I have a workflow, that does some modifications on the repository, and pushes it, expecting the push workflow to start. Now I know that the intended way in the documentation suggests me creating a PAT, but that seems like a hacky solution to me, since the whole build procedure is tied to my account being active and having necessary permissions.
It also expects my account to have push access to my main branches, which I don't want to have. I want to operate through PRs.
Do I have any other options? Do I need to create a my-github-bot account in my org and create a PAT for that? All these options seem too hacky compared to just having a switch to enable workflow triggering with the default ${{ secrets.GITHUB_TOKEN }}
The workflow that pushes can also use the workflow_dispatch trigger on the second workflow to start the other workflow. Either by doing a REST call or by including a call gh:
gh workflow run {{workflow.yaml}} --ref {{sha}} --repo {{owner/repo}}
Or use one of the available actions to invoke the workflow after your push step.
For example:
- name: Invoke workflow with inputs
uses: benc-uk/workflow-dispatch#v1
with:
workflow: Another Workflow
You can also use a GitHub app, there's a special action for that. You grant the app the permissions to invoke the workflow and then let the workflow retrieve a token to invoke the other workflow if needed, heck, you could even use that token to do the push.
- name: Get Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action#v1
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
- name: Use Application Token to create a release
uses: actions/create-release#v1
env:
GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
....
A bit of setup is required to register the app and give it the right permissions.
Related
Looking to confirm this is correct way to deal with the problem and if someone has a better idea.
I have the master branch set with protection, so you have PR into it and have signed commits.
I want to automate semver and current use:
- name: Automated Version Bump
id: version-bump
uses: 'phips28/gh-action-bump-version#master'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
skip-commit: 'true'
skip-tag: 'true'
The have it working at present by removing my protection to the branch.
Looks like the solution is to add Allow specified actors to bypass genereate a PAT and use that for the token instead of the GITHUB_TOKEN.
I cant get GITHUB_TOKEN to be excepted in the field manually,
So
first question: Is it possible to GITHUB_TOKEN to the bypass list (Maybe its a variable syntax or something!)
second question: if i need to switch, if this the good solution, to create a new account go though least priv etc?
I resolved this via:
creating a service account user that has read-write access to repo
create a pat for that service account
add the service account to the bypass protection rules in the branch
create a repo secret that contains the PAT token
update the line 'GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}' with the new secret
I'm making a Github Action for the launch of Marketplace.
https://github.com/dooboolab/relay-schema-bot
Can't I use the secret value of the repository when using the Github Action of another repository?
In other words, I want to use the secret value of the repository to be called, not the secret value of the calling side.
I want to do it in a way other than this.
because the secret value of the Jay-flow/relay-schema-bot repository is not used.
name: Relay Schema bot
on:
push:
branches:
- master
paths:
- 'schema.graphql'
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- uses: dooboolab/relay-schema-bot#master
with:
token: ${{ secrets.PAT }}
repo-url: https://github.com/Jay-flow/artifacts-pro
# I don't want to enter it as below.
# because the secret value of the Jay-flow/relay-schema-bot repository is not used.
app-id: ${{ secrets.APP_ID }}
app-private-key: ${{ secrets.APP_PRIVATE_KEY }}
The APP_PRIVATE_KEY value is required to make a pull request from the Github application I created. The problem is that the user should not know this value.
Is there any way to make this possible?
Note
https://github.com/dooboolab/relay-schema-bot/blob/master/src/createPullRequest.ts#L18
This does not seem possible, from the documentation encrypted secret.
either the user of your action is able to provide the secret which will enable said action to create PR on the target repository
or your action might call a dedicated action on that target repo, and said dedicated action would be in charge to return the appropriate secret.
But then, nothing would prevent another user to call the same dedicated action on the target repository: the secret would be a secret no more.
I have a simple Node JS application built in the build directory using yarn and trying to deploy on GitHub Pages using GitHub Actions using crazy-max/ghaction-github-pages#v2 actinon in the simplest form:
- name: Deploy
uses: crazy-max/ghaction-github-pages#v2
with:
target_branch: master
build_dir: build
env:
$GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
(Note I deploy to master because the repository name is equal to the <<username>>.github.io)
To my surprise, it fails on the following error:
Error: You have to provide a GITHUB_TOKEN or GH_PAT
The whole message is not helpful as long as I know the GITHUB_TOKEN is automatically generated with each build.
