.github/workflows: add action to update tapioca definitions

[issyl0]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

This is a test of the changes of #8233, but raised from a branch on the main repo, not from a fork, so that the Actions run has access to the secrets. Let's see if it works!

We're expecting to see a PR raised by BrewTestBot.

[vidusheeamoli]

Generating split RBIs into sorbet/rbi/hidden-definitions/
fatal: ambiguous argument 'Library/Homebrew/sorbet': unknown revision or path not in the working tree.
Use '--' to separate paths from revisions, like this:
'git <command> [<revision>...] -- [<file>...]'
Switched to a new branch 'tapioca-update-2020-08-10'
fatal: could not read Username for 'https://github.com': No such device or address
##[error]Process completed with exit code 128.

Is this related to GITHUB_TOKEN?

[issyl0]

Still the same problem where we can't push even from a not-forked PR. It's trying to push over HTTPS, which requires a GitHub username and a personal access token. We've got the token, which should work fine (tho I can't see what scopes it has). I wonder if there's a way to specify the username. Or we could git remote set-url git@github.com... to force SSH. 🤔

[issyl0]

Oh good, at least this is a different error!

[issyl0]

OK, so we're getting further, it's trying to push, has the right credentials, but can't push:

Switched to a new branch 'tapioca-update-2020-08-10'
fatal: refs/remotes/origin/HEAD cannot be resolved to branch

🤯

[jonchang]

You can't push to BrewTestBot's repository using GITHUB_TOKEN.

[jonchang]

This existing workflow already works, so you should be able to copy what it's doing without much modification: https://github.com/Homebrew/brew/blob/master/.github/workflows/spdx.yml

[issyl0]

@jonchang We're trying to push to Homebrew/brew branch tapioca-.... We've basically copied the License workflow (the only changes are the Sorbet lines, now I've reset to what @vidusheeamoli had originally). So I'm confused as to how that works but this doesn't.

[issyl0]

From @Bo98 in Slack:

I see your issue - you are running the action in the context of a pull request. You cannot push to origin that way - that would be a security exploit. You must test the action another way (e.g. wait for the scheduled event).

We'll have to merge this (or preferably #8233) as-is and wait three days - which shouldn't be a problem given it's the same as the License Action and we know the commands work.

[jonchang]

Because this new workflow is triggered on the push event, it will run on any pull requests affecting that file. You still can't push to origin from a pull request due to security reasons. So the workflow needs to be broken up into two separate steps:

1. Do the type checking and updating of sorbet files
2. Run git commit, git push

Step 2 needs to be restricted where the GITHUB_REF is master, so it won't try to push when running against a pull request.

[jonchang]

I just noticed this: also need to use actions/checkout since that will automatically set the right permissions to push to origin, using the default GITHUB_TOKEN.

[dawidd6]

actions/checkout won't work well with Homebrew/actions/setup-homebrew. I would propose using Homebrew/actions/git-try-push for pushing the branch.

[MikeMcQuaid]

Step 2 needs to be restricted where the GITHUB_REF is master, so it won't try to push when running against a pull request.

This isn't quite right. It's fine to run on push on Homebrew/brew and push events aren't triggered from fork pull requests.

[issyl0]

After much head-scratching (thanks so much to everyone who offered their opinions!), this finally generated a PR! 🎉 Here it is: #8361

I had to remove the date specifier for the branch as I couldn't set it dynamically to the current date in the git-try-push params, so we should set "automatically delete HEAD branches" in this repo's settings if it's not already on (I don't have enough powers to see or set it). Then every three days it'll use a clean branch to run the Tapioca stuff and raise a PR from. I think we're good at merging things fast enough to get the PR dealt with within three days!

I'll leave this open for a bit so people can check it's not doing anything weird, or if people have ideas for improvements.

EDIT: One thing I notice is CI doesn't appear to have triggered on the above test PR.

[reitermarkus]

One thing I notice is CI doesn't appear to have triggered on the above test PR.

Yeah, I don't think CI is triggered by @github-actions. We had the same problem here: Homebrew/homebrew-cask-fonts#2253 (comment)

[jonchang]

I had to remove the date specifier for the branch as I couldn't set it dynamically to the current date in the git-try-push params, so we should set "automatically delete HEAD branches" in this repo's settings if it's not already on (I don't have enough powers to see or set it).

Does setting an output variable and using it as a substitution like ${{ steps.id.output.branch }} work?

[issyl0]

To summarise the current status of this:

• Pushing works with GITHUB_TOKEN.
• Opening a PR works with GITHUB_TOKEN.
• PRs raised by github-actions[bot] don't trigger CI, so the PR isn't mergeable. Using HOMEBREW_GITHUB_API_TOKEN to (I assume) raise the PR as BrewTestBot doesn't authenticate properly.
• Need to test if we can get date-specific branch names with the workaround that Jon suggested.

[dawidd6]

I'm not sure HOMEBREW_GITHUB_API_TOKEN secret is available in this repo. Had the same issue in Homebrew/actions. Someone with higher access level would need to check and enable it for this repo if it isn't. IIRC this secret is available in org settings, but I might be wrong.

[issyl0]

Ohh. I thought I pulled that as an example from the License action, but it turns out that I read the line wrong and it's the other way around.

Either way, we want to raise PRs as BrewTestBot, I think, so we'll need some other token than the Actions built-in one.

[MikeMcQuaid]

I had to remove the date specifier for the branch as I couldn't set it dynamically to the current date in the git-try-push params, so we should set "automatically delete HEAD branches" in this repo's settings if it's not already on (I don't have enough powers to see or set it). Then every three days it'll use a clean branch to run the Tapioca stuff and raise a PR from. I think we're good at merging things fast enough to get the PR dealt with within three days!

I think it would be nice to use some sort of unique branch identifier OR to force-push to the existing branch name if there's changes rather than failing the workflow.

I'm not sure HOMEBREW_GITHUB_API_TOKEN secret is available in this repo.

It is not. If someone can let me know what rights it needs: I can add it.

[MikeMcQuaid]

Suggested change

	cd "$GITHUB_WORKSPACE/Library/Homebrew"
	bundle install
	bundle exec tapioca sync --exclude json
	bundle exec srb rbi hidden-definitions
	if ! git diff --exit-code -- sorbet; then
	cd "$GITHUB_WORKSPACE/Library/Homebrew"
	bundle install
	bundle exec tapioca sync --exclude json
	bundle exec srb rbi hidden-definitions
	if ! git diff --exit-code -- sorbet; then

I presume this can all be done by #8289? If not: it'd be good to add so a single command can be run.

[issyl0]

@vidusheeamoli How would you feel about integrating these Tapioca update commands into brew typecheck?

[vidusheeamoli]

@issyl0 On it!

[issyl0]

[HOMEBREW_GITHUB_API_TOKEN] is not [set]. If someone can let me know what rights it needs: I can add it.

We need this Action to be able to use a BrewTestBot PAT to push commits to a branch of this repo and raise PRs. That is, public_repo.

[Bo98]

PRs raised by github-actions[bot] don't trigger CI

Why is this the case?

[reitermarkus]

@Bo98, I think it's to avoid recursive actions. You cannot trigger actions with the default GITHUB_TOKEN.

[MikeMcQuaid]

@vidusheeamoli @issyl0 Check out https://github.com/Homebrew/formulae.brew.sh/blob/master/.github/workflows/scheduled.yml and https://github.com/Homebrew/rubydoc.brew.sh/blob/master/.github/workflows/scheduled.yml. I've updated them recently to use Homebrew's actions as much as possible and they should just need use the @BrewTestBot token (as mentioned above).

[MikeMcQuaid]

It's working: #8420