl="https://dev.folio.org/assets/jira-priority/tbd.svg">TBD</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30">Ankita Sen</assignee>
                                                                <reporter accountid="615afd1cd9820f0070a09ef0">Zak Burke</reporter>
                                    <labels>
                    </labels>
                <created>Thu, 16 Sep 2021 12:16:05 +0000</created>
                <updated>Tue, 26 Oct 2021 08:57:24 +0000</updated>
                            <resolved>Tue, 26 Oct 2021 08:57:24 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>4</watches>
                                                                <comments>
                                                            <comment id="196637" author="712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30" created="Thu, 16 Sep 2021 12:30:35 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=615afd1cd9820f0070a09ef0&quot; class=&quot;user-hover&quot; rel=&quot;615afd1cd9820f0070a09ef0&quot; data-account-id=&quot;615afd1cd9820f0070a09ef0&quot; accountid=&quot;615afd1cd9820f0070a09ef0&quot; rel=&quot;noreferrer&quot;&gt;Zak Burke&lt;/a&gt;&#160;- Is the problem happening only when the repository is forked? The SONAR_TOKEN variable is set as an organisation-level secret so that there is no need to add it to each individual repository. That might be causing this bug. I think it needs to be set, along with all other organisational secrets, by the organisation that forks the repository when the repository is forked.&lt;/p&gt;

&lt;p&gt;There might be a better way to do this as well. I can have a look into it.&lt;/p&gt;</comment>
                                                            <comment id="196640" author="557058:a957226f-df85-4fc8-97f4-8b27a26029ed" created="Thu, 16 Sep 2021 15:32:27 +0000"  >&lt;p&gt;This needs to be fixed ASAP as our code freeze is tomorrow...thanks...&lt;/p&gt;</comment>
                                                            <comment id="196642" author="615afd1cd9820f0070a09ef0" created="Thu, 16 Sep 2021 16:10:45 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; class=&quot;user-hover&quot; rel=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; data-account-id=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; accountid=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; rel=&quot;noreferrer&quot;&gt;Ankita Sen&lt;/a&gt;, &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Aa957226f-df85-4fc8-97f4-8b27a26029ed&quot; class=&quot;user-hover&quot; rel=&quot;557058:a957226f-df85-4fc8-97f4-8b27a26029ed&quot; data-account-id=&quot;557058:a957226f-df85-4fc8-97f4-8b27a26029ed&quot; accountid=&quot;557058:a957226f-df85-4fc8-97f4-8b27a26029ed&quot; rel=&quot;noreferrer&quot;&gt;Holly Mistlebauer&lt;/a&gt;: the easy workaround is for me to just pull down their forked branches and push &apos;em back to origin to create a replacement PR from a branch within &lt;tt&gt;folio-org&lt;/tt&gt;. This works like a charm (git history is correctly preserved) and is not onerous. &lt;/p&gt;

&lt;p&gt;Long term, it&apos;s worth investigating solutions that would allow folks on forks to run their PRs through the whole CI process so they don&apos;t have to rely on somebody within folio-org to test their work. &lt;/p&gt;</comment>
                                                            <comment id="196645" author="712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30" created="Tue, 21 Sep 2021 11:07:30 +0000"  >&lt;p&gt;Update : Following the implementation given in&#160;&lt;a href=&quot;https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This was the best-fitting solution I could find and, coming from the GitHub docs, it seems the most viable.&#160;&lt;/p&gt;</comment>
                                                            <comment id="196646" author="712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30" created="Thu, 23 Sep 2021 13:14:39 +0000"  >&lt;p&gt;Update: The&#160;&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;pull_request_target&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt; has some security issues: it exposes secrets and gives the PR author read/write access to the repository, as described here: &lt;a href=&quot;https://securitylab.github.com/research/github-actions-preventing-pwn-requests/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://securitylab.github.com/research/github-actions-preventing-pwn-requests/&lt;/a&gt;&lt;br/&gt;
Simply implementing it as-is would result in a compromised workflow, because untrusted code from the fork would run with access to those secrets. We still need to find a way to implement it safely.&lt;/p&gt;</comment>
                                                            <comment id="196648" author="712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30" created="Mon, 4 Oct 2021 10:13:42 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=615afd1cd9820f0070a09ef0&quot; class=&quot;user-hover&quot; rel=&quot;615afd1cd9820f0070a09ef0&quot; data-account-id=&quot;615afd1cd9820f0070a09ef0&quot; accountid=&quot;615afd1cd9820f0070a09ef0&quot; rel=&quot;noreferrer&quot;&gt;Zak Burke&lt;/a&gt;&#160;: I have slightly changed the implementation. Now there is an identical workflow called&#160;&lt;em&gt;build-npm-fork&lt;/em&gt;&lt;em&gt;.yml&lt;/em&gt; which will run every time a forked repository creates a pull_request but only after the label &apos;&lt;em&gt;safe fork&apos;&lt;/em&gt;&#160;has been added to it as discussed before. This makes sure that our workflows are not compromised from a security pov. I have added the label&#160;&apos;&lt;em&gt;safe fork&apos;&lt;/em&gt;&#160;in the ui-users repository. Now if one of you could test it, then this is done.&lt;/p&gt;</comment>
