-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable renovatebot for this repo (and contrib) #8936
Comments
@codeboten would it be possible to have another workflow monitoring the renovate PR, see the tidy happen, and then do something to the PR to force the CI to rerun like add an extra label? Thats all pretty convoluted, but would remove the need for a human to intervene. |
@TylerHelmuth that might be possible, i tried using a follow up step in the action to remove a label, which triggered a new event but it didn't trigger CI. I'm open to other suggestions! |
I think we'd have to add watches to all the workflows we'd want triggered by the label. Similar to the changelog workflow. |
In my experience, most interactions with the GitHub API from a bot or action are explicitly filtered out from action triggers to prevent workflows from recursively triggering themselves. That said, maybe there's some way we can get clever. I think the changelog label works because it's a human adding/removing the label. For option 1, I don't have any issue with moving ocb to be published from the releases repo. I think having all binaries available in a single spot makes it clearer where to get our built artifacts, so I'm good with restricting binaries to only the releases repo. Are we confident that we can adequately address all of the security concerns with the token's permissions? |
@evan-bradley I believe the only requirement identified was to not publish any executable artifacts from the repository, and to have a workflow that checks this. I don't know if this would require us to also validate that no previously released binary has changed, or that we remove them altogether. As you can see though, the PAT with contents permissions is quite permissive: https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28#repository-permissions-for-contents
I'm all ears if you have suggestions on how to get clever. You're right that the label works when someone interacts with them. |
Finally rid us of the hundreds of notifications. Closes open-telemetry#4885 Closes open-telemetry#8936 --------- Signed-off-by: Alex Boten <aboten@lightstep.com>
@codeboten can I ask a few follow-ups?
|
Renovate supports this as well, however we need to run
This is a good question. I can't remember the details of why
Yes. The original prototyping of using renovate was done w/ forking renovate in hope that it would allow us to run commands needed on the fork. I seem to recall there were permission issues with forking renovate not being able to update PRs, but I can't remember or find the reasoning for the switch documented. |
Thanks for background, @codeboten. I enabled Renovate in Jaeger yesterday, but then switched to Forking flavor, because the permissions on the main one are insane. I know Forking is not able to auto-merge, but we were not planning using that anyway, and everything else seems to work fine: it updates its own PRs and a "Dashboard" issue, and we don't have a need for tidy step. Also Forking flavor manages its own branches, the main flavor was leaving them around (apparently the insane perms it gets are still not enough to delete branches, according to docs I saw somewhere). |
After spending more time testing out renovatebot for this repository, I think it's an overall improvement over what we currently have.
Dependabot workflow
This works in some cases, but often times, the PR produced runs into a variety of issues.
Issues w/ this workflow
An alternative would be to use Renovatebot.
Renovatebot workflow
Issues w/ this workflow
Now ideally, this is where an approver could review the PR and approve it to get it merged. Unfortunately, it isn't quite so simple. Once the "Project: Tidy" has completed, the change does not trigger CI again. This is because the standard token (GITHUB_TOKEN) used to push the change does not have the ability to trigger github actions. This is a known limitation of the token. The solution is to obtain a token with write access to the repository. However, there isn't a way to limit write access of a token to only a branch.
A write token has access to various other things, including publishing release. This was specifically called out as a problem when I opened a community request to obtain such a token. So, there are a few options we have here and I would like other contributors' input on what steps we should follow here:
Options
The text was updated successfully, but these errors were encountered: