ci: use Github App token to authenticate #621
This is great @gotmax23 🎉 Thanks for putting this all together.
I really like this approach of using the environment as @webknjaz has suggested too. Seeing all the pieces in place now makes a lot more sense.
I was going to suggest adding a wait timer but that somewhat goes against the point. Maybe we can adjust protection rules after this has been in the wild for a bit on devel.
One thing I think we should consider before merging though is limiting the environment to protected branches. Does that sound reasonable?
@@ -37,3 +33,5 @@ jobs: | |||
pr-branch: "${{ inputs.pr-branch || 'pip-compile/devel/docs' }}" | |||
nox-args: "-e 'pip-compile-3.10(requirements)' 'pip-compile-3.10(requirements-relaxed)'" | |||
reset-branch: "${{ inputs.reset-branch || false }}" | |||
secrets: inherit | |||
environment: github-bot |
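Review bot: The last two lines of this hunk, `secrets: inherit` and `environment: github-bot`, carry no comment explaining why the calling job needs them, which is the first thing a reader of this workflow will ask. A short YAML comment saying that the github-bot environment holds BOT_APP_ID and BOT_APP_KEY would cover it. Note also that `secrets: inherit` forwards every secret the caller can see to the called workflow, not only those two; if that breadth is intended, say so in the same comment.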
@gotmax23 why is this needed on the calling side?
This is apparently needed when using secrets with a reusable workflow.
Sure!
Right.
The job needs to be able to run using the |
This uses the new Ansible Documentation Bot Github app to authenticate with the Github API instead of the limited token built in to Github Actions. The app token allows creating automatic dependency update PRs that trigger CI properly. A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY secrets. Fixes: ansible#382
0158cdd to 5ad6c72
I think my previous comments can be disregarded. Thanks again for this @gotmax23
Cool. Thanks, @oraNod. I'll merge this now so we can test it and make sure it works. Anything extra can be handled in follow ups.
This uses the new Ansible Documentation Bot Github app to authenticate with the Github API instead of the limited token built in to Github Actions. The app token allows creating automatic dependency update PRs that trigger CI properly. A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY secrets. Fixes: ansible#382 (cherry picked from commit 1efa06b)
This uses the new Ansible Documentation Bot Github app to authenticate with
the Github API instead of the limited token built in to Github Actions.
The app token allows creating automatic dependency update PRs that
trigger CI properly.
A github-bot environment to store the BOT_APP_ID and BOT_APP_KEY
secrets.
Fixes: #382
For now, I've marked this with `no_backport` so we can test it on devel for a bit.