I'm making a Github Action for the launch of Marketplace.
https://github.com/dooboolab/relay-schema-bot
Can't I use the secret value of the repository when using the Github Action of another repository?
In other words, I want to use the secret value of the repository to be called, not the secret value of the calling side.
I want to do it in a way other than this.
because the secret value of the Jay-flow/relay-schema-bot repository is not used.
name: Relay Schema bot
on:
push:
branches:
- master
paths:
- 'schema.graphql'
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- uses: dooboolab/relay-schema-bot#master
with:
token: ${{ secrets.PAT }}
repo-url: https://github.com/Jay-flow/artifacts-pro
# I don't want to enter it as below.
# because the secret value of the Jay-flow/relay-schema-bot repository is not used.
app-id: ${{ secrets.APP_ID }}
app-private-key: ${{ secrets.APP_PRIVATE_KEY }}
The APP_PRIVATE_KEY value is required to make a pull request from the Github application I created. The problem is that the user should not know this value.
Is there any way to make this possible?
Note
https://github.com/dooboolab/relay-schema-bot/blob/master/src/createPullRequest.ts#L18
This does not seem possible, from the documentation encrypted secret.
either the user of your action is able to provide the secret which will enable said action to create PR on the target repository
or your action might call a dedicated action on that target repo, and said dedicated action would be in charge to return the appropriate secret.
But then, nothing would prevent another user to call the same dedicated action on the target repository: the secret would be a secret no more.
Related
Can I trigger a new workflow from another workflow?
I'm trying to run a workflow after the first workflow has pushed a new release and it seems to ignore it.
Found the answer here:
An action in a workflow run can't trigger a new workflow run. For example, if an action pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.
EDIT:
The quote above might be confusing. When I add a Personal Access Token (PAT) to the checkout action with repo permissions granted (and not repository's GITHUB_TOKEN), the following commands DO trigger other workflows:
- name: Checkout Repo
uses: actions/checkout#v2
with:
token: ${{ secrets.PAT_TOKEN }}
(In my case, running semnatic-release after this checkout, which creates a new release with a new tag - did trigger another workflow that runs only if a tag was created)
As described here, you can trigger another workflow using the workflow_run event.
For example we could think of two workflow definitions like this (the only prerequisite is, that both reside in the same repository - but I'am sure, there's also an event for other repos as well):
release.yml
name: CI release
on: [push]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- name: Release artifact
run: ...
do-something-different.yml
name: Do anything after the release of the first workflow
on:
workflow_run:
workflows: ["CI release"]
types:
- completed
jobs:
notify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- name: Do something
run: ...
A crucial point here is that the name: CI release definition of the first yaml file must exactly match the workflow_run: workflows: ["CI release"] definition in the second yaml file. Another point is that this approach needs to be done on the default branch (which is mostly main or master) as the docs state:
Note: This event will only trigger a workflow run if the workflow file
is on the default branch.
If you don't want to use a general Personal Access Token (which has access to all of your repos), you can generate a dedicated SSH keypair for this purpose and add it to the repository as a Deploy Key. This is done as follows:
Generate an SSH keypair:
ssh-keygen -N "" -f deploy_key -C "github-actions"
Add the private key (generated file deploy_key) as an encryped secret, e.g. COMMIT_KEY to the GitHub project.
Add the public key (generated file deploy_key.pub) as a deploy key with write access to the GitHub project. Tick the Allow write access checkbox.
When checking out the source code in your workflow, add the SSH key:
- name: Checkout
uses: actions/checkout#v3
with:
ssh-key: "${{secrets.COMMIT_KEY}}"
Subsequent push actions in the same workflow will then trigger any configured GitHub workflow as if they were pushed manually.
I have a workflow, that does some modifications on the repository, and pushes it, expecting the push workflow to start. Now I know that the intended way in the documentation suggests me creating a PAT, but that seems like a hacky solution to me, since the whole build procedure is tied to my account being active and having necessary permissions.
It also expects my account to have push access to my main branches, which I don't want to have. I want to operate through PRs.
Do I have any other options? Do I need to create a my-github-bot account in my org and create a PAT for that? All these options seem too hacky compared to just having a switch to enable workflow triggering with the default ${{ secrets.GITHUB_TOKEN }}
The workflow that pushes can also use the workflow_dispatch trigger on the second workflow to start the other workflow. Either by doing a REST call or by including a call gh:
gh workflow run {{workflow.yaml}} --ref {{sha}} --repo {{owner/repo}}
Or use one of the available actions to invoke the workflow after your push step.
For example:
- name: Invoke workflow with inputs
uses: benc-uk/workflow-dispatch#v1
with:
workflow: Another Workflow
You can also use a GitHub app, there's a special action for that. You grant the app the permissions to invoke the workflow and then let the workflow retrieve a token to invoke the other workflow if needed, heck, you could even use that token to do the push.
