in PR checks Error: Failed to get ID token: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable #184

Open
lectrical opened this issue Dec 11, 2024 · 3 comments

Comments

@lectrical

I was looking to add attestations to jqlang/jq#3220 and it fails in the PR checks but works in the downstream repo.

The error seems to be the same as seen when not providing correct permissions, though they are present.

permissions:
  id-token: write
  contents: read
  attestations: write

https://github.com/jqlang/jq/actions/runs/12267835999/job/34228631988?pr=3220

The changes

https://github.com/jqlang/jq/pull/3220/files

Am I overlooking something here? As in, is this an intended or unintended outcome?

I did not see anything in the README to suggest a solution

https://github.com/actions/attest?tab=readme-ov-file#actionsattest

What is the correct way forward to allow attestations in a PR action check, or should this be avoided?

Thanks in advance.

@bdehamer
Collaborator

I think this is a limitation of the id-token: write permission when operating in a forked repo. There is some more information here which may be useful.

@lectrical
Author

lectrical commented Dec 11, 2024

So it's probably best to have some conditions to skip running on a PR and move on?

I think there is some sense in having PR artifacts attested, but it's probably not as important as release assets.
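
One way to apply the skip-and-move-on idea from the comment above, as an added example that is not from this thread, jqlang/jq, or the actions/attest project: the job checks for the OIDC request variables named in the error message and attests only when the runner provides them. The workflow, job, step and artifact names are assumptions, and actions/attest-build-provenance is used here as the attesting action.

```yaml
# Added example; names and paths are assumptions, not taken from jqlang/jq.
name: build-and-attest
on:
  push:
    branches: [main]
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      attestations: write
    steps:
      - uses: actions/checkout@v4

      - name: Build (placeholder)
        run: |
          mkdir -p dist
          echo "constructed sample artifact" > dist/artifact.txt

      # A pull request from a fork is not granted id-token: write even when
      # the workflow requests it, so the runner does not set the OIDC request
      # variables. Test for them directly instead of inferring from the event.
      - name: Check whether an OIDC token can be requested
        id: oidc
        run: |
          if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && \
             [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
            echo "::notice::No OIDC token endpoint in this run; skipping attestation"
          fi

      # Runs on pushes and same-repository PRs; skipped cleanly on fork PRs.
      - name: Attest build provenance
        if: steps.oidc.outputs.available == 'true'
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/artifact.txt
```

The build and its tests still run on every pull request; only the signing step is skipped, so no elevated trigger or extra secret is needed to keep PR checks green.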

@jsoref

jsoref commented Jan 23, 2025

If you really need to do things, you can, but, it's dangerous. I left an outline in:

Personally, I wouldn't do this. I'd instead have another fork (possibly in a different organization) and have that one be responsible for building and attesting things from untrustworthy sources -- probably by adding an if to the very-dangerous job that skips my owner repository: if: github.repository_owner != 'my-source', and then when I get a PR to my-source/repo, I can make an equivalent PR to my-untrusted-source/repo and let people get artifacts from there.
