github/workflows: introduce action to update version tag #845
Conversation
|
/cc @jmhbnz |
ivanvc
force-pushed
the
add-github-action-to-keep-release-up-to-date
branch
2 times, most recently
from
54f454f
to
4c98426
Compare
|
Hold on from reviewing my PR. I pushed to the wrong branch and haven't confirmed if my changes work or not 😬 |
ivanvc
force-pushed
the
add-github-action-to-keep-release-up-to-date
branch
from
4c98426
to
7c1f764
Compare
ivanvc
force-pushed
the
add-github-action-to-keep-release-up-to-date
branch
from
2b8e732
to
b45dfe1
Compare
|
Gentle ping @spzala - Can you please be second pair of eyes on this before we merge? |
|
Would be great to test this now that |
| --- | ||
| name: Reusable Template to Update Release | ||
|
|
||
| on: |
There was a problem hiding this comment.
@ivanvc @jmhbnz I am not an expert but wondering shouldn't we use workflow_dispatch: here as well? With write permission, we need to be careful as much as possible. I am sure you have thought about security but still wanted to double check. Thanks! cc @ahrtr @serathius @wenjiaswe
There was a problem hiding this comment.
Agree we should use contents: write sparingly as there are security considerations.
We have workflow_dispatch on the scheduled job that calls this one in order to support running a workflow on demand https://github.com/etcd-io/website/pull/845/files#diff-709e89ffb8e7b46a9736507dd8f21a544b583f4fbc0a1fb01c009f3b41c9178cR9.
@ivanvc if we are using this action to raise a pull request automatically for the version update can we get away with pull-requests: write or do we absolutely need contents: write as well?
There was a problem hiding this comment.
I want to test this first and will get back to you with the answer. Either way, I'll narrow down the permissions. Good catch :).
As per workflow_dispatch:, I'm fine removing it. It's just a convenience to run them on-demand, as @jmhbnz stated. Also, these triggers can only be done by people with write access to the repo (ref: GitHub docs).
There was a problem hiding this comment.
Without the contents: write permission, I get a 403 when pushing to the repository 🤕. Refer to this run without contents: write: https://github.com/ivanvc/etcd-website/actions/runs/9310254830/job/25627319064.
There was a problem hiding this comment.
I tried some other options without pushing to a branch. However, if I have the local commit, GitHub's CLI still asks to push it to a remote.
An alternative would be to keep this action running in a fork, and it opens a PR targeting this repository. That way, we won't need the action with contents: write in this repository.
Please let me know what you think.
There was a problem hiding this comment.
Thanks much @ivanvc !! If we have control on merging a PR, that would be great. Also, if I understood correctly, workflow_dispatch: is a good security practice to manually approve the workflow. So, I didn't say to remove it but I was suggesting/checking that we should probably add it in update-release-version-template.yaml as well.
Add a nightly job that gets the latest released etcd version for supported branches (v3.4, v3.5) and create a commit and a pull request to keep it up to date. Signed-off-by: Ivan Valdes <ivan@vald.es>
ivanvc
force-pushed
the
add-github-action-to-keep-release-up-to-date
branch
from
b45dfe1
to
5d78a53
Compare
Add a nightly job that gets the latest released etcd version for supported branches (v3.4, v3.5) and create a commit and a pull request to keep it up to date.
An example of how this action works: ivanvc#2. Note that it is a fictional version I used to test (https://github.com/ivanvc/etcd/releases).
The caveat is that we must have enabled "Allow GitHub actions to create and approve pull requests". I'm not sure if that's enabled for the repository, as I don't have access to that. Refer to: https://docs.github.com/en/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#preventing-github-actions-from-creating-or-approving-pull-requests