- name: Get Token
id: get_workflow_token
uses: peter-murray/workflow-application-token-action#v1
with:
application_id: ${{ secrets.APPLICATION_ID }}
application_private_key: ${{ secrets.APPLICATION_PRIVATE_KEY }}
- name: Use Application Token to create a release
uses: actions/create-release#v1
env:
GITHUB_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
with:
....
A bit of setup is required to register the app and give it the right permissions.
So I've been working on a couple of projects using Github Actions, and have come across PullApprove which is able to get the author_association from somewhere and use it. I'd like to setup some commands, which are restricted to author_association == collaborators, but am unsure how to go about this. Any advice would be appreciated.
Some code if you want it:
name: Command Management
on:
issue_comment:
types: [created, edited]
jobs:
# Automatically reverts commits on request
revert-commit:
runs-on: ubuntu-latest
if: contains(github.event.comment.body, '/revert')
steps:
- name: Checkout
uses: actions/checkout#v2.3.1
- name: Automatic Revert
uses: srt32/revert#v0.0.1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
For what it's worth, I can tell you that in PullApprove we use the PR author_assiciation from the REST API. Looks like there is actually a similar thing for issue comments, but not in the REST API or webhook events -- I think you'd have to make a call to the GraphQL API to get that info (get the node_id for the issue comment off of the event and use that to make a call to GraphQL as a custom step in your action?): https://docs.github.com/en/graphql/reference/objects#issuecomment
Problem: We use github actions workflow for CI and we have many github repositories. I need to be able change everything repeatable for every repository at once.
Is it possible to use in github action workflow yml file some snippet that located mb in different repository.
You can include other public and local actions in your workflow, which lets you reuse common steps. Using versioned actions with {owner}/{repo}#{ref}:
steps:
- uses: actions/setup-node#74bc508 # Reference a specific commit
- uses: actions/setup-node#v1 # Reference the major version of a release
- uses: actions/setup-node#v1.2 # Reference a minor version of a release
- uses: actions/setup-node#master # Reference a branch
..or local actions with ./path/to/dir:
jobs:
my_first_job:
steps:
- name: Check out repository
uses: actions/checkout#v2
- name: Use local my-action
uses: ./.github/actions/my-action
https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses
One way of doing this is having a central CICD / GitHub actions repository with shared workflows which are triggered on repository_dispatch events.
on:
repository_dispatch:
types:
- your_event
jobs:
job1:
name: Do something
runs-on: ubuntu-latest
env:
SOURCE_BRANCH: ${{ github.event.client_payload.source_branch }}
SOURCE_REPO: ${{ github.event.client_payload.source_repo }}
# do all your stuff
Then in each github repo you write a small workflow file which outlines the triggers for the local repo, pushing to master / opening a PR etc. That action simply dispatches a repository_dispatch event to your central CICD repo with the repo and branchname it came from.
name: Trigger external CICD
on:
push:
branches:
- master
jobs:
trigger_cicd:
name: Trigger external CICD
runs-on: ubuntu-latest
steps:
- name: Send repository_dispatch event
uses: peter-evans/repository-dispatch#v1
with:
token: ${{ secrets.CICD_GITHUB_TOKEN }}
repository: yourorg/centralcicdrepo
event-type: ${{ env.EVENT_TYPE }}
client-payload: '{"source_branch": "${{ github.ref }}", "source_repo": "${{ github.repository }}" }'
One gotcha is that you need an access token to talk between repos, in the above example it's added as a secret called CICD_GITHUB_TOKEN. The easiest is to just use your own account but this will label all your central CICD runs as 'triggered by you'. You can also create a bot account or you can have each developer add their access tokens as secrets then map the right author to the right access token.
There is currently (Feb. 3, 2021) no supported method for reusing workflows or snippets from a centralized repository. There are hacks, as Michael Parker has cleverly demonstrated, but these come with significant downsides (eg. observability, opacity, etc.).
I've written this blog post that describes the problem you have in more detail, along with an open-source solution.
––
Similar topics:
DRYing GH Actions workflows
External workflow configuration
Bringing this issue to GH's attention:
Raise this issue with GH
GH Roadmap item
So I'm quite new to Github actions and trying to implement an action in a workflow.
I need to clone/checkout repo_2 into where my workflow is located, repo_1. Both are private repos.
It looks like this
job:
name: Cloning private repo
runs-on: ubuntu-latest
steps:
- name: Cloning
uses: actions/checkout#v1
with:
repository: my-username/repo_2
token: ${{ secrets.PAT }}
I created a PAT and added it as a secret key to repo_2. However whenever I run the workflow I get the following error:
[error]fatal: repository 'https://github.com/my-username/repo_2/' not
found
Seems to me like the authentication couldn't be verified. Is this what's happening? How do I fix it?