Support SSH keys for pushing tags #49
Managed to find a bit of time, it's working as expected on my machine and I can't think of anything that would cause it to break in the Actions environment. @ericphanson or @DilumAluthge could you be my guinea pigs and try enabling this feature for any upcoming releases?
Will do! Do I need to do anything to update the workflow, or does it automatically draw from the master branch here? (Besides adding the ssh deploy key, I mean).
Nope,
I tagged a patch release to test this out and try to get some stable docs; did not work out: https://github.com/ericphanson/UnbalancedOptimalTransport.jl/commit/146998c0fa5e2dd66b9d06f0e9a7865309c218a3/checks?check_suite_id=404143684 (I reused my documenter deploy key, but I thought that should be fine)
Thanks for the report 🙂 That actually seems to be a random network failure... care to hit retry (or just wait 20 minutes)?
Ah, good to know! Let’s see what the next round brings then.
Ok, I made the secret and retriggered. Gotta go for a bit but I'll be back later.
Hm, that's puzzling. By all means it should be working... I'll look at this again tomorrow if I have a chance.
Ah, I think it's my fault. The documenter key is base64 encoded. I added a separate deploy key for tagbot and the corresponding secret. I'm seeing weird errors now both for tagbot and CI (
Hmm, failed again with the same error... Not really sure why. (https://github.com/ericphanson/UnbalancedOptimalTransport.jl/commit/d39b2cacb74858f9650329856ee99dc320c9d1c4/checks?check_suite_id=404648088)
I think I fixed it! We'll see in an hour...
Got past the previous error and onto a new one! An "invalid key format". Is the key secret still a base64 private key that comes out of
I believe I've squashed the bug... https://serverfault.com/a/960647
I believe that is why Documenter base64-encodes the key, to get a one-line key.
That seems like a good idea. I added the ability to recognize those keys too so that they can be reused for TagBot.
Thanks for the fix; using the TAGBOT_KEY I added resulted in failures, but switching back to the base64-encoded DOCUMENTER_KEY and retriggering tagbot caused it to work successfully and tag the release. That in turn successfully caused github ci (due to the trigger So I'm actually still not really sure what's needed in order to make github ci + tagbot + documenter work properly.
The docs deployment looks like an unknown host issue with SSH (which is the exact issue that we saw first with TagBot): https://github.com/ericphanson/UnbalancedOptimalTransport.jl/runs/395589862#step:5:79 Which seems like it was mentioned in JuliaDocs/Documenter.jl#625 but the resolution seems to be "manage your known hosts file yourself" (whereas with TagBot we chose the less secure resolution of disabling the host key check). Also it's interesting that using the unencoded key still fails, I'll have to look into that. If I can't get it to work then I'm cool with just requiring the keys to be encoded in the same manner as Documenter. Oh and one more thing: the docs build is actually a push event (the push of the tag), not a release (the token that created the release can't trigger events). So you can remove the release event from your CI workflow if you want.
Thanks very much for the diagnosis :). Hmm, secure seems good but I’m not really sure how to add to the known hosts in this setting, or if they will be stable. Do you think my next step would be to ask on that documenter issue?
This seems to be the way to go https://stackoverflow.com/questions/13363553/git-error-host-key-verification-failed-when-connecting-to-remote-repository#29380765 I'll try that in TagBot in a while. But yes for the Documenter part, you can ask about it there or just do the keyscan in a step before the docs.
It works! Just needed to add a Finally, stable docs :). Thanks very much for the help.
Closes #47
Closes #48
I haven't tested this on a real repo yet but it should work. I'm going on holiday so I might not get around to those tests until around Monday/Tuesday.
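The two problems worked through in this thread (a deploy key secret stored either raw or base64-encoded the way Documenter does it, and SSH host key verification) can be handled as in the sketch below. It is an added Python example, not TagBot's or Documenter's own code; the function names, the `deploy_key` file name and the sample key are made up for illustration, and the known_hosts file is assumed to have been populated in an earlier step (for instance by the keyscan mentioned above).

```python
import base64
import binascii
import os
import shlex

PEM_BEGIN = "-----BEGIN "
# Constructed sample, not a real key: the body is just base64 of "CONSTRUCTED".
SAMPLE_PEM = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
              "Q09OU1RSVUNURUQ=\n"
              "-----END OPENSSH PRIVATE KEY-----\n")

def normalize_deploy_key(secret: str) -> str:
    """Return PEM text for a secret stored raw or as one-line base64 of the PEM."""
    text = secret.strip()
    if not text.startswith(PEM_BEGIN):
        try:
            # Documenter-style secret: decode and expect PEM text inside.
            raw = base64.b64decode("".join(text.split()), validate=True)
            text = raw.decode("ascii").strip()
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("secret is neither PEM nor base64-encoded PEM") from exc
    if not text.startswith(PEM_BEGIN) or "-----END " not in text:
        raise ValueError("decoded secret is not a PEM private key")
    # Assumption: multi-line secrets may arrive with CRLF or without a final
    # newline, so rewrite with LF line endings and a trailing newline.
    return "\n".join(line.strip() for line in text.splitlines()) + "\n"

def write_private_key(pem: str, directory: str) -> str:
    """Create the key file with owner-only permissions; ssh rejects looser modes."""
    path = os.path.join(directory, "deploy_key")  # hypothetical file name
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="\n") as handle:
        handle.write(pem)
    return path

def git_ssh_command(key_path: str, known_hosts_path: str) -> str:
    """Build a GIT_SSH_COMMAND value that keeps host key checking enabled."""
    parts = [
        "ssh", "-i", key_path,
        "-o", "IdentitiesOnly=yes",
        "-o", "StrictHostKeyChecking=yes",  # fail on unknown hosts, do not disable
        "-o", f"UserKnownHostsFile={known_hosts_path}",
    ]
    return " ".join(shlex.quote(part) for part in parts)
```

The returned string is meant to be exported as `GIT_SSH_COMMAND` before the `git push` of the tag, so the push fails on an unknown host rather than skipping the check.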