Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Automatically update protos #1027

Open
wants to merge 10 commits into
base: master
Choose a base branch
from
Open

Automatically update protos #1027

wants to merge 10 commits into from

Conversation

yaakov-h
Copy link
Member

@yaakov-h yaakov-h commented Oct 2, 2021

Here's quick late-night hack: use GitHub Actions to automatically update our protos regularly.

(I picked Sunday morning in my time zone, I think.)

The complication here is that the repository's automatic GITHUB_TOKEN can push code and create the pull request, but that will not trigger subsequent Actions - i.e. building and testing the new code.

IMO that part is pretty important - we need to know at a glance if a protobuf update contains any breaking changes, we can't blindly merge them if they remove or rename something that we're using.

The recommendation from the various docs I've come across is to use a Personal Access Token (PAT) from either a particular developer (to whom all the PRs will be attributed to), or a new Machine Account.

According to the GitHub user terms, everyone can create at most one actual personal account plus one Machine Account, which is basically a personal account used solely for automation.

Does anyone have a machine account that we can re-use for this, or do I need to create a new one?

# TODO: We need a new GitHub Machine Account (or maybe an existing one?) to generate a PAT that we can use as the token here
# otherwise, our new changes will not trigger further Actions (on:push or on:pull_request, i.e. CI/CD builds).
#- name: Create Pull Request
# uses: peter-evans/[email protected]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I haven't played with GH actions much - but what does security look like for a third-party action that is fed a PAT?

Does pinning the action to a specific version guarantee it to be immutable?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure that we have a machine account around (I definitely don't have one), so we'll want to create one - and share creds among the core team?

The PAT will definitely need to be limited in scope to just creating PRs, if that's doable.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can provide a full commit hash as the version afaik.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might be that pull requests created when run by cron shouldn't require a PAT.

Note: If you want pull requests created by this action to trigger an on: push or on: pull_request workflow then you cannot use the default GITHUB_TOKEN.

FWIW, adding permissions section is worthwhile:
contents: write
pull-requests: write

# title: Update protobufs
# body: |
# - Update protobufs
# branch: auto/protobufs
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Configure branch-suffix as well? Not sure what happens if the branch already exists and this action tries to create it again.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Commit all changes to a new branch, or update an existing pull request branch.

It should update the existing branch, which is good, there's no reason to spam branches/prs for each update.

branches:
- yaakov/auto-protos # temporary trigger during development
#schedule:
#- cron: '0 17 * * SUN'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just dropping a comment for this to be uncommented once we're ready to merge.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can also add workflow_dispatch: to be able to manually trigger this from UI.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants