CI: split formal and build to fix posting comments #28011
Conversation
| steps: | ||
| - name: Add 'not following guidelines' label | ||
| if: needs.formalities.result == 'failure' | ||
| uses: buildsville/[email protected] |
There was a problem hiding this comment.
Is there no github internal labeller? https://github.com/actions/labeler
See also https://github.com/actions/labeler?tab=readme-ov-file#recommended-permissions
There was a problem hiding this comment.
That one is already used in labeler.yml and it's based on file paths.
|
Urgh. Maybe github themselves need to fix something with permissions. I agree that it can be tough to find what you want in the documentation. The formalities can exist in its own yaml, so that prevents unnecessary privileges. Maybe we can run the labeller under a separate token. @ynezz ? |
formal and build were merged this year, so one can depend on the other. That's the main challenge right now. |
GeorgeSapkin
force-pushed
the
ci-fix-posting-comments
branch
from
19f3d04 to
79adb6f
Compare
Yeah, that was because of openwrt/actions-shared-workflows#55 😿 |
GeorgeSapkin
force-pushed
the
ci-fix-posting-comments
branch
from
79adb6f to
ebdf781
Compare
|
I went with separating formal from build completely for now. As every other options that doesn't compromise security requires having a custom token. I think we should have them separate for now to test the current formal setup, iron out the kinks, and figure out the PAT thing in the meanwhile. This is somewhat disappointing, but again GH Actions are quite a PITA to use in the end. Edit: this PR doesn't have a formal check, since new workflows (separate formal in this case) can't run from forks. |
GeorgeSapkin
force-pushed
the
ci-fix-posting-comments
branch
from
ebdf781 to
8aa4036
Compare
GeorgeSapkin
changed the title
|
I got a prototype working using
The end result looks mostly the same, but now with the added bonus of some more statuses being visible in the PR like both build and test. 
The downsides:
|
|
This starts to sound pretty complicated. I wonder about the maintainability in future... |
It's true it's more complicated than chaining two reusable workflows in the same file. It is not much more complicated though, as it's two separate workflows with one dispatching another. The not-so-transparent part is the token which is not immediately obvious. And it is infinitely less complicated than the multi-stage workflows triggered by comments in base repo. |
GeorgeSapkin
force-pushed
the
ci-fix-posting-comments
branch
from
8aa4036 to
f54f80d
Compare
|
I've added the current solution using |
Separate formal from build so the event trigger can be set to pull_request_target and fix posting comments. This event allows workflow to do things like label or comment on pull requests from forks, but it's not recommended for build jobs due to security implications. Switch build to workflow_dispatch and trigger it from formal when it succeeds. Dispatching a workflow requires a fine-grained token, exposed through FORMAL_TOKEN secret. Since the workflow is no longer running in a PR context, it needs the PR info passed to it to manually make the appearance of being tied to said PR by setting run-name, and passing back individual matrix step statuses manually to the PR with all the correct info. To that end re-introduce the full build workflow that was moved to actions for easier testing with the expectation of moving it back to actions once it's fully tested. FORMAL_TOKEN requires actions: write permission. Build workflow can now be triggered from the UI, but it's limited to repo members. Fixes: 7658669 ("multi-arch-test-build: post formal summaries to PR") Link: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target Link: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch Link: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/ Link: https://securitylab.github.com/resources/github-actions-new-patterns-and-mitigations/ Signed-off-by: George Sapkin <[email protected]>
GeorgeSapkin
force-pushed
the
ci-fix-posting-comments
branch
from
f54f80d to
569b5a4
Compare
|
If there are no objections, I think we should ping somebody with access to the @openwrt-bot to create the necessary token. |
4 participants
Separate formal from build so the event trigger can be set to pull_request_target and fix posting comments. This event allows workflow to do things like label or comment on pull requests from forks, but it's not recommended for build jobs due to security implications.
Switch build to workflow_dispatch and trigger it from formal when it succeeds. Dispatching a workflow requires a fine-grained token, exposed through FORMAL_TOKEN secret. Since the workflow is no longer running in a PR context, it needs the PR info passed to it to manually make the appearance of being tied to said PR by setting run-name, and passing back individual matrix step statuses manually to the PR with all the correct info. To that end re-introduce the full build workflow that was moved to actions for easier testing with the expectation of moving it back to actions once it's fully tested.
Build workflow can now be triggered from the UI, but it's limited to repo members.
The end result looks mostly the same, but now with the added bonus of some more statuses being visible in the PR like both build and test.
The downsides:
Fixes: 7658669 ("multi-arch-test-build: post formal summaries to PR")
Link: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#pull_request_target
Link: https://docs.github.com/en/actions/reference/workflows-and-actions/events-that-trigger-workflows#workflow_dispatch
Link: https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
Link: https://securitylab.github.com/resources/github-actions-new-patterns-and-mitigations/
Requires:
FORMAL_TOKENwithactions: writepermission defined in secrets.Related:
cc: @BKPepe, @hnyman, @systemcrash