I would like to use a GitHub action/do some config that automatically requests a review from a team in a GitHub organization (for example core). I know that you can create pull request templates that automatically request a review from a certain reviewer but how do I do this without creating a template? In summary, I would like to have a team in GitHub core automatically requested a review for each PR opened. How do I do this?
In general, this is a good use case for the code owners feature: you could have a file .github/CODEOWNERS that looks like
* #yourorg/core
This requires a review from that team on any pull request opened.
However, this requires the team to have write permissions on the repository, and (as per comments) the intention is to not give this team write permissions.
With the team having only "triage" permissions, this could be achieved with the following workflow:
name: Request review on PRs
on:
pull_request:
types:
- opened
jobs:
request:
name: Request reviews on opened PRs
runs-on: ubuntu-20.04
steps:
- name: Create PR review request
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh pr edit ${{ github.event.pull_request.html_url }} \
--add-reviewer yourorg/core
This runs on each opened pull request and creates a review request from the yourorg/core team using the pr edit command of the GitHub CLI, which is pre-installed on the virtual environments.
Related
GitLab has an extremely useful feature called Review Apps which allows you to start up an instance of the web app from every PR which has its own subdomain and is linked on the PR page. I have done some searching and I don't see anything quite like it for GitHub.
Are there any ways to achieve a similar thing on github? 3rd party services are fine if they can integrate in with github. The app has a docker compose config so it would be just starting up an instance on a VM and shutting it down later.
The closest would be Delivering deployments/Deployment API, as described in the article "Deploy your pull requests with GitHub Actions and GitHub Deployments" from Sander Knape.
You can see its workflow here.
But the point is: there is not a directly integrated "review" deployment process like GitLab: you need to write your own GitHub workflow in order to deploy on a GitHub-managed Azure-based server, starting with:
deploy:
runs-on: ubuntu-latest
needs: deploy-check
if: needs.deploy-check.outputs.triggered == 'true'
steps:
- name: get pull request ref
id: get_pull_request_ref
uses: octokit/request-action#v2.x
with:
route: GET /repos/:repository/pulls/:issue_id
repository: ${{ github.repository }}
issue_id: ${{ github.event.issue.number }}
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
I have a simple Node JS application built in the build directory using yarn and trying to deploy on GitHub Pages using GitHub Actions using crazy-max/ghaction-github-pages#v2 actinon in the simplest form:
- name: Deploy
uses: crazy-max/ghaction-github-pages#v2
with:
target_branch: master
build_dir: build
env:
$GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
(Note I deploy to master because the repository name is equal to the <<username>>.github.io)
To my surprise, it fails on the following error:
Error: You have to provide a GITHUB_TOKEN or GH_PAT
The whole message is not helpful as long as I know the GITHUB_TOKEN is automatically generated with each build.
The repository has the following settings under Action:
Actions permissions: Allow all actions
Fork pull request workflows from outside collaborators: Require approval for first-time contributors
Workflow permissions: Read and write permissions
The whole token and permissions management in GitHub is overkill for simple projects and the documentation lacks sample settings and the reader only goes down the rabbit hole.
How to get this run?
Based on the documentation I'm reading, it looks like you need to remove the leading $ from your environment variable name you are setting
Like this:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Documenation:
https://github.com/crazy-max/ghaction-github-pages
I have a repository which contains deploy keys. I want a workflow job which periodically checks whether any of the deploy keys are reaching their maximum allowed age before they must be rotated. I tried writing a workflow like this, using the GITHUB_TOKEN, but it looks like it doesn't have the necessary privileges. My repository belongs to a GitHub Organization.
name: Check age of repository deploy key
# This workflow is triggered on pushes to the repository.
on:
push:
schedule:
# Runs 06:00 every day
- cron: '0 6 */1 * *'
jobs:
expiry_check:
env:
DEPLOY_KEY_METADATA_URL: https://api.github.com/repos/my_org/my_repo/keys
DEPLOY_KEY_MAX_AGE: 3600*24*365 # 1 year
# This job runs on Linux
runs-on: ubuntu-latest
steps:
# GitHub repository checkout
- name: GitHub repository checkout
uses: actions/checkout#v1
- name: Check if any deploy keys are approaching their expiry data
run: |
python3 -c "import requests;import sys;url=sys.argv[1];token=sys.argv[2];r=requests.get(url, headers={'Authorization': f'Bearer {token}'});print(r.text)" $DEPLOY_KEY_METADATA_URL ${{ secrets.GITHUB_TOKEN }}
The response to my API request has this error: {"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/rest/reference/repos#list-deploy-keys"}
Is there some other solution to this problem, besides personal access tokens and GitHub Apps? The first option is not feasible; business logic can't break when an employee leaves the GitHub Organization. I suppose I could make a GitHub App, but I'd rather avoid that too, if I can. I'm not an admin in my GitHub Organization.
