From 6bbe09b0edb52db317a3a1dc4a69ae701abdb604 Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 07:14:22 +0800
Subject: [PATCH 1/3] ci: unify secrets on GitHub
---
.github/workflows/renovate.yml | 2 +-
docs/management/config.md | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 299b8ffc..69c3fa7f 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -31,8 +31,8 @@ jobs:
echo "Generally, Renovate automatically detects the git author and email using the token. However, explicitly setting the `RENOVATE_GIT_AUTHOR` will override this behavior." >> $GITHUB_STEP_SUMMARY
- name: Run Renovate
env:
- RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN || steps.generate-token.outputs.token }}
RENOVATE_GIT_AUTHOR: ${{ vars.RENOVATE_GIT_AUTHOR }}
+ RENOVATE_TOKEN: ${{ steps.generate-token.outputs.token || secrets.PAT || secrets.GITHUB_TOKEN }}
run: |
if [ -z "$RENOVATE_TOKEN" ]; then
echo "RENOVATE_TOKEN is not properly configured, skipping ..."
diff --git a/docs/management/config.md b/docs/management/config.md
index 64c4fcfc..6514bb7d 100644
--- a/docs/management/config.md
+++ b/docs/management/config.md
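Review bot: With `secrets.GITHUB_TOKEN` as the final fallback in the new `RENOVATE_TOKEN` line, the `if [ -z "$RENOVATE_TOKEN" ]` guard in the `run:` script below can no longer fire, because that token is always populated for a workflow run; the step will now run Renovate with `GITHUB_TOKEN` whenever neither the app token nor `PAT` is set, and that token has known limits (pull requests it opens do not trigger other workflow runs, and it only works if the job's `permissions` grant the needed write scopes, which are outside this hunk). Either drop the last fallback so the guard keeps its meaning, or keep it and document the consequence above the line: `# GITHUB_TOKEN always resolves; the "not properly configured" branch below is now unreachable`. The precedence is also reversed from the removed line (the app token now wins over the PAT, where before the secret won over the app token), and a one-line comment naming that order would save a reader a trip through the history. The same applies to the template hunk `@@ -35,8 +35,8 @@` in `renovate.yml.jinja` (patch 2/3); note that the `Run Renovate` step continues outside the hunk.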
@@ -27,7 +27,7 @@ There are several configurations to utilize the features provided by the project
1. Set the **variable** `PDM_PUBLISH_REPO`, the repository (package index) URL to upload the package which defaults to `https://pypi.org`, the official PyPI.
1. Set the **variable** `PDM_PUBLISH_USERNAME`, the username to authenticate to the repository (package index) which defaults to `__token__`, used for [API token](https://pypi.org/help/#apitoken).
1. Set the **secret** `PDM_PUBLISH_PASSWORD`, the password to authenticate to the repository (package index).
-1. Renovate authentication:
+1. Renovate & semantic-release authentication:
There are two approaches, either with GitHub App or with personal access token (classic). GitHub App is the more recommended way to avoid the issues and pull requests tied to a particular user.
@@ -43,7 +43,7 @@ There are several configurations to utilize the features provided by the project
:::{tab-item} personal access token (classic)
1. [Create a personal access token (classic)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) with **workflow** scope.
- 1. Navigate to the [Actions secrets and variables](https://github.com/serious-scaffold/ss-python/settings/secrets/actions) settings and set the token as a **secret** `RENOVATE_TOKEN`.
+ 1. Navigate to the [Actions secrets and variables](https://github.com/serious-scaffold/ss-python/settings/secrets/actions) settings and set the token as a **secret** `PAT`.
:::
::::
From be3042dc5c72b5e775a7b38149d089cf865e8d23 Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 07:17:57 +0800
Subject: [PATCH 2/3] update template
---
.../workflows/renovate.yml.jinja | 2 +-
template/docs/management/config.md.jinja | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/template/[% if repo_platform == 'github' %].github[% endif %]/workflows/renovate.yml.jinja b/template/[% if repo_platform == 'github' %].github[% endif %]/workflows/renovate.yml.jinja
index a6db73b2..320e7a30 100644
--- a/template/[% if repo_platform == 'github' %].github[% endif %]/workflows/renovate.yml.jinja
+++ b/template/[% if repo_platform == 'github' %].github[% endif %]/workflows/renovate.yml.jinja
@@ -35,8 +35,8 @@ jobs:
echo "Generally, Renovate automatically detects the git author and email using the token. However, explicitly setting the `RENOVATE_GIT_AUTHOR` will override this behavior." >> $GITHUB_STEP_SUMMARY
- name: Run Renovate
env:
- RENOVATE_TOKEN: {{ '${{ secrets.RENOVATE_TOKEN || steps.generate-token.outputs.token }}' }}
RENOVATE_GIT_AUTHOR: {{ '${{ vars.RENOVATE_GIT_AUTHOR }}' }}
+ RENOVATE_TOKEN: {{ '${{ steps.generate-token.outputs.token || secrets.PAT || secrets.GITHUB_TOKEN }}' }}
run: |
if [ -z "$RENOVATE_TOKEN" ]; then
echo "RENOVATE_TOKEN is not properly configured, skipping ..."
diff --git a/template/docs/management/config.md.jinja b/template/docs/management/config.md.jinja
index 8d09d9c7..dfbdd268 100644
--- a/template/docs/management/config.md.jinja
+++ b/template/docs/management/config.md.jinja
@@ -27,7 +27,7 @@ There are several configurations to utilize the features provided by the project
1. Set the **variable** `PDM_PUBLISH_REPO`, the repository (package index) URL to upload the package which defaults to `https://pypi.org`, the official PyPI.
1. Set the **variable** `PDM_PUBLISH_USERNAME`, the username to authenticate to the repository (package index) which defaults to `__token__`, used for [API token](https://pypi.org/help/#apitoken).
1. Set the **secret** `PDM_PUBLISH_PASSWORD`, the password to authenticate to the repository (package index).
-1. Renovate authentication:
+1. Renovate & semantic-release authentication:
There are two approaches, either with GitHub App or with personal access token (classic). GitHub App is the more recommended way to avoid the issues and pull requests tied to a particular user.
@@ -43,7 +43,7 @@ There are several configurations to utilize the features provided by the project
:::{tab-item} personal access token (classic)
1. [Create a personal access token (classic)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) with **workflow** scope.
- 1. Navigate to the [Actions secrets and variables](https://github.com/{{ repo_namespace }}/{{ repo_name }}/settings/secrets/actions) settings and set the token as a **secret** `RENOVATE_TOKEN`.
+ 1. Navigate to the [Actions secrets and variables](https://github.com/{{ repo_namespace }}/{{ repo_name }}/settings/secrets/actions) settings and set the token as a **secret** `PAT`.
:::
::::
From b6d8297deefee4fd8e74bc96ddbc74663fa59326 Mon Sep 17 00:00:00 2001
From: Xuan Hu
Date: Sat, 18 May 2024 07:40:00 +0800
Subject: [PATCH 3/3] warn if use GITHUB_TOKEN in renovate
---
.github/workflows/renovate.yml | 6 ++++++
.../workflows/renovate.yml.jinja | 6 ++++++
2 files changed, 12 insertions(+)
diff --git a/.github/workflows/renovate.yml b/.github/workflows/renovate.yml
index 69c3fa7f..8ae145ad 100644
--- a/.github/workflows/renovate.yml
+++ b/.github/workflows/renovate.yml
@@ -24,6 +24,12 @@ jobs:
with:
app-id: ${{ vars.BOT_APP_ID }}
private-key: ${{ secrets.BOT_PRIVATE_KEY }}
+ - name: Warn if use GITHUB_TOKEN
+ run: |
+ if [ -z "${{ steps.generate-token.outputs.token || secrets.PAT }}" ]; then
+ echo "# :warning: GITHUB_TOKEN is used for renovate" >> $GITHUB_STEP_SUMMARY
+ echo "The GITHUB_TOKEN is used instead of a bot token or PAT and will not emit the checks for the pull requests." >> $GITHUB_STEP_SUMMARY
+ fi
- name: Warn if RENOVATE_GIT_AUTHOR is set while using GitHub App token
if: steps.generate-token.outputs.token && vars.RENOVATE_GIT_AUTHOR
run: |
diff --git a/template/[% if repo_platform == 'github' %].github[% endif %]/workflows/renovate.yml.jinja b/template/[% if repo_platform == 'github' %].github[% endif %]/workflows/renovate.yml.jinja
index 320e7a30..e0ca3a72 100644
--- a/template/[% if repo_platform == 'github' %].github[% endif %]/workflows/renovate.yml.jinja
+++ b/template/[% if repo_platform == 'github' %].github[% endif %]/workflows/renovate.yml.jinja
@@ -28,6 +28,12 @@ jobs:
with:
app-id: {{ '${{ vars.BOT_APP_ID }}' }}
private-key: {{ '${{ secrets.BOT_PRIVATE_KEY }}' }}
+ - name: Warn if use GITHUB_TOKEN
+ run: |
+ if [ -z "{{ '${{ steps.generate-token.outputs.token || secrets.PAT }}' }}" ]; then
+ echo "# :warning: GITHUB_TOKEN is used for renovate" >> $GITHUB_STEP_SUMMARY
+ echo "The GITHUB_TOKEN is used instead of a bot token or PAT and will not emit the checks for the pull requests." >> $GITHUB_STEP_SUMMARY
+ fi
- name: Warn if RENOVATE_GIT_AUTHOR is set while using GitHub App token
if: steps.generate-token.outputs.token && vars.RENOVATE_GIT_AUTHOR
run: |
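Review bot: The new `Warn if use GITHUB_TOKEN` step substitutes `${{ steps.generate-token.outputs.token || secrets.PAT }}` straight into the `run:` script text, so a live token value becomes part of the shell source before execution; GitHub's hardening guidance is to pass expression values through `env:` and read them as shell variables, which is also what the neighbouring `Run Renovate` step already does with `RENOVATE_TOKEN`. Give the step `env:` with `TOKEN_OVERRIDE: ${{ steps.generate-token.outputs.token || secrets.PAT }}` and test `if [ -z "$TOKEN_OVERRIDE" ]; then` instead (the `secrets` context is not usable in a step-level `if:`, so `env:` is the right place for the check). The summary wording is also imprecise: the actual limitation is that pull requests created with `GITHUB_TOKEN` do not trigger other workflow runs, so `echo "Pull requests opened with GITHUB_TOKEN do not trigger workflow runs, so no checks will appear on them." >> $GITHUB_STEP_SUMMARY` states the consequence a reader can act on. The template hunk `@@ -28,6 +28,12 @@` in `renovate.yml.jinja` on the same line needs the same two changes.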