I was reading about protected tags and how they can be created
on Github through the Settings tab of a particular repository.
I have a github actions workflow which:
Creates a new release
Since it creates a new release, it also creates a new tag
Uploads files and data to the release
Here is an example of my workflow, which has only some of the key parts.
name: myExample
on:
push:
branches: [ master ]
permissions:
contents: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v3
- name: Set up Python 3.8.3
uses: actions/setup-python#v3
with:
python-version: "3.8.3"
... Some Steps ...
- name: Create Release
id: create_release
uses: actions/create-release#v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{env.VERSION}}
release_name: ${{env.RELEASE_STRING}}
draft: false
prerelease: false
- name: Upload Release Asset 1
id: upload-release-asset-1
uses: actions/upload-release-asset#v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ./test.zip
asset_name: test.zip
asset_content_type: application/zip
... Some Steps ...
I imagine I need to primarily focus on the section:
permissions:
contents: write
What do I need to change so that this workflow can write protected tags and generally can work with protected tags?
Currently, my rule for protected tags is:
*
According to this article, it says "GitHub Apps require the Repository administration: write permission to modify a protected tag."
I looked at Github Actions permissions in this article, but I don't see those permissions.
I now thought I need to create a Personal Access Token and use it according to this article and this article. When creating a PAT, I didn't immediately see exactly what was described above with Repository administration: write. Perhaps if I'm an admin or maintainer of the repo, then if I create a PAT with full repo permissions then that would do it, since the token is associated with me who is admin and therefore, I can create a release on the protected branch as an admin. I haven't tested this yet, it is just a theory after searching around.
You can set the permissions at a job level so rather than grant the whole action, you set write and can limit to the job:
version:
permissions: write-all
name: versioning
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v3.3.0
with:
fetch-depth: '0'
- name: Bump version and push tag
uses: anothrNick/github-tag-action#1.61.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DEFAULT_BUMP: patch
WITH_V: "true"
needs: [terraform, security]
You can create a Personal Access Token of your account or one of a technical user and use this token while checking out the repo:
- name: Checkout
uses: actions/checkout#v3
with:
token: ${{ secrets.PAT }}
The used account need to admin of the repo, then you will be able to update the protected tag whithin github action
Related
I noticed that the automated pull requests that I implemented in open source project takes the admin as the one of the pull request. Ideally, if it was open by a bot then github-actions should be the one who opens pull request.
This makes the actions more transparent for everyone. I have not figured out how to change that.
I would suggest using the create-pull-request action. Here is an example:
jobs:
createPullRequest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v3
- name: Make changes to pull request
run: date +%s > report.txt
- name: Create Pull Request
id: cpr
uses: peter-evans/create-pull-request#v4
with:
token: ${{ secrets.PAT }}
commit-message: Update report
committer: GitHub <noreply#github.com>
author: ${{ github.actor }} <${{ github.actor }}#users.noreply.github.com>
signoff: false
branch: example-patches
delete-branch: true
title: '[Example] Update report'
body: |
Update report
- Updated with *today's* date
- Auto-generated by [create-pull-request][1]
[1]: https://github.com/peter-evans/create-pull-request
labels: |
report
automated pr
assignees: peter-evans
reviewers: peter-evans
team-reviewers: |
owners
maintainers
milestone: 1
draft: false
Here is a demonstration:
Is there a way to tell GitHub to automatically create a pull request from an API providing JSON content and merge it into my project?
I want to:
Edit files on a platform (I control the platform) using my own production editors/tools.
Have GitHub request it (REST), then create a PR or a commit, so people can collaborate on it with forks/GitHub project management.
Push from GitHub back to the platform for publishing.
