Possibility to run safe-settings as GitHub Action?

[martinm82]

Prerequisites:

• Is the functionality available in the GitHub UI? If so, please provide a link to information about the feature.

• Is the functionality available through the GitHub API? If the functionality is available, please provide links to the
  API documentation (https://developer.github.com/v3/) as well as the Octokit documentation (https://octokit.github.io/).

• If the functionality is not yet available in the API, it would be helpful if you
  contacted support (https://support.github.com/) or posted in the Community Forum (https://github.community/). Please
  include a link to the forum post if you create one or a copy of the response from support.

New Feature

Based on the Probot docs there is an GitHub Action adapter which should allow running Probot apps as Actions. Would this be possible as well with safe-settings?

https://probot.github.io/docs/deployment/#github-actions

[niraj8]

There are 2 ways I think we could run this in Github Actions

• On a schedule that does a full reconciliation , i.e. check that all settings across all repositories in the org match the desired settings from the admin repo, similar to [Question] Safe-settings cron with lambda via serverless #313
• Trigger a GH workflow that runs safe-settings app with the webhook payload event to a Github workflow with inputs in workflow_dispatch [example]

[dolan-a]

I have a prototype of this on my repo fork, which adds a new script for calling syncInstallation (if people like this approach, I can open a PR, but I'll have to separate it from my changes on #588 update: PR opened in #604):

diff --git a/full-sync.js b/full-sync.js
new file mode 100644
index 0000000..7881056
--- /dev/null
+++ b/full-sync.js
@@ -0,0 +1,6 @@
+const { createProbot } = require('probot')
+const appFn = require('./')
+
+const probot = createProbot()
+const app = appFn(probot, {})
+app.syncInstallation()
diff --git a/package.json b/package.json
index 6bfb4ce..624f429 100644
--- a/package.json
+++ b/package.json
@@ -7,6 +7,7 @@
   "scripts": {
     "dev": "nodemon --inspect",
     "start": "probot run ./index.js",
+    "full-sync": "node ./full-sync.js",
     "test": "npm-run-all --print-label --parallel lint:* --parallel test:*",
     "lint:es": "eslint .",
     "lint:js": "standard",

To use this as an action, I pull the safe-settings code, pass along the env secrets via GitHub secrets, and run in as the action:

name: Safe Settings Sync
on:
  schedule:
    # daily run:
    - cron:  '0 0 * * *'
  workflow_dispatch: {}

jobs:
  safeSettingsSync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: pydolan/safe-settings
          ref: gha-runner
      - uses: actions/setup-node@v4
      - run: npm install
      - run: npm run full-sync
        env:
          GH_ORG: my-org
          APP_ID: my-app-id
          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
          GITHUB_CLIENT_ID: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
          GITHUB_CLIENT_SECRET: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}

Regarding Probot's GHA Adapter -- I initially used this in my separate script (similar to what handler.js does with the Serverless adapter), but this adapter uses the Action's GITHUB_TOKEN, which is limited to the current repo, so it offers no benefit that I can see.

Regarding my use of actions/checkout -- I would prefer to run safe-settings as an action using the Dockerfile, but GHA targets a different WORKDIR when doing so. There's an open issue about allowing workdir overrides with GHA.

[beatngu13]

There's now documentation on how to run GitHub Safe-Settings via GitHub Actions, at least for a full-sync:

https://github.com/github/safe-settings/blob/main-enterprise/docs/github-action.md

[paddyroddy]

If still unclear, I've got it working in practice https://github.com/UCL-MIRSG/.github/blob/main/.github/workflows/safe-settings.yaml.

[beatngu13]

@paddyroddy even with Renovate Custom Manager – thank you! 🙏

[paddyroddy]

@paddyroddy even with Renovate Custom Manager – thank you! 🙏

No problem, I will add docs to the README here soon 😅 spent a fair bit of time debugging beforehand

[riprasad]

@paddyroddy Thank you for sharing a working example — it was very helpful!

Couple of Questions:

• What's the purpose of using renovate in conjunction with safe-settings?
• Do you know if we can run the GHA workflow in NOP mode?

[beatngu13]

What's the purpose of using renovate in conjunction with safe-settings?

In our case, Renovate makes sure that the GHA workflow gets updated when a new GH Safe-Settings version is available.

[paddyroddy]

• What's the purpose of using renovate in conjunction with safe-settings?

As @beatngu13 said, I want the SAFE_SETTINGS_VERSION: 2.1.14 version to keep up-to-date. If it was a traditional GHA then @renovatebot supports it natively with the @vx bit. I've set up a regex to maintain this environment variable.

• Do you know if we can run the GHA workflow in NOP mode?

Sorry, I'm not sure what you mean by NOP here.

[riprasad]

@paddyroddy Thanks for explaining the use of renovate!

Sorry, I'm not sure what you mean by NOP here.

It's kind of a dry run which also produces a report. See here

In that set up, when changes happen to the settings files and there is a PR for merging the changes back to the default branch in the admin repo, safe-settings will run checks – which will run in nop mode and produce a report of the changes that would happen, including the API calls and the payload.

I saw that you’ve set your safe-settings workflow to trigger on the pull request event. I tried the same, assuming the workflow would be a dry run when triggered by a pull request. However, it turns out the changes are applied directly instead of just being a dry run.

[paddyroddy]

I saw that you’ve set your safe-settings workflow to trigger on the pull request event. I tried the same, assuming the workflow would be a dry run when triggered by a pull request. However, it turns out the changes are applied directly instead of just being a dry run.

I have found this too. I assume it might be a bug? In theory, I have them turned on https://github.com/UCL-MIRSG/.github/blob/4695e545829b91dcddc6e36358454bc4a879f751/.github/workflows/safe-settings.yaml#L59C11-L59C34