Use Github gating (approve button) for webui-trigger workflow #6028
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
infrastructure
jkonecny12
force-pushed
the
master-tweak-webui-trigger
branch
from
6e65348 to
4ddee61
Compare
|
/kickstart-test --waive infra only |
KKoukiou
reviewed
Nov 28, 2024
jkonecny12
temporarily deployed
to
gh-cockpituous
GitHub Actions
Inactive
jkonecny12
had a problem deploying
to
gh-cockpituous
GitHub Actions
Failure
|
@jkonecny12 we need to ensure that: INSTALLER_TOKEN has write permissions for statuses (repo:status scope). |
|
@jkonecny12 since you have access to the INSTALLKER token, try running the following locally; if the token a valid it will return some json, if not it will fail with bad credentials. (Replace INSTALKER_TOKEN) curl -X POST \
-H "Authorization: token <INSTALLER_TOKEN>" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/rhinstaller/anaconda/statuses/0bb1c33b17ecd074963821c350d2411e608ce368 \
-d '{"state": "success", "description": "Test Status", "context": "CI/Test"}' |
This is just a good practice everywhere.
Currently, the webui trigger is gated for external contributors by failing the trigger workflow which demands developer to run a command on their machine to start tests on Anaconda PR. This PR change allows external contributors execution all the time. Which raises an additional issue. Anaconda project have workflows configured that they are required to be enabled each time manually by pressing button on the PR page. This works fine but only for `pull_request` trigger and webui-trigger workflow is using `pull_request_target` which is not covered by this gating. The `pull_request_target` trigger is used because we need a Github token of the workflow from the target repository so that webui tests are able to set the status on PR. To resolve the issue above, let's use our own token instead of the workflow generated one and switch the trigger to `pull_request` which as side effect will also make the whole workflow more secure.
jkonecny12
force-pushed
the
master-tweak-webui-trigger
branch
from
0bb1c33 to
3c4f67e
Compare
jkonecny12
had a problem deploying
to
gh-cockpituous
GitHub Actions
Failure
jkonecny12
had a problem deploying
to
gh-cockpituous
GitHub Actions
Failure
|
/packit build |
jkonecny12
had a problem deploying
to
gh-cockpituous
GitHub Actions
Failure
|
After looking on the documentation, I found that this will not work. The issue is that However, I'm thinking about hooking this workflow to another on the background. Maybe workflow run hooked on our unit tests would be a nice solution? |
|
We need a different approach. Closing for now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, the webui trigger is gated for external contributors by failing the trigger workflow which demands developer to run a command on their machine to start tests on Anaconda PR.
This PR change allows external contributors execution all the time. Which raises an additional issue.
Anaconda project have workflows configured that they are required to be enabled each time manually by pressing button on the PR page. This works fine but only for
pull_requesttrigger and webui-trigger workflow is usingpull_request_targetwhich is not covered by this gating. Thepull_request_targettrigger is used because we need a Github token of the workflow from the target repository so that webui tests are able to set the status on PR.To resolve the issue above, let's use our own token instead of the workflow generated one and switch the trigger to
pull_requestwhich as side effect will also make the whole workflow more secure.