ci: refactor commit_verification so it works on PRs from forks#35113
ci: refactor commit_verification so it works on PRs from forks#35113bryangingechen wants to merge 3 commits intoleanprover-community:masterfrom
Conversation
github-actions
bot
added
the
CI
PR summary ca1d0aeba0Import changes for modified filesNo significant changes to the import graph Import changes for all files
Declarations diffNo declarations were harmed in the making of this PR! 🐙 You can run this locally as follows## summary with just the declaration names:
./scripts/declarations_diff.sh <optional_commit>
## more verbose report:
./scripts/declarations_diff.sh long <optional_commit>The doc-module for No changes to technical debt.You can run this locally as
|
| if: steps.check.outputs.has_special == 'true' && steps.verify.outputs.success == 'false' | ||
| run: | | ||
| echo "::error::Commit verification failed. See PR comment for details." | ||
| exit 1 |
There was a problem hiding this comment.
We should still exit the job with an error in this case, no?
There was a problem hiding this comment.
Well, I'm not sure if GitHub will show the downstream workflow in the PR with a red cross, or if people even look at that or only the comment (in other words: is it important to fail?)
There was a problem hiding this comment.
Yeah, we can't exit this one with an error if we want the comment to be posted. (Well we could change the conditional in the workflow_run job so that it also runs if this job failed, but then we'd be mixing up other failures as well.) I think relying on the comment rather than the status of this job should be fine, although maybe a bit confusing. Happy to change if others think otherwise though!
There was a problem hiding this comment.
I think relying on the comment rather than the status of this job should be fine
I definitely don't know what the customs are around this, so if this is what is going on already, ignore my comment, of course :)
There was a problem hiding this comment.
This has been addressed, hasn't it? I see the exit 1 still present in the changes.
| require_event: pull_request | ||
| fail_on_missing: false | ||
| extract: | | ||
| pr_number=meta.pr_number |
There was a problem hiding this comment.
Do you need to plumb pr_number? github.event.workflow_run.pull_requests[0].number seems to be available
There was a problem hiding this comment.
I wasn't aware of that field, but upon searching it seems that it might not be available for PRs from forks? https://github.com/orgs/community/discussions/170144
There was a problem hiding this comment.
Ah, okay. I think it's okay to get it from the bridge, but then maybe remove the github.event.workflow_run.pull_requests[0].number from the concurrency thingy above
| - name: Emit bridge artifact | ||
| if: steps.check.outputs.has_special == 'true' | ||
| uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4 | ||
| uses: leanprover-community/privilege-escalation-bridge/emit@v1 |
There was a problem hiding this comment.
Is this only passing/parsing a JSON and some packaged payload from one workflow to the other? If so, I'd rename it to something more generic like workflow-pipe or workflow-bridge. Also a good candidate to host in a "ci-scripts" repository...
There was a problem hiding this comment.
Yeah, more or less. I decided to make the name somewhat scary as a reminder that the main reason we're using this is to run workflows with more permissions so we should pay attention to security when using it.
There was a problem hiding this comment.
I see! Personally I would still name it based on what it does rather than where we mean to use it -- I can think of 'communication' uses for this already beyond 'privilege escalation' (e.g., the separate-cache-job thing I was working on -- though arguably this is a sort of privilege escalation, or for example pushing some bridge-artifact that is then consumed by the 'send-to-telemetry' workflow!), it looks like a really neat little mechanism (and I'm surprised there's not a standard action for this already).
But I don't have strong feelings on this, so let's go ahead with this :) Maybe if we make a "CI utilities" repo we can migrate the action there and rename it appropriately
There was a problem hiding this comment.
not completely sure, but I think this has been addressed, hasn't it?
| source_workflow: Commit Verification | ||
| expected_head_sha: ${{ github.event.workflow_run.head_sha }} | ||
| require_event: pull_request | ||
| fail_on_missing: false |
There was a problem hiding this comment.
fail_on_missing here presumably means 'when artifact is missing'? But we should not continue if that's the case, right?
There was a problem hiding this comment.
If there are no special commits, the preceding workflow will succeed but not pass on an artifact, so I don't think we should fail the step here; I tried to make it pass and then just skip everything afterwards.
There was a problem hiding this comment.
Maybe we should pass an 'empty' artifact (namely only 'metadata for the bridge')? This way 'empty artifact' is always 'something weird happened', and the happy case can just be signalled with the same bridge-mechanism
| verify: | ||
| name: Verify Transient and Automated Commits | ||
| runs-on: ubuntu-latest | ||
| if: ${{ github.event.workflow_run.conclusion == 'success' }} |
There was a problem hiding this comment.
Related to my other comment where we should fail the original one, in that case we should run still run on failure here but fail or not depending on the contents of the payload
|
@bryangingechen I left some more comments but to your discretion, it looks pretty good to me either way |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| ref: master | ||
| path: master-branch |
There was a problem hiding this comment.
I've been calling this tools-branch in my recent refactors, to make it very explicit that we only check it out to get scripts and stuff
There was a problem hiding this comment.
@bryangingechen is this a suggestion which could be applied here easily? Seems reasonable to strive for consistency
joneugster
left a comment
joneugster
left a comment
There was a problem hiding this comment.
@bryangingechen it looks like there are still some suggestions by Marcelo to consider.
Some of them sound like you could also decide to declare them out-of-scope for this fix and leave them for a future clean-up, but I'm adding awaiting-author to give you the option to address these
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| ref: master | ||
| path: master-branch |
There was a problem hiding this comment.
@bryangingechen is this a suggestion which could be applied here easily? Seems reasonable to strive for consistency
| - name: Emit bridge artifact | ||
| if: steps.check.outputs.has_special == 'true' | ||
| uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v4 | ||
| uses: leanprover-community/privilege-escalation-bridge/emit@v1 |
There was a problem hiding this comment.
not completely sure, but I think this has been addressed, hasn't it?
| if: steps.check.outputs.has_special == 'true' && steps.verify.outputs.success == 'false' | ||
| run: | | ||
| echo "::error::Commit verification failed. See PR comment for details." | ||
| exit 1 |
There was a problem hiding this comment.
This has been addressed, hasn't it? I see the exit 1 still present in the changes.
joneugster
added
the
awaiting-author
3 participants
Currently the commit verification workflow fails when run on a PR from a fork because it tries to post a comment, but its GITHUB_TOKEN is read-only. Example failure
This PR refactors the commit verification workflow using the new leanprover-community/privilege-escalation-bridge, splitting it into two workflows where the second one (triggered by
workflow_runhas access to a GITHUB_TOKEN that can post comments).We also make the workflow run the commit verification scripts from
masterrather than the PR branch to close a small security issue where someone could spoof verification / get the workflow to post arbitrary comments by modifying the scripts in their branch.Prepared with codex.