From 6a29d5b7668a3daf41350d49e75198059512fa3e Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sat, 24 Feb 2024 10:29:23 -0600 Subject: [PATCH 01/10] Use best practices in example workflows --- .github/workflows/prep-self-release.yml | 4 +- .github/workflows/publish-changelog.yml | 11 ++++- .github/workflows/publish-self-release.yml | 11 +++-- example-workflows/full-release.yml | 54 ++++++++++++++-------- example-workflows/prep-release.yml | 15 +++--- example-workflows/publish-changelog.yml | 10 +++- example-workflows/publish-release.yml | 21 +++++---- 7 files changed, 86 insertions(+), 40 deletions(-) diff --git a/.github/workflows/prep-self-release.yml b/.github/workflows/prep-self-release.yml index a3654290..b59e97a3 100644 --- a/.github/workflows/prep-self-release.yml +++ b/.github/workflows/prep-self-release.yml @@ -26,6 +26,8 @@ on: jobs: prep_release: runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: actions/checkout@v4 - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 @@ -37,7 +39,7 @@ jobs: id: prep-release uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} version_spec: ${{ github.event.inputs.version_spec }} post_version_spec: ${{ github.event.inputs.post_version_spec }} target: jupyter-server/jupyter_releaser diff --git a/.github/workflows/publish-changelog.yml b/.github/workflows/publish-changelog.yml index dc31f350..8ec872ad 100644 --- a/.github/workflows/publish-changelog.yml +++ b/.github/workflows/publish-changelog.yml 
@@ -12,18 +12,27 @@ on: jobs: publish_changelog: runs-on: ubuntu-latest + environment: release steps: - uses: actions/checkout@v4 - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 + - name: Install Dependencies shell: bash run: | pip install -e . + + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + - name: Publish changelog id: publish-changelog uses: jupyter-server/jupyter_releaser/.github/actions/publish-changelog@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} target: ${{ github.event.inputs.target }} branch: ${{ github.event.inputs.branch }} diff --git a/.github/workflows/publish-self-release.yml b/.github/workflows/publish-self-release.yml index d039a844..ad9f9beb 100644 --- a/.github/workflows/publish-self-release.yml +++ b/.github/workflows/publish-self-release.yml @@ -17,8 +17,6 @@ jobs: runs-on: ubuntu-latest environment: release permissions: - # This is useful if you want to use PyPI trusted publisher - # and NPM provenance id-token: write steps: - uses: actions/checkout@v4 @@ -27,11 +25,16 @@ jobs: shell: bash run: | pip install -e . + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} - name: Populate Release id: populate-release uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} target: jupyter-server/jupyter_releaser branch: ${{ github.event.inputs.branch }} release_url: ${{ github.event.inputs.release_url }} 
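Review bot: The App token minted by the new `actions/create-github-app-token@v1` step carries every permission of the App installation, and the docs added later in this series tell adopters to install the App on all repositories with Contents read/write, so the token handed to the publish-changelog action can push to every repository in the organization rather than only `${{ github.event.inputs.target }}`. The action also accepts `owner` and `repositories` inputs, and scoping the token to the target repository there is the least-privilege form (`target` is `owner/repo`, as in `target: jupyter-server/jupyter_releaser` in prep-self-release.yml, so it needs splitting before it can be passed as `repositories`). The job declares no `permissions:` block either, so `GITHUB_TOKEN` keeps the repository default although nothing after checkout uses it; `permissions:` / `  contents: read` under `publish_changelog` is enough for `actions/checkout@v4`. The scoping point applies equally to the app-token steps added in .github/workflows/publish-self-release.yml (this line), example-workflows/full-release.yml, example-workflows/publish-changelog.yml and example-workflows/publish-release.yml; the missing `permissions:` block recurs only in example-workflows/publish-changelog.yml.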
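Review bot: The `@@ -17,8 +17,6 @@` hunk of publish-self-release.yml removes the two comment lines that explained why `id-token: write` is granted, leaving the permission unexplained in a job that now authenticates with the App token, so a later reader may take it for a leftover and drop it. Keep a one-line why-comment above it, e.g. `# OIDC token for PyPI Trusted Publishing and npm provenance`. The same comment is dropped in example-workflows/full-release.yml (hunk `@@ -27,12 +27,10 @@`, where the permission moves to the new `publish_release` job without it) and example-workflows/publish-release.yml (hunk `@@ -15,18 +15,24 @@`). The enclosing job starts above this hunk.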
@@ -43,7 +46,7 @@ jobs: NPM_TOKEN: ${{ secrets.NPM_TOKEN }} uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} target: ${{ github.event.inputs.target }} release_url: ${{ steps.populate-release.outputs.release_url }} diff --git a/example-workflows/full-release.yml b/example-workflows/full-release.yml index 186631b8..1afe7486 100644 --- a/example-workflows/full-release.yml +++ b/example-workflows/full-release.yml @@ -12,10 +12,10 @@ on: post_version_spec: description: "Post Version Specifier" required: false - # silent: - # description: "Set a placeholder in the changelog and don't publish the release." - # required: false - # type: boolean + silent: + description: "Set a placeholder in the changelog and don't publish the release." + required: false + type: boolean since: description: "Use PRs with activity since this date or git reference" required: false @@ -27,12 +27,10 @@ on: description: "Comma separated list of steps to skip during Populate Release" required: false jobs: - full_release: + prep_release: runs-on: ubuntu-latest permissions: - # This is useful if you want to use PyPI trusted publisher - # and NPM provenance - id-token: write + contents: write steps: - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 
@@ -40,34 +38,48 @@ jobs: id: prep-release uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} version_spec: ${{ github.event.inputs.version_spec }} + silent: ${{ github.event.inputs.silent }} post_version_spec: ${{ github.event.inputs.post_version_spec }} + target: ${{ github.event.inputs.target }} branch: ${{ github.event.inputs.branch }} - # silent: ${{ github.event.inputs.silent }} since: ${{ github.event.inputs.since }} since_last_stable: ${{ github.event.inputs.since_last_stable }} + publish_release: + needs: [prep_release] + runs-on: ubuntu-latest + environment: release + permissions: + id-token: write + steps: + - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 + + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + - name: Populate Release id: populate-release uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} + target: ${{ github.event.inputs.target }} branch: ${{ github.event.inputs.branch }} - release_url: ${{ steps.prep-release.outputs.release_url }} + release_url: ${{ github.event.inputs.release_url }} steps_to_skip: ${{ github.event.inputs.steps_to_skip }} - name: Finalize Release id: finalize-release env: - # The following are needed if you use legacy PyPI set up - # PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} - # PYPI_TOKEN_MAP: ${{ secrets.PYPI_TOKEN_MAP }} - # TWINE_USERNAME: __token__ NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2 + uses: jupyter-server/jupyter-releaser/.github/actions/finalize-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} + target: ${{ github.event.inputs.target }} release_url: ${{ 
steps.populate-release.outputs.release_url }} - name: "** Next Step **" @@ -75,3 +87,9 @@ jobs: run: | echo "Verify the final release" echo ${{ steps.finalize-release.outputs.release_url }} + + - name: "** Failure Message **" + if: ${{ failure() }} + run: | + echo "Failed to Publish the Draft Release Url:" + echo ${{ steps.populate-release.outputs.release_url }} diff --git a/example-workflows/prep-release.yml b/example-workflows/prep-release.yml index 83f876f8..396330bb 100644 --- a/example-workflows/prep-release.yml +++ b/example-workflows/prep-release.yml @@ -12,10 +12,10 @@ on: post_version_spec: description: "Post Version Specifier" required: false - # silent: - # description: "Set a placeholder in the changelog and don't publish the release." - # required: false - # type: boolean + silent: + description: "Set a placeholder in the changelog and don't publish the release." + required: false + type: boolean since: description: "Use PRs with activity since this date or git reference" required: false @@ -26,6 +26,8 @@ on: jobs: prep_release: runs-on: ubuntu-latest + permissions: + contents: write steps: - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 @@ -33,11 +35,12 @@ jobs: id: prep-release uses: jupyter-server/jupyter_releaser/.github/actions/prep-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ secrets.GITHUB_TOKEN }} version_spec: ${{ github.event.inputs.version_spec }} + silent: ${{ github.event.inputs.silent }} post_version_spec: ${{ github.event.inputs.post_version_spec }} + target: ${{ github.event.inputs.target }} branch: ${{ github.event.inputs.branch }} - # silent: ${{ github.event.inputs.silent }} since: ${{ github.event.inputs.since }} since_last_stable: ${{ github.event.inputs.since_last_stable }} diff --git a/example-workflows/publish-changelog.yml b/example-workflows/publish-changelog.yml index ad612f26..60af4c5f 100644 --- a/example-workflows/publish-changelog.yml 
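Review bot: `release_url: ${{ github.event.inputs.release_url }}` in the Populate Release step loses the draft that `prep_release` just created: splitting the workflow into two jobs puts `steps.prep-release` out of scope, and the `on:` inputs visible in this file's earlier hunks declare no `release_url`; even if one is declared in the unseen lines 21–26, a dispatch input would not be the draft this run produced. Expose it as a job output instead: under `prep_release` add `outputs:` / `  release_url: ${{ steps.prep-release.outputs.release_url }}`, and in the populate step use `release_url: ${{ needs.prep_release.outputs.release_url }}`. The `prep_release` job header sits above this hunk, so the `outputs:` key lands outside it. Separately, `target: ${{ github.event.inputs.target }}` is passed to all three steps here and in example-workflows/prep-release.yml (hunk `@@ -33,11 +35,12 @@`) although no `target` input is visible in either file's `on:` block; if it is not declared in the unseen lines, the actions receive an empty string.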
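Review bot: The new "** Failure Message **" step interpolates `${{ steps.populate-release.outputs.release_url }}` straight into the `run:` script, repeating the pattern of the existing Next Step step above it. A step output is not raw user input, so the exposure is lower than for a workflow input, but the conventional hardening is to bind the value to an environment variable and quote it: `env:` / `  RELEASE_URL: ${{ steps.populate-release.outputs.release_url }}` with `run: echo "Failed to Publish the Draft Release Url: $RELEASE_URL"`. Quoting the variable also keeps an empty or whitespace-containing value from being word-split by `echo`.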
+++ b/example-workflows/publish-changelog.yml @@ -12,13 +12,21 @@ on: jobs: publish_changelog: runs-on: ubuntu-latest + environment: release steps: - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 + + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + - name: Publish changelog id: publish-changelog uses: jupyter-server/jupyter_releaser/.github/actions/publish-changelog@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} branch: ${{ github.event.inputs.branch }} - name: "** Next Step **" diff --git a/example-workflows/publish-release.yml b/example-workflows/publish-release.yml index cf6d9058..a4222cac 100644 --- a/example-workflows/publish-release.yml +++ b/example-workflows/publish-release.yml @@ -15,18 +15,24 @@ on: jobs: publish_release: runs-on: ubuntu-latest + environment: release permissions: - # This is useful if you want to use PyPI trusted publisher - # and NPM provenance id-token: write steps: - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1 + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.APP_PRIVATE_KEY }} + - name: Populate Release id: populate-release uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} + target: ${{ github.event.inputs.target }} branch: ${{ github.event.inputs.branch }} release_url: ${{ github.event.inputs.release_url }} steps_to_skip: ${{ github.event.inputs.steps_to_skip }} 
@@ -34,14 +40,11 @@ jobs: - name: Finalize Release id: finalize-release env: - # The following are needed if you use legacy PyPI set up - # PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }} - # PYPI_TOKEN_MAP: ${{ secrets.PYPI_TOKEN_MAP }} - # TWINE_USERNAME: __token__ NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2 + uses: jupyter-server/jupyter-releaser/.github/actions/finalize-release@v2 with: - token: ${{ secrets.ADMIN_GITHUB_TOKEN }} + token: ${{ steps.app-token.outputs.token }} + target: ${{ github.event.inputs.target }} release_url: ${{ steps.populate-release.outputs.release_url }} - name: "** Next Step **" From 6f94806063019fcaec59ef2c7634344c065ba387 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sat, 24 Feb 2024 10:39:25 -0600 Subject: [PATCH 02/10] fix repo name --- example-workflows/full-release.yml | 2 +- example-workflows/publish-release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/example-workflows/full-release.yml b/example-workflows/full-release.yml index 1afe7486..060174fc 100644 --- a/example-workflows/full-release.yml +++ b/example-workflows/full-release.yml @@ -76,7 +76,7 @@ jobs: id: finalize-release env: NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - uses: jupyter-server/jupyter-releaser/.github/actions/finalize-release@v2 + uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2 with: token: ${{ steps.app-token.outputs.token }} target: ${{ github.event.inputs.target }} diff --git a/example-workflows/publish-release.yml b/example-workflows/publish-release.yml index a4222cac..4f5ad16f 100644 --- a/example-workflows/publish-release.yml +++ b/example-workflows/publish-release.yml 
@@ -41,7 +41,7 @@ jobs: id: finalize-release env: NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - uses: jupyter-server/jupyter-releaser/.github/actions/finalize-release@v2 + uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2 with: token: ${{ steps.app-token.outputs.token }} target: ${{ github.event.inputs.target }} From d22394bd9b164b1e2a4d4ff929685ee9229d1750 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sat, 24 Feb 2024 10:41:00 -0600 Subject: [PATCH 03/10] fix example --- example-workflows/publish-release.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/example-workflows/publish-release.yml b/example-workflows/publish-release.yml index 4f5ad16f..c1881060 100644 --- a/example-workflows/publish-release.yml +++ b/example-workflows/publish-release.yml @@ -32,7 +32,6 @@ jobs: uses: jupyter-server/jupyter_releaser/.github/actions/populate-release@v2 with: token: ${{ steps.app-token.outputs.token }} - target: ${{ github.event.inputs.target }} branch: ${{ github.event.inputs.branch }} release_url: ${{ github.event.inputs.release_url }} steps_to_skip: ${{ github.event.inputs.steps_to_skip }} @@ -44,7 +43,6 @@ jobs: uses: jupyter-server/jupyter_releaser/.github/actions/finalize-release@v2 with: token: ${{ steps.app-token.outputs.token }} - target: ${{ github.event.inputs.target }} release_url: ${{ steps.populate-release.outputs.release_url }} - name: "** Next Step **" From 67de8009bb6d6ea600f8538996ca7747a1d416d0 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sun, 25 Feb 2024 07:58:43 -0600 Subject: [PATCH 04/10] Update the documentation --- docs/source/background/theory.md | 7 +++ .../how_to_guides/convert_repo_from_repo.md | 47 ++++++++++++------- docs/source/how_to_guides/maintain_fork.md | 2 +- 3 files changed, 38 insertions(+), 18 deletions(-) diff --git a/docs/source/background/theory.md b/docs/source/background/theory.md index c6fe3647..dbe796ff 100644 --- a/docs/source/background/theory.md +++ b/docs/source/background/theory.md 
@@ -13,6 +13,13 @@ This project should help maintainers reduce toil and save time in the release pr - Dry run publish on CI - Revert to Dev version after release (optional) +## Security + +We strive to use the most secure release practices possible, reflected in the `Checklist for Adoption` +and the example workflows. +This includes using PyPI Trusted Publishing, using GitHub Environments, encouraging the use of Rulesets and GitHub Apps with limited bypass capability, and provenance data for npm. +In addition, there is an automatic check for whether the user who triggered the action is an admin. + ## Action Details Detailed workflows are available to draft a changelog, draft a release, publish a release, and check a release. diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md index af0fb0e9..b56845fa 100644 --- a/docs/source/how_to_guides/convert_repo_from_repo.md +++ b/docs/source/how_to_guides/convert_repo_from_repo.md 
@@ -16,25 +16,30 @@ See checklist below for details: ## Checklist for Adoption -- [ ] Add a GitHub [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token), preferably from a "machine user" GitHub - account that has admin access to the repository. The token itself will - need "public_repo", and "repo:status" permissions. Save the token as - `ADMIN_GITHUB_TOKEN` - in the [repository secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository). We need this - access token to allow for branch protection rules, which block the pushing - of commits when using the `GITHUB_TOKEN`, even when run from an admin user - account. +- [ ] Set up a GitHub App on your organization (or personal account for a personal project). -- [ ] Set up PyPI: + - Disable the web hook + - Enable Repository permissions > Contents > Read and write + - Select "Only on this account" + - Click "Create GitHub App" + - Browse to the App Settings + - Select "Install App" and install on all repositories + - Under "General" click "Generate a private key" + - Store the `APP_ID` and the private key in a secure location (Jupyter Vault if using a Jupyter Org) -
Using PyPI token (legacy way) +- [ ] Create a "release" environment on your repository and add an `APP_ID` Environment Variable and `APP_PRIVATE_KEY` secret. -- Add access token for the [PyPI registry](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github) stored as `PYPI_TOKEN`. - _Note_ For security reasons, it is recommended that you scope the access - to a single repository. Additionally, this token should belong to a - machine account and not a user account. +- [ ] Configure Rulesets for the repository -
+ - Set up branch protection but only disable force pushes. + - Remove global tag protection. + - Add a branch Ruleset for all branches + - Allow the GitHub App to bypass protections + - Set up Pull Request and Required Checks + - Add a tags Ruleset for all tags + - Allow the GitHub App to bypass protections + +- [ ] Set up PyPI:
Using PyPI trusted publisher (modern way) @@ -45,10 +50,18 @@ See checklist below for details:
+
Using PyPI token (legacy way) + +- Add access token for the [PyPI registry](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github) stored as `PYPI_TOKEN`. + _Note_ For security reasons, it is recommended that you scope the access + to a single repository. Additionally, this token should belong to a + machine account and not a user account. + +
+ - [ ] If needed, add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`. Again this should be created using a machine account that only has publish access. -- [ ] Ensure that only trusted users with 2FA have admin access to the - repository, since they will be able to trigger releases. +- [ ] Ensure that only trusted users with 2FA have admin access to the repository, since they will be able to trigger releases. - [ ] Switch to Markdown Changelog - We recommend [MyST](https://myst-parser.readthedocs.io/en/latest/?badge=latest), especially if some of your docs are in reStructuredText. - Can use `pandoc -s changelog.rst -o changelog.md` and some hand edits as needed. diff --git a/docs/source/how_to_guides/maintain_fork.md b/docs/source/how_to_guides/maintain_fork.md index fe079c5d..da624882 100644 --- a/docs/source/how_to_guides/maintain_fork.md +++ b/docs/source/how_to_guides/maintain_fork.md @@ -2,7 +2,7 @@ ## How to keep fork of Jupyter Releaser up to date -- The manual workflow files target the `@v1` actions in the source repository, which means that as long as +- The manual workflow files target the `@v2` actions in the source repository, which means that as long as the workflow files themselves are up to date, you will always be running the most up to date actions. - Make sure your workflow is up to date by checking the "Fetch Upstream" dropdown on the main page of your fork. From e491e83959c144614b3e08c202534c57aabaeaaa Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Sun, 25 Feb 2024 09:13:18 -0600 Subject: [PATCH 05/10] add links --- docs/source/how_to_guides/convert_repo_from_repo.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md index b56845fa..2e12060d 100644 --- a/docs/source/how_to_guides/convert_repo_from_repo.md 
+++ b/docs/source/how_to_guides/convert_repo_from_repo.md @@ -16,7 +16,7 @@ See checklist below for details: ## Checklist for Adoption -- [ ] Set up a GitHub App on your organization (or personal account for a personal project). +- [ ] Set up a [GitHub App](https://docs.github.com/en/apps/creating-github-apps/about-creating-github-apps/about-creating-github-apps#github-apps-that-act-on-their-own-behalf) on your organization (or personal account for a personal project). - Disable the web hook - Enable Repository permissions > Contents > Read and write @@ -27,9 +27,9 @@ See checklist below for details: - Under "General" click "Generate a private key" - Store the `APP_ID` and the private key in a secure location (Jupyter Vault if using a Jupyter Org) -- [ ] Create a "release" environment on your repository and add an `APP_ID` Environment Variable and `APP_PRIVATE_KEY` secret. +- [ ] Create a "release" [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) on your repository and add an `APP_ID` Environment Variable and `APP_PRIVATE_KEY` secret. -- [ ] Configure Rulesets for the repository +- [ ] Configure [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) for the repository - Set up branch protection but only disable force pushes. - Remove global tag protection. From f5f86c1abdf15d9b88971dec0fc701dfdc0f42a8 Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Mon, 26 Feb 2024 06:14:05 -0600 Subject: [PATCH 06/10] address review --- example-workflows/full-release.yml | 10 +++++----- example-workflows/prep-release.yml | 10 +++++----- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/example-workflows/full-release.yml b/example-workflows/full-release.yml index 060174fc..b8ee1fcf 100644 --- a/example-workflows/full-release.yml +++ b/example-workflows/full-release.yml 
@@ -12,10 +12,10 @@ on: post_version_spec: description: "Post Version Specifier" required: false - silent: - description: "Set a placeholder in the changelog and don't publish the release." - required: false - type: boolean + # silent: + # description: "Set a placeholder in the changelog and don't publish the release." + # required: false + # type: boolean since: description: "Use PRs with activity since this date or git reference" required: false @@ -40,7 +40,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} version_spec: ${{ github.event.inputs.version_spec }} - silent: ${{ github.event.inputs.silent }} + # silent: ${{ github.event.inputs.silent }} post_version_spec: ${{ github.event.inputs.post_version_spec }} target: ${{ github.event.inputs.target }} branch: ${{ github.event.inputs.branch }} diff --git a/example-workflows/prep-release.yml b/example-workflows/prep-release.yml index 396330bb..4f8621f1 100644 --- a/example-workflows/prep-release.yml +++ b/example-workflows/prep-release.yml @@ -12,10 +12,10 @@ on: post_version_spec: description: "Post Version Specifier" required: false - silent: - description: "Set a placeholder in the changelog and don't publish the release." - required: false - type: boolean + # silent: + # description: "Set a placeholder in the changelog and don't publish the release." + # required: false + # type: boolean since: description: "Use PRs with activity since this date or git reference" required: false @@ -37,7 +37,7 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} version_spec: ${{ github.event.inputs.version_spec }} - silent: ${{ github.event.inputs.silent }} + # silent: ${{ github.event.inputs.silent }} post_version_spec: ${{ github.event.inputs.post_version_spec }} target: ${{ github.event.inputs.target }} branch: ${{ github.event.inputs.branch }} From 9730dc726805de808fc70a77358c64432689cdc2 Mon Sep 17 00:00:00 2001 
From: Steven Silvester Date: Tue, 27 Feb 2024 22:06:45 -0600 Subject: [PATCH 07/10] Update docs/source/how_to_guides/convert_repo_from_repo.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Frédéric Collonval --- docs/source/how_to_guides/convert_repo_from_repo.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md index 2e12060d..f49e747a 100644 --- a/docs/source/how_to_guides/convert_repo_from_repo.md +++ b/docs/source/how_to_guides/convert_repo_from_repo.md @@ -31,7 +31,7 @@ See checklist below for details: - [ ] Configure [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) for the repository - - Set up branch protection but only disable force pushes. + - Set up branch protection (with default rules) on publication branches - Remove global tag protection. - Add a branch Ruleset for all branches - Allow the GitHub App to bypass protections From 8b028ac0cdcf36d1e890f7d554f89394c2eac14f Mon Sep 17 00:00:00 2001 From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 28 Feb 2024 04:07:04 +0000 Subject: [PATCH 08/10] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/source/how_to_guides/convert_repo_from_repo.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md index f49e747a..18e45af9 100644 --- a/docs/source/how_to_guides/convert_repo_from_repo.md +++ b/docs/source/how_to_guides/convert_repo_from_repo.md 
@@ -31,7 +31,7 @@ See checklist below for details: - [ ] Configure [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) for the repository - - Set up branch protection (with default rules) on publication branches + - Set up branch protection (with default rules) on publication branches - Remove global tag protection. - Add a branch Ruleset for all branches - Allow the GitHub App to bypass protections From 3eed24658d3d982a6f6a29cab6e805264d179f3c Mon Sep 17 00:00:00 2001 From: Steven Silvester Date: Tue, 27 Feb 2024 22:10:12 -0600 Subject: [PATCH 09/10] address review --- docs/source/how_to_guides/convert_repo_from_repo.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md index 18e45af9..692e896c 100644 --- a/docs/source/how_to_guides/convert_repo_from_repo.md +++ b/docs/source/how_to_guides/convert_repo_from_repo.md @@ -28,6 +28,7 @@ See checklist below for details: - Store the `APP_ID` and the private key in a secure location (Jupyter Vault if using a Jupyter Org) - [ ] Create a "release" [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) on your repository and add an `APP_ID` Environment Variable and `APP_PRIVATE_KEY` secret. +The environment should be enabled for ["Protected branches only"](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches-and-tags). - [ ] Configure [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) for the repository From cfd814c601474a1a2a3464e0754ec882e49a3f02 Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Wed, 28 Feb 2024 04:10:23 +0000 Subject: [PATCH 10/10] [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci --- docs/source/how_to_guides/convert_repo_from_repo.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md index 692e896c..462cecb8 100644 --- a/docs/source/how_to_guides/convert_repo_from_repo.md +++ b/docs/source/how_to_guides/convert_repo_from_repo.md @@ -28,7 +28,7 @@ See checklist below for details: - Store the `APP_ID` and the private key in a secure location (Jupyter Vault if using a Jupyter Org) - [ ] Create a "release" [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) on your repository and add an `APP_ID` Environment Variable and `APP_PRIVATE_KEY` secret. -The environment should be enabled for ["Protected branches only"](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches-and-tags). + The environment should be enabled for ["Protected branches only"](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches-and-tags). - [ ] Configure [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) for the repository