Open update deps PRs from galaxybot's fork #11795

Merged (1 commit) on Apr 7, 2021


nsoranzo
Member

@nsoranzo nsoranzo commented Apr 6, 2021

What did you do?

  • Modified the "Update dependencies" GitHub workflow to open PRs using galaxybot's Personal Access Token (which needs to be created and added as a secret by a repository admin) from its own galaxy repository fork.

Why did you make this change?

Pull requests created by an action (in this case create-pull-request) using the default GITHUB_TOKEN cannot trigger other workflows, see https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#triggering-further-workflow-runs

Using a machine account like galaxybot that creates pull requests from its own fork is the most secure workaround, see https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork

How to test the changes?

(select the most appropriate option; if the latter, provide steps for testing below)

  • I've included appropriate automated tests.
  • This is a refactoring of components with existing test coverage.
  • Instructions for manual testing are as follows:
    1. Be a repository admin
    2. Create a Personal Access Token for the galaxybot user and add it to this repository as the GALAXYBOT_PAT secret
    3. Merge and wait for Saturday :)

License

Pull requests created by an action (in this case `create-pull-request`)
using the default `GITHUB_TOKEN` cannot trigger other workflows, see
https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#triggering-further-workflow-runs

Using a machine account like galaxybot that creates pull requests from its
own fork is the most secure workaround, see
https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork
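
The setup described in this PR, as an added configuration sketch that is not the workflow file from the PR itself. The fork name `galaxybot/galaxy`, the cron time, the branch name, the PR title and the update step are assumptions; `GALAXYBOT_PAT` is the secret named above.

```yaml
# Added example, not the project's own workflow file.
name: Update dependencies
on:
  schedule:
    - cron: "0 3 * * 6"        # Saturdays; the time of day is an assumption
permissions:
  contents: read               # the default GITHUB_TOKEN only reads the repo
jobs:
  update:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Update pinned dependencies
        run: make update-dependencies   # hypothetical update step

      # Before: PR opened with the default token. The PR is created,
      # but no other workflow (tests, linting) is triggered on it.
      # - uses: peter-evans/create-pull-request@v3
      #   with:
      #     token: ${{ secrets.GITHUB_TOKEN }}

      # After: the branch is pushed to the machine account's fork with its
      # PAT and the PR is opened from there, so workflows run as for any
      # outside contribution. The bot needs no write access to this
      # repository, so the PAT only grants write access to the bot's own
      # repositories.
      - uses: peter-evans/create-pull-request@v3
        with:
          token: ${{ secrets.GALAXYBOT_PAT }}
          push-to-fork: galaxybot/galaxy      # assumed fork name
          branch: update-dependencies         # assumed branch name
          title: Update Python dependencies   # assumed title
```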
@jdavcs
Member

jdavcs commented Apr 7, 2021

So now someone with admin access to the galaxybot machine account needs to set this up?

@nsoranzo
Member Author

nsoranzo commented Apr 7, 2021

> So now someone with admin access to the galaxybot machine account needs to set this up?

Yes, exactly.

@martenson martenson self-assigned this Apr 7, 2021
@martenson
Member

@nsoranzo what scope does the PAT need?

@martenson
Member

the secret is in place, I gave it the full repo scope as explained here: https://github.com/peter-evans/create-pull-request/blob/master/docs/concepts-guidelines.md#push-pull-request-branches-to-a-fork

@nsoranzo
Member Author

nsoranzo commented Apr 7, 2021

Thanks @martenson, I think that's what's needed.

@nsoranzo nsoranzo merged commit 6c30f0f into galaxyproject:dev Apr 7, 2021
@nsoranzo nsoranzo deleted the update_dep_prs_from_fork branch April 7, 2021 14:25
3 participants