-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ci(secrets): allow ci to use gh package secrets #149
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This makes sense, but we'll want to guard against unauthorized access to secrets using the safe-to-test
label used in other repos:
https://github.com/cryostatio/cryostat/blob/7ec485552750296463d19ad9075347badc60c312/.github/workflows/pr-ci.yml#L29
We'll also need to revise the repo and ref that gets checked out for PRs:
https://github.com/cryostatio/cryostat-operator/blob/1a02ba82282cec37931b9993970dc416c0e1d08a/.github/workflows/ci.yaml#L45-L46
Signed-off-by: Max Cao <macao@redhat.com>
Signed-off-by: Max Cao <macao@redhat.com>
Whoops: https://github.com/cryostatio/cryostat-agent/actions/runs/5279418179/jobs/9550060578 The This repo doesn't currently have a split definition for push-ci vs pr-ci, so I think it'll need that done too. |
This is how @tthvo worked around it in the operator CI: https://github.com/cryostatio/cryostat-operator/blob/1a02ba82282cec37931b9993970dc416c0e1d08a/.github/workflows/ci.yaml#L41 |
That's a good solution too, that way it keeps the single definition but has that conditional check only when applied to a PR run. |
Fixes #126
Not sure if it works because my fork doesn't own a gh repo token that is authenticated for use for pulling a
-core
dependency - does the fix make sense?