Improve custom workflow documentation and add an example #319
Conversation
This makes it more obvious what the syntax is to add them Multiple branches is likely a common usecase for this workflow on flathub
This requires some non-obvious configuration to work correctly, so this seems suitable here. Originally I had thought to keep only one actual copy pastable workflow, but since some options like persist-credentials: false strictly only belong in the fork repository workflow, I thought it was more helpful to keep 2 workflows so each use case can copy paste easily.
| EMAIL: 41898282+github-actions[bot]@users.noreply.github.com | ||
| GITHUB_TOKEN: ${{ secrets.BOT_USER_SECRET }} # replace this with the name of the GitHub Secret where you store the PAT of the user you wish to fork the repo and create PRs | ||
| with: | ||
| args: --update --always-fork $PATH_TO_MANIFEST # e.g. com.organization.myapp.json |
There was a problem hiding this comment.
You don't strictly need --always-fork since the script will check whether it has push access to the main repo, and use a fork if not.
But I can see it is good for documentation value.
There was a problem hiding this comment.
Yeah, I did for documentation value especially since the other example uses --never-fork
README.md
Outdated
| GIT_AUTHOR_NAME: Flatpak External Data Checker | ||
| GIT_COMMITTER_NAME: Flatpak External Data Checker | ||
| # email sets "github-actions[bot]" as commit author, see https://github.community/t/github-actions-bot-email-address/17204/6 | ||
| GIT_AUTHOR_EMAIL: 41898282+github-actions[bot]@users.noreply.github.com |
There was a problem hiding this comment.
These seem suspicious to me. You're providing a GITHUB_TOKEN corresponding to some real user. You should be using (a placeholder for) that user's email address.
There was a problem hiding this comment.
Agreed, I also changed the suggested name to match the email address given by the user for consistency.
|
Hmm, in what case one would want to push updates through a fork of a repo? |
|
The original use case was that the Endless instance of this bot did not have write access to the Flathub repos it monitored. But that use case is long gone! |
As mentioned in the suggested README:
I mostly wanted this since some repos may not want to give bots push access to their real repo. If the bot only has the ability to push to a fork and make PRs (like a normal user on GitHub would), it avoids bad things being pushed to the repo in case the bot was compromised or buggy. |
…uires some non-obvious configuration to work correctly, so this seems suitable here. Originally I had thought to keep only one actual copy pastable workflow, but since some options like persist-credentials: false strictly only belong in the fork repository workflow, I thought it was more helpful to keep 2 workflows so each use case can copy paste easily.
vchernin
force-pushed
the
improve-workflow-forks-documentation
branch
from
11cb17e
to
2a889f4
Compare
Well, I believe this was intended for local or otherwise external f-e-d-c runs. If it's running from a GH workflow, I fail to understand why create a fork. Besides, a fork forces you to use a PAT, which are worse than automatic
What's the bot in this case? If you mean the flathubbot, it has access to all flathub app repos anyway. And if it's a GH workflow in a non-flathub repo, then it's controlled by the repo owner anyway. |
Yes the automatic GITHUB_TOKENs are one time use and certainly more ideal over a permanent one. But there is still a use case for using a PAT for a seperate user…
The use case I had in mind was to create a dummy bot user, for a non Flathub repo. Yes the workflow is controlled by the repo owner, but that doesn’t prevent f-e-d-c or any other tool in the workflows from one day updating and being buggy, or other otherwise misusing their permission. By forcing the tool to push to a fork, it cannot change anything in the real repo without a reviewer accepting a PR from the bot user. Giving permanent access to the PAT of a whole user is not ideal, but if the PAT is leaked the consequences are in my opinion not as severe compared to giving bots push access, as it is only a dummy bot user. It never had write access to anything but its own forked repo. Of course, that is only if users are following the recommendation to not use the dummy user for anything important. Perhaps something like a GitHub app that can be added to the repo would serve this use case better than a PAT, but I’m not really familiar with how they work. |
|
Well, I guess someone may want such setup for some reason, but it's certainly something way too unusual to be worth adding to the readme, especially with a full-blown example workflow manifest. It will only add confusion. |
Yeah this is inevitable with adding more examples. What do you think of splitting these workflows, perhaps putting this new one in a separate file, and then adding something like:
below the original example in the main readme?
I still think it is somewhat useful to document given |
|
Honestly, I think it's not worth documenting with example at all. People doing something this uncommon probably either shouldn't need any examples, or shouldn't be doing it. So, I believe mentioning the |
By this you mean adding an additional line about |
Yes, I think this should be enough for this option. |
This adds an example in case wanting f-e-d-c to fork a repository to make PRs.