Github Action for pushing forks to upstream #2143

Merged
merged 3 commits into from Jun 22, 2021
@scholtzan scholtzan commented Jun 21, 2021

This wraps the git-push-fork-to-upstream-branch script into a GitHub Action. The CircleCI config has been updated to have a failing task for forks that will show instructions on how to trigger the GitHub Actions so that integration tests will get executed for forks.

I successfully tested this approach in this repository: https://github.com/scholtzan/gh-actions-test

The main advantage here is that we don't have to share secrets with forks; however, it might be a little unintuitive.

Another option that came to mind that we could try:

  • All environment variables (our secrets) get moved into a restricted context
  • The setup is essentially the same as described here: Bug 1681899 - Update and re-enable size check CI job glean.js#422 (comment)
  • When sharing secrets, SSH keys are also shared, so we'd need to remove deploy keys from the repository settings and move them to environment variables managed by the restricted context
    • The CircleCI config would need to be rewritten to use the SSH keys from the environment variable

This seems a little less safe since it would require sharing secrets with forks (although if set up correctly it should not pose a security problem). Also not sure how much effort rewriting the CircleCI config would be.

@scholtzan scholtzan force-pushed the gh-action branch 2 times, most recently from 4682a58 to c99c2a3 Compare June 21, 2021 22:41
@scholtzan scholtzan requested a review from jklukas June 21, 2021 22:42
@jklukas jklukas left a comment

r+wc

Don't hesitate to go ahead and merge this so that we can do some more concrete testing of this workflow, and then we can PR improvements as needed.

@scholtzan scholtzan force-pushed the gh-action branch 4 times, most recently from 4da4561 to 0d69d13 Compare June 22, 2021 22:26
@scholtzan scholtzan enabled auto-merge (rebase) June 22, 2021 22:40
@scholtzan scholtzan merged commit dfdf195 into main Jun 22, 2021
@scholtzan scholtzan deleted the gh-action branch June 22, 2021 22:41
@scholtzan

This repository doesn't seem to support the webfactory/ssh-agent@v0.5.1 plugin:

webfactory/ssh-agent@v0.5.1 is not allowed to be used in mozilla/bigquery-etl. Actions in this workflow must be: within a repository that belongs to your Enterprise account, created by GitHub or match the following: !/mozilla/**, !mozilla/**, ./**, aws-actions/*, docker/*, pypa/gh-action-pypi-publish@release/v1.4.2.
