Revise ADR: Use the auth token to fetch the workflow repo #190
Conversation
| @@ -40,9 +40,12 @@ We want to take this opportunity to make behavioral changes, from v1. This docum | |||
| default: ${{ github.token }} | |||
| ssh-key: | |||
There was a problem hiding this comment.
Many actions take a dependency on auth being configured. So for the workflow repo, even after the initial fetch we need to leave the remote URL configured as HTTPS.
We could always add a separate input prefer-ssh to let users opt in to fetching the main repo using SSH. I worry a little bit about relative URLs.
Do we need to worry about LFS? I don't it affects this decision - using the token should be fine?
There was a problem hiding this comment.
If we are adding extra inputs for this scenario we may want to consider having the inputs be opt in for users who need this functionality. It would be less entangled in the mainline scenario.
Its a bit verbose but we could do:
submodules-ssh-key
submodules-token
They would default to ssh-key or token.
This would enable us to work on any repo (not just the repo that kicked off the action). Users who don't need this scenario would ignore these inputs (and the consequences from them)
There was a problem hiding this comment.
Many actions take a dependency on auth being configured. So for the workflow repo, even after the initial fetch we need to leave the remote URL configured as HTTPS.
We could do a pass on persist-credentials to state that ssh-config will only ever be set for submodules
There was a problem hiding this comment.
I think we're saying different things. This proposal changes the behavior for the main repo only ("the repository the workflow is running in").
There was a problem hiding this comment.
Also i think it's ok to still configure the ssh command. Remotes that use HTTPS wont use it.
There was a problem hiding this comment.
Discussed offline. Separate inputs submodules-ssh-key and submodules-token makes more sense.
Reasons customers would want to use ssh key for the workflow repo:
- Trigger additional run on push
- Push a commit that edits the workflow file
ericsciple
force-pushed
the
users/ericsciple/m167ssh
branch
from
58dbd86 to
3fcc310
Compare
ericsciple
changed the title
|
|
||
|
|
||
| When fetching the repository the workflow is running in, the auth token will be used | ||
| and configured instead. This enables the SSH key to be used only for submodules. |
There was a problem hiding this comment.
Is this defaulting to the token input (so it could be a user's PAT?) or the GitHub Token.
GitHub token expires after an hour, for long builds pushing changes after running tests we could see issues if we default to that.
There was a problem hiding this comment.
Technically could be the user's PAT; assumption it's the GitHub token.
There was a problem hiding this comment.
Seems uncommon to use PAT and SSH. The scenario here is, the main repo should just work even if SSH key doesnt have permission.
Related to issue #183