Possibility to run safe-settings as GitHub Action? #378

Open
martinm82 opened this issue Jan 11, 2023 · 2 comments
Labels
enhancement New feature or request

Comments

@martinm82
Contributor

Prerequisites:

  • Is the functionality available in the GitHub UI? If so, please provide a link to information about the feature.

New Feature

Based on the Probot docs there is a GitHub Action adapter which should allow running Probot apps as Actions. Would this be possible as well with safe-settings?

https://probot.github.io/docs/deployment/#github-actions

@martinm82 martinm82 added the enhancement New feature or request label Jan 11, 2023
@niraj8
Contributor

niraj8 commented Feb 27, 2023

There are 2 ways I think we could run this in GitHub Actions

  • On a schedule that does a full reconciliation, i.e. check that all settings across all repositories in the org match the desired settings from the admin repo, similar to [Question] Safe-settings cron with lambda via serverless #313
  • Trigger a GH workflow that runs safe-settings app with the webhook payload event to a GitHub workflow with inputs in workflow_dispatch [example]

@pydolan
Contributor

pydolan commented Feb 28, 2024

I have a prototype of this on my repo fork, which adds a new script for calling syncInstallation (if people like this approach, I can open a PR, but I'll have to separate it from my changes on #588; update: PR opened in #604):

diff --git a/full-sync.js b/full-sync.js
new file mode 100644
index 0000000..7881056
--- /dev/null
+++ b/full-sync.js
@@ -0,0 +1,6 @@
+const { createProbot } = require('probot')
+const appFn = require('./')
+
+const probot = createProbot()
+const app = appFn(probot, {})
+app.syncInstallation()
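
Review bot: app.syncInstallation() on the last line of full-sync.js is called without awaiting or handling its result, so if it returns a promise, a failed sync surfaces only through Node's default unhandled-rejection behaviour, with no message saying the sync failed. For a job whose purpose is to catch settings drift, fail loudly and explicitly, for example `app.syncInstallation().catch(err => { console.error(err); process.exit(1) })`. A short comment on why appFn(probot, {}) can be given an empty options object would also help the next reader.
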
diff --git a/package.json b/package.json
index 6bfb4ce..624f429 100644
--- a/package.json
+++ b/package.json
@@ -7,6 +7,7 @@
   "scripts": {
     "dev": "nodemon --inspect",
     "start": "probot run ./index.js",
+    "full-sync": "node ./full-sync.js",
     "test": "npm-run-all --print-label --parallel lint:* --parallel test:*",
     "lint:es": "eslint .",
     "lint:js": "standard",
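
Review bot: the new "full-sync" entry in scripts invokes node directly while "start" goes through probot run, and nothing in the patch documents the difference or when to use which. A README entry describing what npm run full-sync does and what configuration it expects would keep the two entry points from being confused.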

To use this as an action, I pull the safe-settings code, pass along the env secrets via GitHub secrets, and run it as the action:

name: Safe Settings Sync
on:
  schedule:
    # daily run:
    - cron:  '0 0 * * *'
  workflow_dispatch: {}

jobs:
  safeSettingsSync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: pydolan/safe-settings
          ref: gha-runner
      - uses: actions/setup-node@v4
      - run: npm install
      - run: npm run full-sync
        env:
          GH_ORG: my-org
          APP_ID: my-app-id
          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
          GITHUB_CLIENT_ID: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
          GITHUB_CLIENT_SECRET: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}

Regarding Probot's GHA Adapter -- I initially used this in my separate script (similar to what handler.js does with the Serverless adapter), but this adapter uses the Action's GITHUB_TOKEN, which is limited to the current repo, so it offers no benefit that I can see.

Regarding my use of actions/checkout -- I would prefer to run safe-settings as an action using the Dockerfile, but GHA targets a different WORKDIR when doing so. There's an open issue about allowing workdir overrides with GHA.
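
The workflow above supplies APP_ID and PRIVATE_KEY instead of relying on the Action's GITHUB_TOKEN. As an added illustration (not code from this thread, safe-settings or Probot), the block below shows what those two values are for in GitHub App authentication: signing a short-lived RS256 JWT that is then exchanged for an installation token. The key pair, app id and installation id are constructed sample values, and createAppJwt, verifyAppJwt and installationTokenRequest are hypothetical helper names.

```javascript
// Added example (not from the thread): the credential chain behind APP_ID + PRIVATE_KEY.
const crypto = require('node:crypto')

// Constructed throwaway key pair standing in for the app's real private key.
const sampleKeys = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' }
})

const b64url = (value) => Buffer.from(value).toString('base64url')

// Build the short-lived RS256 JWT a GitHub App uses to authenticate as itself.
function createAppJwt (appId, privateKeyPem, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))
  const claims = b64url(JSON.stringify({
    iat: now - 60, // backdated to tolerate clock drift
    exp: now + 9 * 60, // expiry may be at most 10 minutes in the future
    iss: appId
  }))
  const signature = crypto.sign('RSA-SHA256', Buffer.from(`${header}.${claims}`), privateKeyPem)
  return `${header}.${claims}.${signature.toString('base64url')}`
}

// Check signature and expiry with the public key; returns the claims or null.
function verifyAppJwt (jwt, publicKeyPem, now = Math.floor(Date.now() / 1000)) {
  const [header, claims, signature] = jwt.split('.')
  if (!header || !claims || !signature) return null
  const valid = crypto.verify('RSA-SHA256', Buffer.from(`${header}.${claims}`),
    publicKeyPem, Buffer.from(signature, 'base64url'))
  if (!valid) return null
  const decoded = JSON.parse(Buffer.from(claims, 'base64url').toString('utf8'))
  return decoded.exp > now ? decoded : null
}

// Describe (without sending) the call that trades the JWT for an installation token.
function installationTokenRequest (jwt, installationId) {
  return {
    method: 'POST',
    url: `https://api.github.com/app/installations/${installationId}/access_tokens`,
    headers: { authorization: `Bearer ${jwt}`, accept: 'application/vnd.github+json' }
  }
}
```

Anyone holding the private key can mint these JWTs for the app, which is why the workflow keeps it in an Actions secret rather than in the repository.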
