Add GitHub actions to recipes #1317

Merged
merged 17 commits into from Oct 23, 2019

alissonperez
Contributor

related #974

Just add a simple GitHub Actions recipe.

@gr2m
Member

gr2m commented Oct 14, 2019

Hey I appreciate you squashing your commits to allow for rebase and merge, but while we still discuss it would actually be helpful to add commits so I can see your changes since my last review.

@alissonperez
Contributor Author

@gr2m Changed. Could you review again, please?

What do you think about that section about repository_dispatch usage?

Tks!

@gr2m
Member

gr2m commented Oct 14, 2019

I would really appreciate if you would write a description without mentioning GH_TOKEN and the git plugin at first, and then add a section about using the git plugin with GitHub actions and why you need to create a separate token, and how to do that. Could you do that?

> What do you think about that section about repository_dispatch usage?

I like it. You could add a separate section and call it something like Trigger semantic-release on demand. You could add even another section called Trigger semantic-release on a schedule, but we can add that later

@alissonperez
Contributor Author

@gr2m yeah, indeed. I made your suggestions, please, take a look when possible.
Tks!

Member

@gr2m gr2m left a comment

Looks good, just a few more comments. Thanks for bearing with me :)

@alissonperez
Contributor Author

alissonperez commented Oct 14, 2019

No problem @gr2m ! Thank you for your review.. If you see any other change, please LMK..

It was adding nothing to this docs.
Member

@gr2m gr2m left a comment

Just one comment, otherwise it's good to go :) I'm sure other folks will have suggestions, we can iterate over time as people suggest further improvements

Contributor

@merlinnot merlinnot left a comment

Overall, it might be worth noting a caveat that often makes developers pull hair out of their heads, that is: GitHub Actions can't trigger GitHub Actions.

To understand better why that's so painful, imagine the following scenario: there's a merge bot of any kind that merges PRs with a minimal number of approvals, generates docs, does whatever you can automate. Once this PR is merged, releases will not be triggered. Below you can find a link to an Action that merges dependency updates in a repo that uses Semantic Release. No dependency updates are released (see history).

https://github.com/ridedott/dependabot-auto-merge-action

@gr2m
Member

gr2m commented Oct 15, 2019

> Overall, it might be worth noting a caveat that often makes developers pull hair out of their heads, that is: GitHub Actions can't trigger GitHub Actions.
>
> To understand better why that's so painful, imagine the following scenario: there's a merge bot of any kind that merges PRs with a minimal number of approvals, generates docs, does whatever you can automate. Once this PR is merged, releases will not be triggered. Below you can find a link to an Action that merges dependency updates in a repo that uses Semantic Release. No dependency updates are released (see history).

That is a very good point, I've lost some hair over this myself although I know about it. We should add a warning.

Co-Authored-By: Natan Sągol <m@merlinnot.com>
@alissonperez
Contributor Author

@gr2m and @merlinnot , I made your suggestions..

About "GitHub Actions can't trigger GitHub Actions": I didn't understand in which flow it's not possible for that to happen, because I have a flow here, in a private repo, that is triggered by an HTTP request (using repository_dispatch). This flow calls semantic release, which makes a commit in the master branch and generates a new release on it. Both flows (push and tagging) are triggered by GitHub. Would it be the same flow that you described? I saw your actions repository and it's really strange that merges don't trigger other actions. Is there some documentation about it?

@merlinnot
Contributor


## Pushing `package.json` changes to `master` branch

If you want to keep your `package.json` updated in your code versioning with your released version you could use [`@semantic-release/git`](https://github.com/semantic-release/git) plugin. To use it you'll need to generate a [`GITHUB_TOKEN`](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) with [permission to push changes to `master` branch](https://help.github.com/en/articles/enabling-branch-restrictions).
Contributor

I think we can still improve this message. It suggests that users have to create this token manually in this case, but the default one already has these permissions. Do you think we can rephrase it somehow, so it's more clear?

Contributor Author

Hum, good point.. I'll think about it..

Member

The problem with the provided GITHUB_TOKEN is that it cannot push to master if you have branch protection enabled. For that you need to create a personal access token.

You can rephrase it and say

To use it you'll need to generate a personal access token with permission to push changes to master branch. Store the personal access token as a secret, then set the GITHUB_TOKEN environment variable from it (instead of from the provided GITHUB_TOKEN secret)

        env:
          GITHUB_TOKEN: ${{ secrets.MY_PERSONAL_ACCESS_TOKEN }}
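
A complete release workflow built around the setting suggested above, added here as an illustration; it is not part of this pull request or of the semantic-release docs. The secret name `MY_PERSONAL_ACCESS_TOKEN` comes from the comment; the file path, action versions, Node version and `NPM_TOKEN` secret are assumptions.

```yaml
# .github/workflows/release.yml (hypothetical path; added example)
name: Release
on:
  push:
    branches:
      - master

jobs:
  release:
    runs-on: ubuntu-latest
    # The provided GITHUB_TOKEN is only needed to read the repository here,
    # so reduce it to read access. All writes go through the personal token.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4   # version is an assumption
        with:
          # By default checkout stores the provided GITHUB_TOKEN in the local
          # git config, and git then authenticates pushes with it. That token
          # cannot push to a protected master, so do not persist it.
          persist-credentials: false
      - uses: actions/setup-node@v4 # version is an assumption
        with:
          node-version: 20          # assumption
      - run: npm ci
      - name: Release
        run: npx semantic-release
        env:
          # Personal access token stored as a repository secret. It acts as
          # the user who created it, so allow only that user to push to
          # master in the branch restrictions and grant the token no scopes
          # beyond what the release needs.
          GITHUB_TOKEN: ${{ secrets.MY_PERSONAL_ACCESS_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}  # assumption: publishing to npm
```

Because the personal access token carries its owner's rights on every repository that user can reach, a dedicated account with access to this repository only keeps the impact of a leaked secret small.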

Contributor Author

Thanks @gr2m , I changed with your changes. Please, take a look what do you think guys. @merlinnot

@alissonperez
Contributor Author

alissonperez commented Oct 16, 2019

This might give you some more information: https://github.community/t5/GitHub-Actions/Allow-triggering-actions-by-other-actions/td-p/34793

hum, makes sense to work for me, I'm using a specific GH_TOKEN for it, if I understood well how to trigger workflows from other workflows.

Do you think, @merlinnot, that we could add some reference or a kind of "warn" about this?

@gr2m gr2m mentioned this pull request Oct 19, 2019
@rarkins

rarkins commented Oct 19, 2019

I think it’s becoming very common to have master branch protection enabled. What functionality exactly requires “pushing to master”?

@alissonperez
Contributor Author

alissonperez commented Oct 20, 2019

@rarkins Yes, it's very common. I faced this problem when I needed to push my package.json changes (with new version) to master branch using https://github.com/semantic-release/git . What I did is to enable only the user from GH_TOKEN to push changes to master.

Alisson R. Perez and others added 2 commits October 19, 2019 23:46
@merlinnot
Contributor

@alissonperez I opened a PR which should hopefully shed some light on what's broken with GITHUB_TOKEN: alissonperez#1. Could you take a look and provide me with some feedback?

Contributor

@merlinnot merlinnot left a comment

I think it's a very good start! Let's see what issues people start to open and improve the guide based on this feedback?

@alissonperez
Contributor Author

Yes, awesome!! Indeed! thanks @merlinnot !

Member

@gr2m gr2m left a comment

Let's ship it 👏

@gr2m gr2m merged commit f645547 into semantic-release:master Oct 23, 2019
JoA-MoS added a commit to semantic-release-plus/semantic-release that referenced this pull request Oct 25, 2019
@semantic-release-bot
Collaborator

🎉 This PR is included in version 15.13.28 🎉

The release is available on:

Your semantic-release bot 📦🚀

@semantic-release-bot
Collaborator

🎉 This PR is included in version 16.0.0-beta.27 🎉

The release is available on:

Your semantic-release bot 📦🚀
