Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reduce usage of admin token #545

Closed
wants to merge 6 commits into from
Closed

Reduce usage of admin token #545

wants to merge 6 commits into from

Conversation

blink1073
Copy link
Contributor

@blink1073 blink1073 commented Dec 27, 2023
edited

  • Add a separate personal_access_token that is only used for the direct push to the target branch, otherwise use the user's token.
  • Add docs that recommend the use of a fine-grained access token in an environment for publish_release
  • Add test for pr ci trigger and personal access token
  • Test against a scratch repo

@blink1073 blink1073 added the enhancement New feature or request label Dec 27, 2023
@jtpio jtpio mentioned this pull request Jan 3, 2024
Merged
2 tasks
@blink1073
Copy link
Contributor Author

blink1073 commented Jan 14, 2024
edited

Okay, it turns out this truly isn't possible if branch protections are on. You get something like:

remote: error: GH006: Protected branch update failed for refs/heads/main.
remote: error: Changes must be made through a pull request. Required status check "test" is expected.

Even if the user running the workflow is an admin.

https://github.com/blink1073/test-python-project/actions/runs/7521308670/job/20471980190

@blink1073
Copy link
Contributor Author

Back to the drawing board:

  • Each org enables Fine-grained personal access tokens.
  • Each repo has an admin-managed scoped access token that must expire every 90 days
  • Any admin can go and create a new access token (or regenerate the old one) and update the secret in the repo

@blink1073 blink1073 changed the title Avoid usage of admin token Reduce usage of admin token Jan 15, 2024
@blink1073
Copy link
Contributor Author

TODO: remove personal_access_token in favor of using an environment secret and using the same token for the whole publish step - this makes things easier on both ends, and the token is still needed either way.

@ElioDiNino
Copy link
Contributor

Is there any way to get the current workflows to work while branch protections are enabled? I can't seem to get it working since skipping just the commit with the changelog and package.json update is coupled with the new tag push.

@blink1073
Copy link
Contributor Author

Hi @ElioDiNino, if you ADMIN_GITHUB_TOKEN has admin permissions on the repo and you haven't selected this option it should work:

image

@ElioDiNino
Copy link
Contributor

Hi @ElioDiNino, if you ADMIN_GITHUB_TOKEN has admin permissions on the repo and you haven't selected this option it should work:

image

Hmm okay, I will try disabling that thanks. I am actually using a GitHub app and generating a token for it in place of using a PAT so that may also be causing issues

@blink1073
Copy link
Contributor Author

This picked up some conflicts and has some work that needs to be removed, going to start a fresh PR.

@blink1073 blink1073 closed this Feb 10, 2024
@blink1073 blink1073 deleted the no-admin-token branch February 10, 2024 13:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@blink1073 @ElioDiNino