generated from actions/container-action
-
Notifications
You must be signed in to change notification settings - Fork 4
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow to Use Custom Git Actor for Bundled JS Output #14
Open
DavideIadeluca
wants to merge
5
commits into
flarum:master
Choose a base branch
from
glowingblue:di/custom-actor
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
5 commits
Select commit
Hold shift + click to select a range
8f06c53
feat: allow to use custom actor
DavideIadeluca 39874e6
chore: new inputs
DavideIadeluca f1fd2f0
docs: add tutorial section
DavideIadeluca db7012b
chore: minor doc fix
DavideIadeluca 63ac061
chore: remove unused `github_token` input
DavideIadeluca File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -21,7 +21,6 @@ jobs: | |
- uses: actions/checkout@master | ||
- uses: flarum/action-build@2 | ||
with: | ||
github_token: ${{ secrets.GITHUB_TOKEN }} | ||
build_script: build # npm run build | ||
build_typings_script: build-typings # npm run build-typings | ||
test_script: test # npm run test | ||
|
@@ -36,8 +35,7 @@ jobs: | |
Here is a full list of options available using the `with` syntax: | ||
|
||
| Name | Required | Description | Example | Default | | ||
|------------------------| -------- |-------------------------------------------------------------------------------------------------------------------------|-------------------------------| ------- | | ||
| `github_token` | Yes | Your Actions GitHub token. The example value should work for this by default. | `${{ secrets.GITHUB_TOKEN }}` | None | | ||
| ---------------------- | -------- | ----------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ------- | | ||
| `build_script` | Yes | The `package.json` script to run to build your extension JS. | `build` | `build` | | ||
| `build_typings_script` | No | If defined, runs the script of this name in `package.json` to build typings for your extension. | `build-typings` | Unset | | ||
| `format_script` | No | If defined, runs the script of this name in `package.json` to check code formatting of your extension's JS. | `format-check` | Unset | | ||
|
@@ -49,13 +47,81 @@ Here is a full list of options available using the `with` syntax: | |
| `do_not_commit` | No | Set to `true` to NOT commit the built JS/Typings. Useful for validating JS source. | `false` | `false` | | ||
| `checks` | No | An array of strings, where each is a script that should be run before committing built js. | `false` | `false` | | ||
| `commit_all_dirty` | No | Set to `true` to commit all file changes, not just files in the dist JS directory. | `false` | `false` | | ||
| `git_actor_name` | No | Allows to set a different username (normally `flarum-bot`) for the actor which commits the bundles JS. | `acme-bot` | Unset | | ||
| `git_actor_email` | No | Allows to set a different email for the actor which commits the bundled JS. | `[email protected]` | Unset | | ||
|
||
### Assumptions | ||
|
||
Your Javascript must be in a `js` folder, similar to how Flarum core and Flarum's first-party extensions are laid out. | ||
|
||
If building typings, we assume that they are built to `js/dist-typings`, as set in the example `tsconfig.json` found on the [flarum-tsconfig](https://github.com/flarum/flarum-tsconfig). | ||
|
||
## Setting Up Custom Git Actor for Frontend Workflow | ||
|
||
This guide helps you configure a custom Git actor in your extension's frontend workflow, specifically useful if your organization enforces branch protection rules requiring pull requests for changes to the default branch. | ||
|
||
### Basic Configuration (Light Version) | ||
|
||
To change the actor committing bundled JS in your workflow: | ||
|
||
1. Add `git_actor_name` and `git_actor_email` inputs to your workflow file. | ||
2. These values can represent either a real GitHub user or a fictional one. | ||
3. If using a real user, it's recommended to use the GitHub-provided email for privacy-enabled accounts. | ||
|
||
Example: | ||
|
||
```yaml | ||
name: ACME Foobar JS | ||
|
||
on: [workflow_dispatch, push, pull_request] | ||
|
||
jobs: | ||
run: | ||
uses: flarum/framework/.github/workflows/[email protected] | ||
with: | ||
enable_prettier: true | ||
... | ||
git_actor_name: acme-bot | ||
git_actor_email: [email protected] | ||
``` | ||
|
||
### Advanced Configuration (With Branch Protection Rules) | ||
|
||
If you also want to enforce branch protection and allow a custom actor to bypass pull requests: | ||
|
||
1. Create a dedicated CI GitHub account with admin permissions in your organization. | ||
2. Generate a Personal Access Token for the CI account: | ||
|
||
- Go to [GitHub Tokens](https://github.com/settings/tokens/new) and create a new token with repo and workflow scopes. | ||
|
||
3. Add the token as a secret in your repository. | ||
4. Use the real CI account's username and email in your workflow. | ||
|
||
When setting branch protection rules, make sure not to enable "Do not allow bypassing the above settings" as this would block automated commits from the CI actor. | ||
|
||
```yml | ||
name: ACME Foobar JS | ||
|
||
on: [workflow_dispatch, push, pull_request] | ||
|
||
jobs: | ||
run: | ||
uses: flarum/framework/.github/workflows/[email protected] | ||
with: | ||
enable_prettier: true | ||
.. | ||
git_actor_name: ci-bot | ||
git_actor_email: [email protected] | ||
|
||
secrets: | ||
git_actor_token: ${{ secrets.GIT_ACTOR_TOKEN }} | ||
``` | ||
|
||
### Important Notes | ||
|
||
- Avoid the "Do not allow bypassing the above settings" option when setting up branch protection, or your CI actor won’t be able to commit the bundled JS. | ||
- Make sure other rules or permissions don't block the CI account from making automated commits. | ||
|
||
## Only Build on Master | ||
|
||
If you only want to run the workflow when commits are pushed to the `master` branch, change `on: push` to the following: | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -24,10 +24,13 @@ export default async function commitChangesToGit(jp: FSJetpack): Promise<void> { | |
maxConcurrentProcesses: 1, | ||
}; | ||
|
||
const gitActorName = core.getInput('git_actor_name', { required: false, trimWhitespace: true }) || 'flarum-bot'; | ||
const gitActorEmail = core.getInput('git_actor_email', { required: false, trimWhitespace: true }) || '[email protected]'; | ||
|
||
const config = { | ||
author: { | ||
name: 'flarum-bot', | ||
email: '[email protected]', | ||
name: gitActorName, | ||
email: gitActorEmail, | ||
}, | ||
}; | ||
|
||
|
@@ -61,11 +64,9 @@ Includes transpiled JS/TS${core.getInput('build_typings_script') !== '' ? ', and | |
|
||
[skip ci]`); | ||
|
||
const token = core.getInput('github_token', { required: true, trimWhitespace: true }); | ||
|
||
debugLog(`** Pushing commit`); | ||
|
||
await git.addRemote('upstream', `https://${process.env.GITHUB_ACTOR}:${token}@github.com/${process.env.GITHUB_REPOSITORY}.git`); | ||
await git.addRemote('upstream', `https://github-actions:${process.env.GITHUB_TOKEN}@github.com/${process.env.GITHUB_REPOSITORY}.git`); | ||
|
||
log(`${status}`); | ||
|
||
|
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this changed because the github token parameter is no longer necessary?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The token is still necessary, but it is fetched in another way. If a workflow provides a custom
git_actor_token
, then that token will be used instead of the defaultGITHUB_TOKEN
.REUSABLE_frontend.yml:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry I don't get it. there is no git_actor_token for this action build though, it seems like the
github_token
parameter is no longer used after this PR, but is still documented. Though I still can't tell if it's no longer necessary here because the new upstream link doesn't require passing a token from the origin repo:https://${process.env.GITHUB_ACTOR}:${token}@github.com/${process.env.GITHUB_REPOSITORY}.git
vs
https://github-actions:${process.env.GITHUB_TOKEN}@github.com/${process.env.GITHUB_REPOSITORY}.git
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The
github_token
will continue to be used after this PR.Let's say an extension provides the new
git_actor_token
secret to theREUSABLE_frontend.yml
workflow of core. At https://github.com/flarum/framework/pull/4099/files#diff-8f0cab030414f9e64c7444c9011370f3435c52893686c91babdb72810568b0dcR136-R137 we are checking if that token is provided or not. If yes, theGITHUB_TOKEN
will be reassigned with the value of the token provided by the extension. If not, the defaultGITHUB_TOKEN
will be used.About the upstream link; If I recall correctly, It didn't actually make a difference if I used
${process.env.GITHUB_ACTOR}
orgithub-actions:
for the upstream link during testing. Usinggithub-actions:
felt cleaner to me.Does that make sense?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@DavideIadeluca sorry but you keep linking to the part of the workflow about actions/checkout, but this is about actions/build
https://github.com/flarum/framework/pull/4099/files#diff-8f0cab030414f9e64c7444c9011370f3435c52893686c91babdb72810568b0dcR165
I am still confused whether
github_token
the parameter for this actionflarum/action-build@v4
which is this repository (notactions/checkout@v4
) is still needed/can be completely removed, or why the removal is done.I understand everything else about the git actor, just the github_token parameter is still confusing to me. As this PR leaves it in a state of documented and supplied by the fremework but not actually used by the action itself
I may be forgetting something, what's the relation between the token passed to the checkout action and this build action?