Currently I have the following code:
name: Build-All
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build-linux-64:
name: ${{ matrix.config.name }} Build
runs-on: ${{ matrix.config.os }}
strategy:
fail-fast: true
matrix:
config:
- os: ubuntu-latest
name: Ubuntu 64
other_linker_flags: '-m64'
arch: x86_64
output: myLib.so
steps:
- name: Make fake file
run: |
echo "hello" > ${{ github.workspace }}/test.txt
- name: Uploading Release
uses: ollydev/upload-release-action#master
with:
repo_token: XXXXXXXXX
file: '${{ github.workspace }}/test.txt'
asset_name: "test"
tag: autobuild
owner: '${{ github.repo.owner }}'
repo: 'B'
overwrite: true
and two repos: A and B.
Repo A has the above yml jobs and it is a private repo. It has all the code, compiles it, and wants to push the release to repo B which is public.
To do this, I created a new github account My-CI and I added it to both the private repo and the public repo. On that new account, I then created a Personal access token with scope: public_repo
and that's it. The code works.. but is there a way to NOT have to create a separate account just to give it access as a CI to both repos? IE: Is there a way that I can create a token on my real account that is read-only for one repo and read-write for another? OR maybe create a github app token or something that can only upload releases for the one repo (B)?
As you've implied, you can't limit the scope of a personal access token to different scopes for different repos. Theres a few ways of doing this.
Intermediate, public storage
The first is to upload the artifacts to an intermediate place, accessible from anywhere, e.g. Dropbox, Docker Hub, etc. Then you can manually trigger a github action in your public repo to pull this artifact back down and create a release from it. To manually trigger this action you could use the repository_dispatch event either using cURL / postman locally (with an access token auth bearer) or using something like https://www.actionspanel.app/ which is a github app which allows you to manually trigger github actions using repository_dispatch, with parameters so your download link would be a parameter.
Personal access token
The simplest option is still a personal access token though. Your workflow above has repo_token: XXXXXXXXX which makes me wonder if you know about github secrets? Ideally this token would be stored in a secret then accessed using ${{ secrets.BRANDONS_TOKEN }}. I would ask why you are worried about a personal access token. If you use github secrets and are careful about the 3rd party code you pass the token to (you may not want to simply pass your token to #master, for example), it should be fine.
GitHub Apps & Webhooks
GitHub apps or webhooks would be another way, you can authenticate those on a per-person basis and per-repo basis but you'd need an application running online to receive and parse the messages and its quite a big piece of work.
(Probably not) GitHub Deploy Keys
Another thing to be aware of is Github Deploy Keys, you can use these to obtain read/write access to a single repository without an account attached. You would then store this deploy key in a secret in the settings of the other repo. However, I'm not sure you can trigger releases with deploy keys - they are not bound to an account so I'm unsure who's username would be visible on the release history.
I have a file in a GitHub repository that needs updating occasionally by running a command.
As part of a GitHub Workflows, I want to have a bot running a command, and seeing if it creates a diff on the repo, and if so, make a pull request to the repository automatically.
I have a suspicion that the GitHub Workflows can help me do that as GitHub now lets people run arbitrary containers ("Actions") that do stuff like builds in a repository. I see some official automation workflows that let you "label" and "comment" issues etc here: https://github.com/actions/starter-workflows/tree/master/automation
If I wanted to run an arbitrary command and make a PR to the repository, which GitHub Actions should I be looking at instead of reinventing my own Actions? Any pointers are appreciated.
I made a GitHub Action that I think will help you with this use case.
https://github.com/peter-evans/create-pull-request
create-pull-request action needs to be run in conjunction with other actions or steps that modify or add files to your repository. The changes will be automatically committed to a new branch and a pull request created.
Here is an example that sets most of the main inputs.
on:
repository_dispatch:
types: [create-pull-request]
name: Create Pull Request
jobs:
createPullRequest:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- name: Create report file
run: date +%s > report.txt
- name: Create Pull Request
uses: peter-evans/create-pull-request#v3
with:
token: ${{ secrets.GITHUB_TOKEN }}
commit-message: Add report file
committer: Peter Evans <peter-evans#users.noreply.github.com>
body: |
New report
- Contains *today's* date
- Auto-generated by [create-pull-request][1]
[1]: https://github.com/peter-evans/create-pull-request
title: '[Example] Add report file'
labels: report, automated pr
assignees: peter-evans
reviewers: peter-evans
milestone: 1
branch: example-patches
To make it bot-like you can trigger the workflow periodically.
on:
schedule:
- cron: '*/5 * * * *'
Alternatively, you can set the workflow to trigger via webhook, as in the example above.
on:
repository_dispatch:
types: [create-pull-request]
To trigger the workflow call the following. [username] is a GitHub username. [token] is a repo scoped token. [repository] is the name of the repository the workflow resides in.
curl -XPOST -u "[username]:[token]" -H "Accept: application/vnd.github.everest-preview+json" -H "Content-Type: application/json" https://api.github.com/repos/[username]/[repository]/dispatches --data '{"event_type": "create-pull-request"}'
For further examples check out the documentation here.