The repository has the following settings under Action:
Actions permissions: Allow all actions
Fork pull request workflows from outside collaborators: Require approval for first-time contributors
Workflow permissions: Read and write permissions
The whole token and permissions management in GitHub is overkill for simple projects and the documentation lacks sample settings and the reader only goes down the rabbit hole.
How to get this run?
Based on the documentation I'm reading, it looks like you need to remove the leading $ from your environment variable name you are setting
Like this:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Documenation:
https://github.com/crazy-max/ghaction-github-pages
So I've been working on a couple of projects using Github Actions, and have come across PullApprove which is able to get the author_association from somewhere and use it. I'd like to setup some commands, which are restricted to author_association == collaborators, but am unsure how to go about this. Any advice would be appreciated.
Some code if you want it:
name: Command Management
on:
issue_comment:
types: [created, edited]
jobs:
# Automatically reverts commits on request
revert-commit:
runs-on: ubuntu-latest
if: contains(github.event.comment.body, '/revert')
steps:
- name: Checkout
uses: actions/checkout#v2.3.1
- name: Automatic Revert
uses: srt32/revert#v0.0.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
For what it's worth, I can tell you that in PullApprove we use the PR author_assiciation from the REST API. Looks like there is actually a similar thing for issue comments, but not in the REST API or webhook events -- I think you'd have to make a call to the GraphQL API to get that info (get the node_id for the issue comment off of the event and use that to make a call to GraphQL as a custom step in your action?): https://docs.github.com/en/graphql/reference/objects#issuecomment
Currently I have the following code:
name: Build-All
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build-linux-64:
name: ${{ matrix.config.name }} Build
runs-on: ${{ matrix.config.os }}
strategy:
fail-fast: true
matrix:
config:
- os: ubuntu-latest
name: Ubuntu 64
other_linker_flags: '-m64'
arch: x86_64
output: myLib.so
steps:
- name: Make fake file
run: |
echo "hello" > ${{ github.workspace }}/test.txt
- name: Uploading Release
uses: ollydev/upload-release-action#master
with:
repo_token: XXXXXXXXX
file: '${{ github.workspace }}/test.txt'
asset_name: "test"
tag: autobuild
owner: '${{ github.repo.owner }}'
repo: 'B'
overwrite: true
and two repos: A and B.
Repo A has the above yml jobs and it is a private repo. It has all the code, compiles it, and wants to push the release to repo B which is public.
To do this, I created a new github account My-CI and I added it to both the private repo and the public repo. On that new account, I then created a Personal access token with scope: public_repo
and that's it. The code works.. but is there a way to NOT have to create a separate account just to give it access as a CI to both repos? IE: Is there a way that I can create a token on my real account that is read-only for one repo and read-write for another? OR maybe create a github app token or something that can only upload releases for the one repo (B)?
As you've implied, you can't limit the scope of a personal access token to different scopes for different repos. Theres a few ways of doing this.
Intermediate, public storage
The first is to upload the artifacts to an intermediate place, accessible from anywhere, e.g. Dropbox, Docker Hub, etc. Then you can manually trigger a github action in your public repo to pull this artifact back down and create a release from it. To manually trigger this action you could use the repository_dispatch event either using cURL / postman locally (with an access token auth bearer) or using something like https://www.actionspanel.app/ which is a github app which allows you to manually trigger github actions using repository_dispatch, with parameters so your download link would be a parameter.
Personal access token
The simplest option is still a personal access token though. Your workflow above has repo_token: XXXXXXXXX which makes me wonder if you know about github secrets? Ideally this token would be stored in a secret then accessed using ${{ secrets.BRANDONS_TOKEN }}. I would ask why you are worried about a personal access token. If you use github secrets and are careful about the 3rd party code you pass the token to (you may not want to simply pass your token to #master, for example), it should be fine.
GitHub Apps & Webhooks
GitHub apps or webhooks would be another way, you can authenticate those on a per-person basis and per-repo basis but you'd need an application running online to receive and parse the messages and its quite a big piece of work.
(Probably not) GitHub Deploy Keys
Another thing to be aware of is Github Deploy Keys, you can use these to obtain read/write access to a single repository without an account attached. You would then store this deploy key in a secret in the settings of the other repo. However, I'm not sure you can trigger releases with deploy keys - they are not bound to an account so I'm unsure who's username would be visible on the release history.