productionize community-ci workflow #37404
This workflow was not used anywhere
Regarding security, @natikgadzhi and @alafanechere , are you both confident enough in the security profile here that we can relax the GitHub setting to let workflows run freely on fork PRs? We just relaxed on PyAirbyte because this enables users constant feedback on those non-privileged workflows like lint, format, static code tests and non-cred-tests like unit tests. Before bringing in any |
No I am not.
B can be easily mitigated with carefully picked timeouts and concurrency control. In any case I believe this should be a follow up effort. We could start by not requiring secrets for format as it's a smaller lift compared to running unit tests automatically. |
The |
Pre-approving to get this moving, caveated on addressing feedback —I hope to have this in soon so we can then cleanup formatting and get @marcosmarxm to be very happy ;)
@@ -10,20 +10,28 @@ inputs: | |||
description: "Path to airbyte-ci source" |
How does it work without Python tho!? TIL
if [ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]; then | ||
echo "PR is from a fork. Exiting workflow..." | ||
exit 78 | ||
fi | ||
- name: Checkout Airbyte | ||
uses: actions/checkout@v3 |
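Review bot: `exit 78` in the fork check (`if [ "${{ github.event.pull_request.head.repo.fork }}" == "true" ]`) no longer produces a neutral result; current GitHub Actions treats any non-zero exit as a failed step, so the PRs this block is meant to skip would show a failed run instead of a skipped one. Move the condition to the job level (`if:` on `github.event.pull_request.head.repo.fork`) so the job reports as skipped, and bump `actions/checkout@v3` to v4 while touching this step.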
Nit: check if new version of checkout is available. V4 I think?
.github/workflows/community_ci.yml
permissions: | ||
statuses: write | ||
env: | ||
MAIN_BRANCH_NAME: "augustin/04-18-community-ci_workflow_prevent_injection" |
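Review bot: `MAIN_BRANCH_NAME` is set to the feature branch `augustin/04-18-community-ci_workflow_prevent_injection`; because a `pull_request_target` workflow is supposed to take its trusted logic from the target branch, this value has to point at the repository's default branch before merge, otherwise the sync step keeps fetching from a branch that will be deleted. The `permissions: statuses: write` block is the right least-privilege scope for a workflow that executes fork code; keep it that narrow when more jobs are added.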
I assume this needs to change before we merge?
|
||
# This will sync the .github folder of the main repo with the fork | ||
# This allows us to use up to date actions from the main repo | ||
- name: Pull .github folder from main repository |
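Review bot: the position of this step matters: the `.github` folder must be pulled from the main repository after the fork's code is checked out, otherwise the fork checkout overwrites it and any locally referenced action (`./.github/actions/...`) would come from the untrusted PR. The comment should also name the branch the folder is synced from (`MAIN_BRANCH_NAME`, per the `env` block above) so a reviewer can confirm it is the target branch and not the PR head.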
Ah, so we want to ensure that they ran new versions of tests and such?
.github/workflows/community_ci.yml
context: "pull_request" | ||
dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN }} | ||
dagger_cloud_token: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }} |
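Review bot: the reason for switching from `DAGGER_CLOUD_TOKEN` to `DAGGER_CLOUD_TOKEN_2` lives only in this review thread; add a one-line comment next to the input, and once the runner migration is finished remove the unused secret from the repository so a job that runs fork code cannot be pointed at a stale credential by a later edit.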
Why change the token here? How is it related? Is this one specific to community ci?
`DAGGER_CLOUD_TOKEN_2` is the latest version of this secret which works.
The previous token stopped working when we moved to GHA runners and I don't know why.
I kept both tokens as we did progressive migration from self hosted to GHA runners.
.github/workflows/community_ci.yml
docker_hub_password: ${{ secrets.DOCKER_HUB_PASSWORD }} | ||
docker_hub_username: ${{ secrets.DOCKER_HUB_USERNAME }} | ||
gcp_gsm_credentials: ${{ secrets.GCP_GSM_CREDENTIALS }} | ||
gcs_credentials: ${{ secrets.METADATA_SERVICE_PROD_GCS_CREDENTIALS }} |
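Review bot: this job hands Docker Hub, GCP GSM and GCS credentials to a run that executes fork code, so it must sit behind the `community_ci` environment approval described in the PR body; please confirm `environment:` is set on this job and not only on the test job, and pass each subcommand only the secrets it actually uses rather than the full set.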
Can you explain this change a bit? Did we rename the variable before but didn't rename this particular input?
I'm just aligning the inputs to what is currently declared in the `format_check.yml` workflow.
.github/workflows/community_ci.yml
subcommand: "connectors --modified test" | ||
is_fork: "true" | ||
|
||
format: |
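Review bot: `is_fork: "true"` is hard-coded; `pull_request_target` also fires for same-repository PRs, so if `community_ci.yml` is ever triggered for one of those the `--git-repo-url` clone would be told it is on a fork. Derive the value from `${{ github.event.pull_request.head.repo.fork }}`, or gate the job with an `if:` on that field so non-fork PRs are skipped.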
Do we remove this in favor of @aaronsteers's approach to formatting, given we'll clean that one up?
Closes https://github.com/airbytehq/airbyte-internal-issues/issues/7315

This PR introduces a new `community_ci.yml` workflow to run connectors tests and format on fork PRs.

How can this safely work as forks contain untrusted code⁉️

- `pull_request_target` triggers: it means the workflow logic is the one hosted on the target branch. The fork can't alter the CI behavior. We can't use the `pull_request` event because it does not provide access to secrets on forks and the workflow logic could be altered by the contribution.
- An environment (`community_ci`): the execution of the test and format jobs is conditioned by a human approval from a pool of selected Airbyters. A human review should identify shady activity like secret extraction or resource exhaustion. If the code is deemed safe the Airbyte reviewer can approve the deployment to the environment, which would run CI jobs.

Changes

- `community_ci.yml` workflow from my spike to clean it up and make it work. This is the first thing you should review.
- `airbyte-ci` accepts a `--git-repo-url` option. This is to enable it to clone the forked Airbyte repo to compute the list of modified files.
- `install-airbyte-ci.yml` action to always install the binary when we're on a fork. This will prevent accidentally installing `airbyte-ci` from source if something shady is introduced to this tool.
- `community_ci.yml` and the other non fork workflows.

Why did you introduce a new workflow and not change the logic of the existing ones⁉️

I felt that introducing a new workflow dedicated to Community CI was simpler to colocate all the specific (and a bit more complex) logic related to running CI on forks.
If we wanted to modify the other workflows to support running on forks it would require changing their trigger from `pull_request` to `pull_request_target`, which has some drawbacks. It would also introduce a lot more conditional expressions in workflows to check whether we're on a fork.
We can consider streamlining workflows to work on fork / non fork in the future, but I first want to unblock the community review use case in a simple and atomic manner.

Demo

Test and format correctly ran in this workflow execution on this fork.
When a push happens on the PR Github displays this button to start the approval flow:

[Screenshot 2024-04-23 at 11 32 47: the approval button shown on the PR]
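A minimal workflow in the shape the description lays out (`pull_request_target` trigger, environment approval, trusted `.github` pulled from the target branch), plus the timeout and concurrency controls mentioned in the review thread. This is an added example, not the PR's actual `community_ci.yml`; the `./airbyte-ci` invocation, the `trusted-github` scratch path and the environment's required-reviewer configuration are assumptions.

```yaml
name: Community CI (example, not the PR's file)

on:
  pull_request_target:
    types: [opened, synchronize, reopened]

# Least privilege for GITHUB_TOKEN: only what posting a commit status needs.
permissions:
  statuses: write

# One run per PR at a time; a new push cancels the previous one (resource exhaustion control).
concurrency:
  group: community-ci-${{ github.event.pull_request.number }}
  cancel-in-progress: true

jobs:
  connectors_test:
    # Skip same-repository PRs: they use the regular pull_request workflows.
    if: github.event.pull_request.head.repo.fork == true
    runs-on: ubuntu-latest
    # Nothing below runs until a required reviewer approves the run in this environment
    # (assumed: the environment is configured with required reviewers in repo settings).
    environment: community_ci
    timeout-minutes: 60
    steps:
      - name: Checkout the fork at the reviewed commit
        uses: actions/checkout@v4
        with:
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}  # pin the SHA that was approved, not a moving branch
          persist-credentials: false  # leave no token in .git for untrusted build steps to read
          fetch-depth: 0
      - name: Pull the .github folder from the main repository (target branch, not the fork)
        uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.base.ref }}
          path: trusted-github  # assumed scratch path
          sparse-checkout: .github
      - name: Replace the fork's .github with the trusted copy
        run: rm -rf .github && mv trusted-github/.github .github
      - name: Run connector tests on modified connectors
        env:
          DAGGER_CLOUD_TOKEN: ${{ secrets.DAGGER_CLOUD_TOKEN_2 }}
          # Untrusted values go through env, never interpolated into the script body.
          HEAD_REPO_URL: ${{ github.event.pull_request.head.repo.clone_url }}
        run: ./airbyte-ci connectors --modified test --git-repo-url "$HEAD_REPO_URL"  # assumed CLI form
```

Pinning `head.sha` rather than the branch ref means the commit a reviewer approved is the one that runs, even if the fork branch is pushed again before the job starts.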