-
Notifications
You must be signed in to change notification settings - Fork 276
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
github/workflows: introduce action to update version tag #845
base: main
Are you sure you want to change the base?
github/workflows: introduce action to update version tag #845
Conversation
/cc @jmhbnz |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for pulling this together @ivanvc - initial thoughts below:
54f454f
to
4c98426
Compare
Hold on from reviewing my PR. I pushed to the wrong branch and haven't confirmed if my changes work or not 😬 |
4c98426
to
7c1f764
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - Thanks for implementing this @ivanvc
2b8e732
to
b45dfe1
Compare
Gentle ping @spzala - Can you please be second pair of eyes on this before we merge? |
Would be great to test this now that |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @ivanvc Please see an inline comment.
--- | ||
name: Reusable Template to Update Release | ||
|
||
on: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ivanvc @jmhbnz I am not an expert but wondering shouldn't we use workflow_dispatch:
here as well? With write
permission, we need to be careful as much as possible. I am sure you have thought about security but still wanted to double check. Thanks! cc @ahrtr @serathius @wenjiaswe
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree we should use contents: write
sparingly as there are security considerations.
We have workflow_dispatch
on the scheduled job that calls this one in order to support running a workflow on demand https://github.com/etcd-io/website/pull/845/files#diff-709e89ffb8e7b46a9736507dd8f21a544b583f4fbc0a1fb01c009f3b41c9178cR9.
@ivanvc if we are using this action to raise a pull request automatically for the version update can we get away with pull-requests: write
or do we absolutely need contents: write
as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I want to test this first and will get back to you with the answer. Either way, I'll narrow down the permissions. Good catch :).
As per workflow_dispatch:
, I'm fine removing it. It's just a convenience to run them on-demand, as @jmhbnz stated. Also, these triggers can only be done by people with write access to the repo (ref: GitHub docs).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Without the contents: write
permission, I get a 403 when pushing to the repository 🤕. Refer to this run without contents: write
: https://github.com/ivanvc/etcd-website/actions/runs/9310254830/job/25627319064.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried some other options without pushing to a branch. However, if I have the local commit, GitHub's CLI still asks to push it to a remote.
An alternative would be to keep this action running in a fork, and it opens a PR targeting this repository. That way, we won't need the action with contents: write
in this repository.
Please let me know what you think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks much @ivanvc !! If we have control on merging a PR, that would be great. Also, if I understood correctly, workflow_dispatch:
is a good security practice to manually approve the workflow. So, I didn't say to remove it but I was suggesting/checking that we should probably add it in update-release-version-template.yaml as well.
Add a nightly job that gets the latest released etcd version for supported branches (v3.4, v3.5) and create a commit and a pull request to keep it up to date. Signed-off-by: Ivan Valdes <ivan@vald.es>
b45dfe1
to
5d78a53
Compare
Add a nightly job that gets the latest released etcd version for supported branches (v3.4, v3.5) and create a commit and a pull request to keep it up to date.
An example of how this action works: ivanvc#2. Note that it is a fictional version I used to test (https://github.com/ivanvc/etcd/releases).
The caveat is that we must have enabled "Allow GitHub actions to create and approve pull requests". I'm not sure if that's enabled for the repository, as I don't have access to that. Refer to: https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests