ci: use Github App token to authenticate by gotmax23 · Pull Request #621 · ansible/ansible-documentation

gotmax23 · 2023-10-16T20:35:05Z

This uses the new Ansible Documentation Bot Github app to authenticate with
the Github API instead of the limited token built in to Github Actions.
The app token allows creating automatic dependency update PRs that
trigger CI properly.
A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY
secrets.

Fixes: #382

For now, I've marked this with no_backport so we can test it on devel for a
bit.

oraNod

This is great @gotmax23 🎉 Thanks for putting this all together.

I really like this approach of using the environment as @webknjaz has suggested too. Seeing all the pieces in place now makes a lot more sense.

I was going to suggest adding a wait timer but that somewhat goes against the point. Maybe we can adjust protection rules after this has been in the wild for a bit on devel.

One thing I think we should consider before merging though is limiting the environment to protected branches. Does that sound reasonable?

webknjaz · 2023-10-17T10:15:04Z

      nox-args: "-e 'pip-compile-3.10(requirements)' 'pip-compile-3.10(requirements-relaxed)'"
      reset-branch: "${{ inputs.reset-branch || false }}"
+    secrets: inherit
+    environment: github-bot


@gotmax23 why is this needed on the calling side?

This is apparently needed when using secrets with a reusable workflow.

gotmax23 · 2023-10-17T11:58:24Z

This is great @gotmax23 🎉 Thanks for putting this all together.

Sure!

I was going to suggest adding a wait timer but that somewhat goes against the point. Maybe we can adjust protection rules after this has been in the wild for a bit on devel.

Right.

One thing I think we should consider before merging though is limiting the environment to protected branches. Does that sound reasonable?

The job needs to be able to run using the pull_request_target trigger, and I'm not sure how that'd work with environment protection. We can test it after merging I guess. The environment branch protection is mainly there if it's being used for CD and you only want to allow deployments from certain branches. We're not using it for that.

This uses the new Ansible Documentation Bot Github app to authenticate with the Github API instead of the limited token built in to Github Actions. The app token allows creating automatic dependency update PRs that trigger CI properly. A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY secrets. Fixes: ansible#382

oraNod

I think my previous comments can be disregarded. Thanks again for this @gotmax23

gotmax23 · 2023-10-17T19:35:19Z

Cool. Thanks, @oraNod. I'll merge this now so we can test it and make sure it works. Anything extra can be handled in follow ups.

This uses the new Ansible Documentation Bot Github app to authenticate with the Github API instead of the limited token built in to Github Actions. The app token allows creating automatic dependency update PRs that trigger CI properly. A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY secrets. Fixes: ansible#382 (cherry picked from commit 1efa06b)

This uses the new Ansible Documentation Bot Github app to authenticate with the Github API instead of the limited token built in to Github Actions. The app token allows creating automatic dependency update PRs that trigger CI properly. A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY secrets. (cherry picked from commit 1efa06b) Fixes: ansible#382

gotmax23 added no_backport This PR should not be backported. devel only. tooling This PR affects tooling (CI, pr_labeler, noxfile, linters, etc.) but not the docs builds themselves. labels Oct 16, 2023

gotmax23 requested review from oraNod and webknjaz October 16, 2023 20:35

github-actions Bot added the needs_triage Needs a first human triage before being processed. label Oct 16, 2023

oraNod reviewed Oct 17, 2023

View reviewed changes

Comment thread .github/workflows/labeler.yml

webknjaz reviewed Oct 17, 2023

View reviewed changes

gotmax23 force-pushed the github-app-auth branch from 0158cdd to 5ad6c72 Compare October 17, 2023 14:43

gotmax23 changed the title ~~ci pip-compile: Use Github App token to authenticate~~ ci: Use Github App token to authenticate Oct 17, 2023

gotmax23 changed the title ~~ci: Use Github App token to authenticate~~ ci: use Github App token to authenticate Oct 17, 2023

samccann removed the needs_triage Needs a first human triage before being processed. label Oct 17, 2023

oraNod approved these changes Oct 17, 2023

View reviewed changes

gotmax23 merged commit 1efa06b into ansible:devel Oct 17, 2023

This was referenced Oct 18, 2023

pr_labeler: new contributor welcome is borked #204

Closed

annotations gotmax23/ansible-documentation#14

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: use Github App token to authenticate#621

ci: use Github App token to authenticate#621
gotmax23 merged 1 commit into
ansible:develfrom
gotmax23:github-app-auth

gotmax23 commented Oct 16, 2023

Uh oh!

oraNod left a comment

Uh oh!

Uh oh!

webknjaz Oct 17, 2023

Uh oh!

gotmax23 Oct 17, 2023

Uh oh!

gotmax23 commented Oct 17, 2023

Uh oh!

oraNod left a comment

Uh oh!

gotmax23 commented Oct 17, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

gotmax23 commented Oct 16, 2023

Uh oh!

oraNod left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

webknjaz Oct 17, 2023

Choose a reason for hiding this comment

Uh oh!

gotmax23 Oct 17, 2023

Choose a reason for hiding this comment

Uh oh!

gotmax23 commented Oct 17, 2023

Uh oh!

oraNod left a comment

Choose a reason for hiding this comment

Uh oh!

gotmax23 commented Oct 17, 2023

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants