push-to-fork won't push to sibling repos in the same network

Subject of the issue

Consider a setup where a repo upstream/repo has a workflow w that creates PRs to upstream/repo, but w should run without write access to upstream/repo. To achieve this, there's an unprivileged bot account bot with a fork of upstream/repo (bot/repo) and upstream/repo has a Personal Access Token for bot in its secrets. w runs with no permissions (permissions: {contents: none}), uses the bot credential to check out upstream/repo, and uses push-to-fork to submit PRs from a bot/repo branch.

Now I'd like to modify w and test my changes. I think these are my options:

  1. Fork upstream/repo to bgilbert/repo, set up my fork with a PAT for bot (or for a separate bot-staging account, to avoid testing with the prod account), and run the workflow. This fails with:
     Error: Repository 'bot/repo' is not a fork of 'bgilbert/repo'. Unable to continue.
  2. When testing w, disable push-to-fork and set permissions: {contents: write, pull-requests: write}, so that PRs to bgilbert/repo are created from branches in bgilbert/repo. This is what I've been doing, but as a result I'm testing w with more permissions than it'll have in production. I've definitely pushed broken code to prod as a result of this.
  3. Create my own bgilbert-bot account containing a fork of bgilbert/repo. This lets me test with an environment similar to prod, but requires me to have a second GitHub account for testing, and accounts are pretty heavyweight. If w has multiple developers, they each need their own bot account (or to share an account but constantly delete and recreate its fork), since an account can't have multiple forks of forks of upstream/repo.

Could the "is not a fork of" test be removed? GitHub doesn't require it; any repo in the network of upstream/repo can send PRs to any other repo in the network.

Steps to reproduce

I don't have a minimized reproducer handy, but could create one if needed.
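
The difference between a strict "is a fork of" test and the same-network test proposed in this issue, as an added example that is not part of the original report and is not the action's own code. It assumes repository metadata shaped like GitHub REST API repository objects (`full_name`, `fork`, `parent`, `source`); the sample records are constructed from the repository names in the report, and the function names are hypothetical.

```javascript
// Constructed sample metadata (not fetched from GitHub), shaped like REST API
// repository objects: forks carry `parent` (the repo they were forked from)
// and `source` (the root of the fork network); non-forks carry neither.
const repos = {
  'upstream/repo': { full_name: 'upstream/repo', fork: false },
  'bgilbert/repo': { full_name: 'bgilbert/repo', fork: true,
    parent: { full_name: 'upstream/repo' }, source: { full_name: 'upstream/repo' } },
  'bot/repo': { full_name: 'bot/repo', fork: true,
    parent: { full_name: 'upstream/repo' }, source: { full_name: 'upstream/repo' } },
  'bgilbert-bot/repo': { full_name: 'bgilbert-bot/repo', fork: true,
    parent: { full_name: 'bgilbert/repo' }, source: { full_name: 'upstream/repo' } },
  'other/project': { full_name: 'other/project', fork: false },
};

// GitHub owner and repository names are case-insensitive.
const norm = (name) => name.toLowerCase();

// Strict test implied by the error message: head must be a direct fork of base.
function isDirectForkOf(head, base) {
  return head.fork === true && Boolean(head.parent) &&
    norm(head.parent.full_name) === norm(base.full_name);
}

// Root of a repo's fork network: `source` for a fork, the repo itself otherwise.
function networkRoot(repo) {
  return norm(repo.fork && repo.source ? repo.source.full_name : repo.full_name);
}

// Relaxed test: head and base only need to share a network root.
function inSameNetwork(head, base) {
  return networkRoot(head) === networkRoot(base);
}

// Evaluate both tests for a push-to-fork (head) and PR target (base) pair.
function compareChecks(headName, baseName) {
  const head = repos[headName];
  const base = repos[baseName];
  if (!head || !base) throw new Error(`unknown repository: ${headName} or ${baseName}`);
  return { directFork: isDirectForkOf(head, base), sameNetwork: inSameNetwork(head, base) };
}

// Option 1 from the report: siblings fail the strict test but share a network.
console.log(compareChecks('bot/repo', 'bgilbert/repo'));
```

An unrelated repository such as the constructed `other/project` fails both tests, so the relaxed test still rejects a head repository outside the base's network.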