-
Notifications
You must be signed in to change notification settings - Fork 494
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Automatically update protos #1027
base: master
Are you sure you want to change the base?
Conversation
# TODO: We need a new GitHub Machine Account (or maybe an existing one?) to generate a PAT that we can use as the token here | ||
# otherwise, our new changes will not trigger further Actions (on:push or on:pull_request, i.e. CI/CD builds). | ||
#- name: Create Pull Request | ||
# uses: peter-evans/[email protected] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't played with GH actions much - but what does security look like for a third-party action that is fed a PAT?
Does pinning the action to a specific version guarantee it to be immutable?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure that we have a machine account around (I definitely don't have one), so we'll want to create one - and share creds among the core team?
The PAT will definitely need to be limited in scope to just creating PRs, if that's doable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can provide a full commit hash as the version afaik.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be that pull requests created when run by cron shouldn't require a PAT.
Note: If you want pull requests created by this action to trigger an on: push or on: pull_request workflow then you cannot use the default GITHUB_TOKEN.
FWIW, adding permissions
section is worthwhile:
contents: write
pull-requests: write
# title: Update protobufs | ||
# body: | | ||
# - Update protobufs | ||
# branch: auto/protobufs |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Configure branch-suffix
as well? Not sure what happens if the branch already exists and this action tries to create it again.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Commit all changes to a new branch, or update an existing pull request branch.
It should update the existing branch, which is good, there's no reason to spam branches/prs for each update.
branches: | ||
- yaakov/auto-protos # temporary trigger during development | ||
#schedule: | ||
#- cron: '0 17 * * SUN' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just dropping a comment for this to be uncommented once we're ready to merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can also add workflow_dispatch:
to be able to manually trigger this from UI.
Here's quick late-night hack: use GitHub Actions to automatically update our protos regularly.
(I picked Sunday morning in my time zone, I think.)
The complication here is that the repository's automatic GITHUB_TOKEN can push code and create the pull request, but that will not trigger subsequent Actions - i.e. building and testing the new code.
IMO that part is pretty important - we need to know at a glance if a protobuf update contains any breaking changes, we can't blindly merge them if they remove or rename something that we're using.
The recommendation from the various docs I've come across is to use a Personal Access Token (PAT) from either a particular developer (to whom all the PRs will be attributed to), or a new Machine Account.
According to the GitHub user terms, everyone can create at most one actual personal account plus one Machine Account, which is basically a personal account used solely for automation.
Does anyone have a machine account that we can re-use for this, or do I need to create a new one?