3 is no problem, but 2 I can't find documentation for if it's even possible.
name: Manual workflow
on:
workflow_dispatch:
jobs:
makefiles:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- uses: actions/checkout#v2
- name: Getting
uses: fjogeleit/http-request-action#master
id: myRequest
with:
url: 'https://domain/api/file'
method: 'GET'
- name: Show File
run: echo ${{ steps.myRequest.outputs.response }}
- name: Create A File
uses: 1arp/create-a-file-action#0.2
with:
path: 'src'
file: 'foo.bar'
content: ${{steps.myRequest.outputs.response}}
- name: final commit
uses: zwaldowski/git-commit-action#v1
id: git_commit
- name: show
run: echo "${{ steps.git_commit.outputs.sha }}"
I have a GitHub Actions workflow implemented on the main branch of my repository which creates a new release of my package in GitHub. Then I have another workflow implemented which should be triggered on the creation of a release. This trigger, however, is not working.
Please note that GitHub abandoned their own actions/create-release#v1 project and advises to use the softprops release action.
My workflow template is as follows:
name: Main release
on:
push:
branches:
- main
jobs:
release:
name: 'Release main'
runs-on: ubuntu-latest
steps:
- name: 'Checkout source code'
uses: 'actions/checkout#v2'
with:
ref: ${{ github.ref }
- name: Release
uses: softprops/action-gh-release#v1
with:
draft: false
body_path: CHANGELOG.md
name: ${{ steps.version.outputs.version }}
tag_name: ${{ github.ref }}
token: ${{ github.token }}
My on:release:created trigger workflow is as follows:
name: Act on release created
on:
release:
types: [created]
jobs:
build:
name: Build
environment: dev_environment
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- name: Set env
run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
- name: Test
run: |
echo $RELEASE_VERSION
echo ${{ env.RELEASE_VERSION }}
The release and tags are correctly added in GitHub, so everything looks to work fine except that the workflow that should be triggered on the release is not executed.
How do I solve this?
The GitHub Actions documentation on performing tasks in a workflow states the following:
When you use the repository's GITHUB_TOKEN to perform tasks on behalf of the GitHub Actions app, events triggered by the GITHUB_TOKEN will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs.
This means that you will have to create a personal access token and add this token to you repository secrets.
To generate a new personal access token go to your personal developer settings and generate a new token. Then go to your repository settings and add a new secret containing the personal access token, name it i.e. PAT.
In your release workflow template, replace:
token: ${{ github.token }}
With:
token: ${{ secrets.PAT }}
Now the on release created event the workflow will be triggered!
Note: This approach seems is a bit hacky, but is currently the only known workaround for this issue and can be considered a major design flaw of workflow integrations.
As an addendum to the answer given above, I found the workflow_run event trigger to work well for this use case:
on:
workflow_run:
workflows: ["Main release"]
types: [completed]
You can add conditions for various release tags and all if required apart from this.
I'm trying to make it work this action, but I'm confused also whats it's missing in between, before triggering the peter-evans PR.
The scenario is pretty simple, I like on push, on any feature/* branch, to create automatically PR, but instead I'm getting weird scenario, where develop changes are applied on top of the feature/* branch. Can someone give me hints on this?
name: Pull Request Action
on:
push:
branches:
- feature/*
jobs:
create-pull-request:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout#v2
with:
fetch-depth: 0
ref: develop
- name: Create Pull Request
uses: peter-evans/create-pull-request#v3.10.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: Simple demo
title: '[Example] Simple demo'
body: >
This PR is auto-generated by
[create-pull-request](https://github.com/peter-evans/create-pull-request).
labels: feature, automated pr
branch: feature/workflow-demo
Just posting this as an alternative solution. If you don't want to use any 3rd party actions you can achieve this with actions/github-script, it will just require a bit more coding.
