chore(ci): use github app for tokens #6534
Conversation
| id: app-token | ||
| with: | ||
| app-id: ${{ vars.DEVTOOLS_BOT_APP_ID }} | ||
| private-key: ${{ secrets.DEVTOOLS_BOT_PRIVATE_KEY }} | ||
|
|
||
| - name: Get GitHub App User ID |
There was a problem hiding this comment.
The removed steps in this file have been moved to our setup-bot-token action.
| with: | ||
| # don't checkout a detatched HEAD | ||
| ref: ${{ github.head_ref }} | ||
|
|
||
| # this is important so git log can pick up on | ||
| # the whole history to generate the list of AUTHORS | ||
| fetch-depth: '0' |
There was a problem hiding this comment.
We're not updating AUTHORS in this workflow, so this seems unnecessary
|
|
||
| jobs: | ||
| merge_bump_packages_pr: | ||
| name: Merge bump packages PR | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v3 |
There was a problem hiding this comment.
Checkout seems unnecessary here as we don't use anything from the repo
| git add . | ||
| git commit --no-allow-empty -m "chore(deps): update electron" || true |
There was a problem hiding this comment.
The create-pull-request action will automatically add and commit, so no need to do it here
| The version of packages is calculated following conventional bumps: See https://github.com/mongodb-js/devtools-shared/tree/main/packages/bump-monorepo-packages for details. | ||
| The version of packages is calculated following conventional bumps: See https://github.com/mongodb-js/devtools-shared/tree/main/packages/monorepo-tools for details. |
There was a problem hiding this comment.
This is a drive-by - noticed the link is outdated
| run: | | ||
| npm run bump-packages | ||
| git add . | ||
| git commit --no-allow-empty -m "$LAST_BUMP_COMMIT_MESSAGE" || true | ||
|
|
||
| - name: Create Pull Request | ||
| id: cpr | ||
| uses: peter-evans/create-pull-request@v6 | ||
| uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5 |
There was a problem hiding this comment.
For 3rd party packages, we should use git commit shas instead of version tags as those can be force pushed.
There was a problem hiding this comment.
Is there a documentation for this that we can point to somewhere around this code? It's not obvious and would be very easy to revert back over time without noting why we are doing this
There was a problem hiding this comment.
It's part of the general security hardening recommendations for actions: https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
While I don't have reasons to mistrust Peter, a rule of thumb I tend to follow is to use versions for actions by corporations such as microsoft, github, amazon, where there's strong expectation that they have security practices in place that would prevent access to their code. And for everything else, even if it's a popular action, I pin the commit sha.
There was a problem hiding this comment.
Cool, so can we add this link somewhere around this line (or any other place you think is appropriate) so that when someone is going over this code in the future and is unsure why exactly this is set to a hash instead of a version the rule is still followed?
There was a problem hiding this comment.
I don't think we should be adding comments as the commit sha usage should be the default for any 3rd party action. I did drop a message on slack though to bring more attention to this. I've also updated CONTRIBUTING.md with a section highlighting a few of the security best practices that also links to the full doc.
| run: | | ||
| npm run bump-packages | ||
| git add . | ||
| git commit --no-allow-empty -m "$LAST_BUMP_COMMIT_MESSAGE" || true | ||
|
|
||
| - name: Create Pull Request | ||
| id: cpr | ||
| uses: peter-evans/create-pull-request@v6 | ||
| uses: peter-evans/create-pull-request@5e914681df9dc83aa4e4905692ca88beb2f9e91f # 7.0.5 |
There was a problem hiding this comment.
Is there a documentation for this that we can point to somewhere around this code? It's not obvious and would be very easy to revert back over time without noting why we are doing this
nirinchev
added
the
no-title-validation
| @@ -115,6 +115,14 @@ npm run create-workspace [workspace name] | |||
|
|
|||
| This will do all the initial workspace bootstrapping for you, ensuring that your package has all the standard configs set up and ready, and all the npm scripts aligned with other packages in the monorepo, which is important to get the most out of all the provided helpers in this repository (like `npm run check-changed` commands or to make sure that your tests will not immediately fail in CI because of the test timeout being too small) | |||
|
|
|||
| ## Using Github Actions | |||
Description
This is a minor cleanup of gha workflows. It includes the following changes:
TODO:
Motivation and Context
Types of changes