
ci: use Github App token to authenticate #621

Merged
merged 1 commit into from
Oct 17, 2023

Conversation

gotmax23
Copy link
Collaborator

This uses the new Ansible Documentation Bot Github app to authenticate with
the Github API instead of the limited token built into Github Actions.
The app token allows creating automatic dependency update PRs that
trigger CI properly.
A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY
secrets.

Fixes: #382


For now, I've marked this with no_backport so we can test it on devel for a
bit.

@gotmax23 gotmax23 added no_backport This PR should not be backported. devel only. tooling This PR affects tooling (CI, pr_labeler, noxfile, linters, etc.) but not the docs builds themselves. labels Oct 16, 2023
@github-actions github-actions bot added the needs_triage Needs a first human triage before being processed. label Oct 16, 2023
Contributor

@oraNod oraNod left a comment


This is great @gotmax23 🎉 Thanks for putting this all together.

I really like this approach of using the environment as @webknjaz has suggested too. Seeing all the pieces in place now makes a lot more sense.

I was going to suggest adding a wait timer but that somewhat goes against the point. Maybe we can adjust protection rules after this has been in the wild for a bit on devel.

One thing I think we should consider before merging though is limiting the environment to protected branches. Does that sound reasonable?

@@ -37,3 +33,5 @@ jobs:
pr-branch: "${{ inputs.pr-branch || 'pip-compile/devel/docs' }}"
nox-args: "-e 'pip-compile-3.10(requirements)' 'pip-compile-3.10(requirements-relaxed)'"
reset-branch: "${{ inputs.reset-branch || false }}"
secrets: inherit
environment: github-bot
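Review bot: `secrets: inherit` on this caller job forwards every secret the job can see to the reusable workflow, while the commit message says only BOT_APP_ID and BOT_APP_KEY are needed; passing those two explicitly under `secrets:` (for example `BOT_APP_ID: ${{ secrets.BOT_APP_ID }}`) keeps the called workflow to least privilege and records the dependency in the file. The new `environment: github-bot` line also drew a "why is this needed on the calling side?" question in review, so a one-line comment above it stating that the environment is what holds the bot secrets for this job would save the next reader the same question.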
Member


@gotmax23 why is this needed on the calling side?

Collaborator Author


This is apparently needed when using secrets with a reusable workflow.

@gotmax23
Collaborator Author

This is great @gotmax23 🎉 Thanks for putting this all together.

Sure!

I was going to suggest adding a wait timer but that somewhat goes against the point. Maybe we can adjust protection rules after this has been in the wild for a bit on devel.

Right.

One thing I think we should consider before merging though is limiting the environment to protected branches. Does that sound reasonable?

The job needs to be able to run using the pull_request_target trigger, and I'm not sure how that'd work with environment protection. We can test it after merging I guess. The environment branch protection is mainly there if it's being used for CD and you only want to allow deployments from certain branches. We're not using it for that.

This uses the new Ansible Documentation Bot Github app to authenticate with
the Github API instead of the limited token built into Github Actions.
The app token allows creating automatic dependency update PRs that
trigger CI properly.
A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY
secrets.

Fixes: ansible#382
@gotmax23 gotmax23 changed the title ci pip-compile: Use Github App token to authenticate ci: Use Github App token to authenticate Oct 17, 2023
@gotmax23 gotmax23 changed the title ci: Use Github App token to authenticate ci: use Github App token to authenticate Oct 17, 2023
@samccann samccann removed the needs_triage Needs a first human triage before being processed. label Oct 17, 2023
Contributor

@oraNod oraNod left a comment


I think my previous comments can be disregarded. Thanks again for this @gotmax23

@gotmax23
Collaborator Author

Cool. Thanks, @oraNod. I'll merge this now so we can test it and make sure it works. Anything extra can be handled in follow ups.

@gotmax23 gotmax23 merged commit 1efa06b into ansible:devel Oct 17, 2023
8 checks passed
gotmax23 added a commit to gotmax23/ansible-documentation that referenced this pull request Oct 17, 2023
This uses the new Ansible Documentation Bot Github app to authenticate with
the Github API instead of the limited token built into Github Actions.
The app token allows creating automatic dependency update PRs that
trigger CI properly.
A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY
secrets.

Fixes: ansible#382
(cherry picked from commit 1efa06b)
gotmax23 added a commit to gotmax23/ansible-documentation that referenced this pull request Oct 17, 2023
gotmax23 added a commit to gotmax23/ansible-documentation that referenced this pull request Oct 17, 2023
gotmax23 added a commit to gotmax23/ansible-documentation that referenced this pull request Oct 26, 2023
gotmax23 added a commit to gotmax23/ansible-documentation that referenced this pull request Oct 26, 2023
gotmax23 added a commit to gotmax23/ansible-documentation that referenced this pull request Dec 5, 2023
gotmax23 added a commit to gotmax23/ansible-documentation that referenced this pull request Dec 5, 2023
Labels
no_backport This PR should not be backported. devel only. tooling This PR affects tooling (CI, pr_labeler, noxfile, linters, etc.) but not the docs builds themselves.
Development

Successfully merging this pull request may close these issues.

Fix CI triggering on dependency update PRs
4 participants