Document fork PR uploads via public repo identifier#596
Document fork PR uploads via public repo identifier#596
Conversation
Adds a Flaky Tests page explaining how to upload test results and fetch the quarantine list from pull requests opened from forks, where GitHub does not expose repository secrets to workflow runs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
Merging to
After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here |
|
Claude finished @mmatheson's task in 2m 21s —— View job Review complete
SummaryThe new Three non-blocking suggestions posted as inline comments:
No blocking issues. The page is ready to merge once the test plan items are verified (especially confirming |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
|
|
||
| Repositories that accept pull requests from forks — most commonly open-source projects on GitHub — face a CI limitation: **workflow runs triggered from a fork do not have access to the upstream repository's secrets.** In those runs, `secrets.TRUNK_API_TOKEN` is empty, the [Trunk Analytics CLI](uploader.md) cannot authenticate, and the upload fails. | ||
|
|
||
| To support these workflows, Trunk provides a **public repo identifier** that you embed directly in your workflow YAML. The Trunk backend uses it to route requests to your repository without an API token. This lets fork PRs upload test results and check the quarantine list, the same as PRs opened from a branch on the upstream repo. |
There was a problem hiding this comment.
Minor phrasing nit: "the same as PRs opened from a branch on the upstream repo" is slightly awkward as a trailing clause.
| To support these workflows, Trunk provides a **public repo identifier** that you embed directly in your workflow YAML. The Trunk backend uses it to route requests to your repository without an API token. This lets fork PRs upload test results and check the quarantine list, the same as PRs opened from a branch on the upstream repo. | |
| To support these workflows, Trunk provides a **public repo identifier** that you embed directly in your workflow YAML. The Trunk backend uses it to route requests to your repository without an API token. This lets fork PRs upload test results and check the quarantine list, just like PRs opened from a branch on the upstream repo. |
|
|
||
| ### Enable the identifier | ||
|
|
||
| 1. In the Trunk app, go to **Settings → Repositories →** _**your repo**_ **→ Flaky Tests**. |
There was a problem hiding this comment.
The navigation path formatting is inconsistent with the rest of the docs. For example, quarantining.md uses > as the separator and plain text for placeholder values:
**Settings** > **Repositories** > repository > **Flaky Tests**
This page uses → arrows and _**your repo**_ (italic + bold). Consider aligning with the existing convention:
| 1. In the Trunk app, go to **Settings → Repositories →** _**your repo**_ **→ Flaky Tests**. | |
| 1. In the Trunk app, go to **Settings** > **Repositories** > your repo > **Flaky Tests**. |
|
|
||
| To verify the fallback is working, open a pull request from a fork. The upload step should complete successfully, and the run should appear on the **Flaky Tests** dashboard for the upstream repository within a few minutes. | ||
|
|
||
| If you call the [Trunk Analytics CLI](uploader.md) directly instead of through the action, pass `--public-repo-id` alongside `--token`. The CLI applies the same fallback rule. |
There was a problem hiding this comment.
This mentions the CLI flag but doesn't show a concrete example, whereas the action usage above has a full YAML snippet. Adding an example would make this section more useful:
| If you call the [Trunk Analytics CLI](uploader.md) directly instead of through the action, pass `--public-repo-id` alongside `--token`. The CLI applies the same fallback rule. | |
| If you call the [Trunk Analytics CLI](uploader.md) directly instead of through the action, pass `--public-repo-id` alongside `--token`. The CLI applies the same fallback rule. | |
| ```bash | |
| trunk-analytics-cli upload \ | |
| --junit-paths "./target/junit-*.xml" \ | |
| --org-url-slug <TRUNK_ORG_SLUG> \ | |
| --token "$TRUNK_API_TOKEN" \ | |
| --public-repo-id abcd1234 |
|
|
||
| Repositories that accept pull requests from forks — most commonly open-source projects on GitHub — face a CI limitation: **workflow runs triggered from a fork do not have access to the upstream repository's secrets.** In those runs, `secrets.TRUNK_API_TOKEN` is empty, the [Trunk Analytics CLI](uploader.md) cannot authenticate, and the upload fails. | ||
|
|
||
| To support these workflows, Trunk provides a **public repo identifier** that you embed directly in your workflow YAML. The Trunk backend uses it to route requests to your repository without an API token. This lets fork PRs upload test results and check the quarantine list, the same as PRs opened from a branch on the upstream repo. |
There was a problem hiding this comment.
Minor phrasing nit: "the same as PRs opened from a branch on the upstream repo" is slightly awkward as a trailing clause.
| To support these workflows, Trunk provides a **public repo identifier** that you embed directly in your workflow YAML. The Trunk backend uses it to route requests to your repository without an API token. This lets fork PRs upload test results and check the quarantine list, the same as PRs opened from a branch on the upstream repo. | |
| To support these workflows, Trunk provides a **public repo identifier** that you embed directly in your workflow YAML. The Trunk backend uses it to route requests to your repository without an API token. This lets fork PRs upload test results and check the quarantine list, just like PRs opened from a branch on the upstream repo. |
|
|
||
| ### Enable the identifier | ||
|
|
||
| 1. In the Trunk app, go to **Settings → Repositories →** _**your repo**_ **→ Flaky Tests**. |
There was a problem hiding this comment.
The navigation path formatting is inconsistent with the rest of the docs. For example, quarantining.md uses > as the separator and plain text for placeholder values:
**Settings** > **Repositories** > repository > **Flaky Tests**
This page uses → arrows and _**your repo**_ (italic + bold). Consider aligning with the existing convention:
| 1. In the Trunk app, go to **Settings → Repositories →** _**your repo**_ **→ Flaky Tests**. | |
| 1. In the Trunk app, go to **Settings** > **Repositories** > your repo > **Flaky Tests**. |
|
|
||
| To verify the fallback is working, open a pull request from a fork. The upload step should complete successfully, and the run should appear on the **Flaky Tests** dashboard for the upstream repository within a few minutes. | ||
|
|
||
| If you call the [Trunk Analytics CLI](uploader.md) directly instead of through the action, pass `--public-repo-id` alongside `--token`. The CLI applies the same fallback rule. |
There was a problem hiding this comment.
This mentions the CLI flag but doesn't show a concrete example, whereas the action usage above has a full YAML snippet. Adding an example would make this section more useful:
| If you call the [Trunk Analytics CLI](uploader.md) directly instead of through the action, pass `--public-repo-id` alongside `--token`. The CLI applies the same fallback rule. | |
| If you call the [Trunk Analytics CLI](uploader.md) directly instead of through the action, pass `--public-repo-id` alongside `--token`. The CLI applies the same fallback rule. | |
| ```bash | |
| trunk-analytics-cli upload \ | |
| --junit-paths "./target/junit-*.xml" \ | |
| --org-url-slug <TRUNK_ORG_SLUG> \ | |
| --token "$TRUNK_API_TOKEN" \ | |
| --public-repo-id abcd1234 |
The CLI fetches the quarantine list via /v1/metrics/getQuarantineConfig on fork-PR runs, not /v1/flaky-tests/list-quarantined-tests. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
|
Claude finished @mmatheson's task in 1m 11s —— View job Review complete
SummaryThis re-review was triggered by the follow-up commit ( The Three previously-noted non-blocking suggestions remain open:
No blocking issues. The page is ready to merge once the test plan items are verified (especially confirming |
|
Claude finished @samgutentag's task in 1m 37s —— View job Review complete
SummaryThis synchronize event was triggered by the merge of No new issues were introduced. The three previously-noted non-blocking suggestions remain open:
No blocking issues. The page is ready to merge once the test plan items are verified — particularly that the action input ( |
|
Verification status (2026-05-06): Eng PR not merged. Hold.
Branch state: up to date with main. Suggested next action: hold until trunk2#3908 (and related analytics-cli/monolith work) merges. Re-run after merge. |
2 participants
Summary
flaky-tests/forked-pull-requests.mdcovering how to upload test results and check the quarantine list from PRs opened from forked repos, where GitHub workflow runs cannot read repository secrets.public-repo-idto thetrunk-io/analytics-uploaderstep alongside the existing token.401), the limited scope (uploads + quarantine list only — Merge Queue still requires a token), and a short troubleshooting table.summary.mdbetween Quarantine Service Availability and Pull request comments.Test plan
uploader.mdandquarantining.mdresolve.public-repo-id) and CLI flag (--public-repo-id) match the shipped names intrunk-io/analytics-uploaderandtrunk-analytics-cli.🤖 Generated with Claude Code