                                                            <comment id="196650" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Mon, 4 Oct 2021 14:13:03 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; class=&quot;user-hover&quot; rel=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; data-account-id=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; accountid=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; rel=&quot;noreferrer&quot;&gt;Ankita Sen&lt;/a&gt; we discussed documenting the above on the FOLIO dev website.&lt;/p&gt;</comment>
                                                            <comment id="196652" author="615afd1cd9820f0070a09ef0" created="Tue, 5 Oct 2021 12:02:21 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; class=&quot;user-hover&quot; rel=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; data-account-id=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; accountid=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; rel=&quot;noreferrer&quot;&gt;Ankita Sen&lt;/a&gt;, I did not see the &lt;tt&gt;safe fork&lt;/tt&gt; label in &lt;tt&gt;ui-users&lt;/tt&gt; so I created it, &lt;a href=&quot;https://github.com/folio-org/ui-users/pull/1894&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;opened a PR from a fork&lt;/a&gt;, and added that label. &lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/folio-org/ui-users/pull/1894/checks?check_run_id=3802486679&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;SonarCloud still failed&lt;/a&gt;. I see &lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...
    DEFAULT_BRANCH: master
    GITHUB_TOKEN: ***
    SONAR_TOKEN: 
...
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;which makes it look like &lt;tt&gt;SONAR_TOKEN&lt;/tt&gt; is still not being populated correctly. &lt;/p&gt;</comment>
                                                            <comment id="196654" author="712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30" created="Tue, 5 Oct 2021 12:42:24 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=615afd1cd9820f0070a09ef0&quot; class=&quot;user-hover&quot; rel=&quot;615afd1cd9820f0070a09ef0&quot; data-account-id=&quot;615afd1cd9820f0070a09ef0&quot; accountid=&quot;615afd1cd9820f0070a09ef0&quot; rel=&quot;noreferrer&quot;&gt;Zak Burke&lt;/a&gt;&#160;- The updated workflow is missing in the forked repo because I didn&apos;t merge it with master. Will do so now and hopefully doing so will give us proper results. Once I have merged with the fork workflow, could you update the forked repo and try again?&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;</comment>
                                                            <comment id="196655" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Thu, 14 Oct 2021 13:39:42 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=712020%3A66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; class=&quot;user-hover&quot; rel=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; data-account-id=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; accountid=&quot;712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30&quot; rel=&quot;noreferrer&quot;&gt;Ankita Sen&lt;/a&gt; Just to confirm that we are going to abandon the approach with labels and simply document the limitations for PRs from forks.&lt;/p&gt;</comment>
                                                            <comment id="196659" author="712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30" created="Mon, 25 Oct 2021 11:45:53 +0000"  >&lt;p&gt;I have removed the &lt;em&gt;build-npm-fork.yml&lt;/em&gt; workflow and, instead of a separate workflow, have added the workaround to the &lt;a href=&quot;https://dev.folio.org/guidelines/github-actions-frontend/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;documentation&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I have added &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=61cd0ca0bce5e00069e98be7&quot; class=&quot;user-hover&quot; rel=&quot;61cd0ca0bce5e00069e98be7&quot; data-account-id=&quot;61cd0ca0bce5e00069e98be7&quot; accountid=&quot;61cd0ca0bce5e00069e98be7&quot; rel=&quot;noreferrer&quot;&gt;David Crossley&lt;/a&gt; as reviewer&#160;in &lt;a href=&quot;https://github.com/folio-org/folio-org.github.io/pull/886&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;this&lt;/a&gt;&#160;PR.&lt;/p&gt;</comment>
                                                            <comment id="196662" author="712020:66ff5e1e-556d-4407-89fd-6ed1fe9b6b30" created="Tue, 26 Oct 2021 08:57:24 +0000"  >&lt;p&gt;The limitations and the workaround for this problem have been added to the dev.folio.org &lt;a href=&quot;https://dev.folio.org/guidelines/github-actions-frontend/&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;documentation&lt;/a&gt;. &lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                            <outwardlinks description="blocks">
                                        <issuelink>
            <issuekey id="82123">FOLIO-3272</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10155"><![CDATA[FOLIO DevOps]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i03ci7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="280">DevOps Sprint 123</customfieldvalue>
    <customfieldvalue id="281">DevOps Sprint 124</customfieldvalue>
    <customfieldvalue id="282">DevOps Sprint 125</customfieldvalue>
    <customfieldvalue id="283">DevOps Sprint 126</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 16 Sep 2021 12:30:35 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>