As this stands, the action will error if there is already an open PR for the feature branch. If this is an issue you could check of an existing PR with the github.rest.pulls.list method, filtering by both head and base so it will only return one or no PRs.
name: Pull Request Action
on:
push:
branches:
- feature/*
jobs:
create-pull-request:
runs-on: ubuntu-latest
steps:
- name: Create Pull Request
uses: actions/github-script#v6
with:
script: |
const { repo, owner } = context.repo;
const result = await github.rest.pulls.create({
title: '[Example] Simple demo',
owner,
repo,
head: '${{ github.ref_name }}',
base: 'develop',
body: [
'This PR is auto-generated by',
'[actions/github-script](https://github.com/actions/github-script).'
].join('\n')
});
github.rest.issues.addLabels({
owner,
repo,
issue_number: result.data.number,
labels: ['feature', 'automated pr']
});
I know this question is a year old now and asking about the create-pull-request action, but for those that would rather not use third-party actions, Github actions now support Github command line natively, if you use Github hosted runners. See: Using Github CLI in Workflows
This makes it super easy to create a pull request using the gh pr create command
Something like this:
steps:
- name: create pull request
run: gh pr create -B base_branch -H branch_to_merge --title 'Merge branch_to_merge into base_branch' --body 'Created by Github action'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Reading through the readme, the action by Peter Evans doesn't fit what you're trying to achieve. But you can use repo-sync's pull-request action:
name: Pull Request Action
on:
push:
branches:
- feature/*
jobs:
create-pull-request:
runs-on: ubuntu-latest
steps:
- name: Check out repository code
uses: actions/checkout#v2
- name: pull-request
uses: repo-sync/pull-request#v2
with:
destination_branch: "develop"
github_token: ${{ secrets.GITHUB_TOKEN }}
pr_label: "feature, automated pr"
pr_title: "[Example] Simple demo"
You might need to specify the base branch there:
- name: Create Pull Request
uses: peter-evans/create-pull-request#v3.10.1
with:
token: ${{ secrets.GH_TOKEN }}
commit-message: Auto Pull Request
title: Your desired title
body: Auto-created Pull Request
branch: ${{ github.ref }} # The branch where you commit
base: develop # Don't forget to specify the right base branch here
I have this and it creates the PR when it does not exist. I remember it didn't work exactly right at the beginning until I specified myself base and branch values, which are not very clear in the docs.
I want to use Github actions to transfer files to a remote server via SFTP (only option for this server) when I push up to Github.
I am using this Action https://github.com/marketplace/actions/ftp-deploy
I have created a file in my repo in .github/workflows/main.yml and I have added:
on: push
name: Publish Website
jobs:
FTP-Deploy-Action:
name: FTP-Deploy-Action
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2.1.0
with:
fetch-depth: 2
- name: FTP-Deploy-Action
uses: SamKirkland/FTP-Deploy-Action#3.1.1
with:
ftp-server: ${{ secrets.FTP_SERVER }}
ftp-username: ${{ secrets.FTP_USERNAME }}
ftp-password: ${{ secrets.FTP_PASSWORD }}
I have created a Secret for this repo which contains the following:
FTP_SERVER: sftp.server.com, FTP_USERNAME: user, FTP_PASSWORD: password
I can see the action running in Github but it errors out on the FTP-Deploy-Action task.
##[error]Input required and not supplied: ftp-server
This is in secrets and does work with Filezilla.
Would anyone know if I've set this up wrongly?
I was able to get it working on my own repo. I think the issue may be possibly on how your secrets were setup. That error usually shows when required parameters of a github action were not provided so curious if the keys are different or whether they were saved as empty. I would delete FTP_SERVER secret and create it again to be sure.
Workflow Success Run
Workflow Code
- name: FTP-Deploy-Action
uses: SamKirkland/FTP-Deploy-Action#3.1.1
with:
ftp-server: ${{ secrets.FTP_SERVER }}
ftp-username: ${{ secrets.FTP_USERNAME }}
ftp-password: ${{ secrets.FTP_PASSWORD }}
local-dir: toupload
UPDATE: Added example per comment left below,
Example secret creation for reference. Basically create a secret per entry rather than comma separated grouped secret
Source: https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets