GitHub Actions

Justin Obara obara.justin at gmail.com
Mon Jun 22 12:04:24 UTC 2020


Hi all,

I just wanted to expand on Gio’s point about secrets, as it prevents/limits some integrations with Pull Requests (PRs) from forks. For example, you need a secret for the action to comment on a PR, so this type of action would not be possible with a PR from a fork. The GITHUB_TOKEN <https://help.github.com/en/actions/configuring-and-managing-workflows/authenticating-with-the-github_token#permissions-for-the-github_token> is available to PRs from forks; however, access is read-only.

For clarification, a PR from a fork is how we typically work in our community. We have a project repository that contains the canonical source. A contributor will fork this repo to their own GitHub space, create a branch from their fork to make the changes, and submit a Pull Request back to the project’s repository. Because the source for these PRs doesn’t reside in the project repository, for security purposes they won’t have access to the secrets. That is reasonable: it prevents the secret from being logged or distributed just by submitting a PR (if the GitHub Action is modified in the PR), and it prevents other project-wide issues, such as the modifications that the GITHUB_TOKEN might allow if write access were available.

I’m actually running into this right now as I’m looking at adding Lighthouse CI integration <https://github.com/inclusive-design/wecount.inclusivedesign.ca/issues/267> into the WeCount <https://wecount.inclusivedesign.ca/> site. The Lighthouse GitHub Action will communicate with the Lighthouse GitHub App <https://github.com/apps/lighthouse-ci> to add status checks for the results, but requires a secret to do so. So we’re not able to make use of this feature for our PRs.

See: https://github.community/t/github-actions-are-severely-limited-on-prs/18179 <https://github.community/t/github-actions-are-severely-limited-on-prs/18179>

It doesn’t look like this has affected any of our current transitions. However, it’s worth being aware of for setting up your own GitHub Actions jobs. Some workarounds I’ve seen suggested:

- Expose the secret as plain text (I wouldn’t suggest doing this)
- Possibly mediate through a GitHub App, or move that action to a GitHub App. For example, the Netlify GitHub App <https://github.com/apps/netlify> handles deploying the PRs.

Thanks
Justin
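An added example (not from this thread or the Fluid project) of one way to live with the fork restriction described above: the build job runs for every PR, while the job that needs a repository secret is gated on the head branch living in the same repository, so it is skipped on fork PRs instead of failing when the secret is absent. The `APP_TOKEN` secret name and the `scripts/post-status.sh` script are placeholders.

```yaml
name: CI

# Keep the plain pull_request trigger: code from a fork then never runs
# with repository secrets, which is the protection the thread relies on.
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

# Pin GITHUB_TOKEN to read-only for every trigger, so a push to master
# gets no more than a fork PR already gets (least privilege).
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [10.x, 12.x]
    env:
      HEADLESS: true
    steps:
      - uses: actions/checkout@v2
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install Node.js dependencies
        run: npm install
      - name: Code linter
        run: $(npm bin)/grunt lint

  # Anything that needs a secret goes in its own job. It runs for pushes
  # and for PRs whose head branch is in this repository; for a fork PR
  # the condition is false and the job is skipped rather than failed.
  report:
    needs: build
    runs-on: ubuntu-latest
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v2
      - name: Post results to the GitHub App (placeholder script)
        env:
          # Placeholder secret name; empty on fork PRs, which is why the
          # job-level "if" above guards this step.
          APP_TOKEN: ${{ secrets.APP_TOKEN }}
        run: ./scripts/post-status.sh
```

The same `if:` expression can be placed on a single step instead of a whole job if only one step needs the secret.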

> On Jun 20, 2020, at 10:40 AM, Giovanni Tirloni <gtirloni at ocadu.ca> wrote:
> 
> It runs automatically, there's no authorization required.
> 
> This would be a problem with Jenkins runners because that meant arbitrary code could be executed on our infrastructure.
> 
> It's less of a problem with GitHub Actions because the CI jobs run on GitHub-owned runners (so they deal with any abuse, not us) and PRs from other repositories do not have access to the secrets stored in our repositories (i.e. even if a PR were to trigger a deploy job, it wouldn't have access to, say, the SSH private key or some other token required for that).
> 
> From: Antranig Basman <antranig.basman at colorado.edu>
> Sent: Saturday, June 20, 2020 05:47
> To: fluid-work at lists.idrc.ocad.ca <fluid-work at lists.idrc.ocad.ca>; Giovanni Tirloni <gtirloni at ocadu.ca>
> Subject: Re: GitHub Actions
>  
> Cheers, this is brilliant work and great to reduce our dependence on 
> Jenkins. Does the CI job run automatically for every update to a PR, or 
> is there some equivalent of the old "ok to test" system?
> 
> On 19/06/2020 13:31, Giovanni Tirloni wrote:
> > Hi Tony,
> > 
> > I translated the Jenkins configuration that lived in the ci-service 
> > repository:
> > 
> > https://github.com/fluid-project/ci-service/blob/master/jenkins_jobs/infusion-pull-request.yml <https://github.com/fluid-project/ci-service/blob/master/jenkins_jobs/infusion-pull-request.yml>
> > 
> > Into the GitHub Actions workflow configuration that lives in each code 
> > repository:
> > 
> > https://github.com/fluid-project/infusion/blob/master/.github/workflows/main.yml <https://github.com/fluid-project/infusion/blob/master/.github/workflows/main.yml>
> > 
> > Instead of using our Jenkins node (located in the IDRC datacenter), it's 
> > using the GitHub-hosted runners.
> > 
> > 
> > 
> > Here we say the workflow should run on pushes and PRs for the master 
> > branch only:
> > 
> > on:
> >   push:
> >     branches: [ master ]
> >   pull_request:
> >     branches: [ master ]
> > 
> > The CI job runs on ubuntu-latest (for now, there's a PR to run it on 
> > Windows as well):
> > 
> > jobs:
> >   build:
> >     runs-on: ubuntu-latest
> > 
> > The build strategy means GitHub will template/duplicate the build 
> > definition for each of these values. They are just strings but it means 
> > we're testing against Node.js 10.x and 12.x:
> > 
> > strategy:
> >   matrix:
> >     node-version: [10.x, 12.x]
> > 
> > We pass the HEADLESS env var so our tests run in Firefox/Chrome headless:
> > 
> > env:
> >   HEADLESS: true
> > 
> > Then come the actual build instructions. We first do a Git checkout of 
> > the repo:
> > 
> > steps:
> >   - uses: actions/checkout@v2
> > 
> > Then we install the Node.js version we want, based on that matrix 
> > definition above.
> > 
> >   - name: Use Node.js ${{ matrix.node-version }}
> >     uses: actions/setup-node@v1
> >     with:
> >       node-version: ${{ matrix.node-version }}
> > 
> > And the usual build commands in separate Steps:
> > 
> >   - name: Install Node.js dependencies
> >     run: npm install
> >   - name: Code linter
> >     run: $(npm bin)/grunt lint
> >   - name: Browser tests
> >     run: $(npm bin)/testem ci --file tests/testem.js
> >   - name: Node.js tests
> >     run: $(npm bin)/nyc node tests/node-tests/basic-node-tests.js
> > 
> > We are not using any special Action but there's a marketplace of them: 
> > https://github.com/marketplace?type=actions <https://github.com/marketplace?type=actions>. They are basically Git 
> > repos with Docker images or JavaScript to run arbitrary code.
> > 
> > 
> > The syntax reference for Workflow files is here: 
> > https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions <https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions>
> > 
> > Regards,
> > Giovanni
> > 
> > 
> > ------------------------------------------------------------------------
> > *From:* Tony Atkins <tony at raisingthefloor.org>
> > *Sent:* Friday, June 19, 2020 06:20
> > *To:* Giovanni Tirloni <gtirloni at ocadu.ca>
> > *Cc:* fluid-work at lists.idrc.ocad.ca <fluid-work at lists.idrc.ocad.ca>
> > *Subject:* Re: GitHub Actions
> > Hi, Gio.
> > 
> > Great to hear this.  I know we could all work our way through the 
> > documentation and experiment with our own projects in time, but it'd be 
> > great for maintainers in the community to save time by learning from 
> > what you had to do.  Would you be able to briefly write up what you had 
> > to do or possibly demo/present briefly in an upcoming meeting?
> > 
> > Cheers,
> > 
> > 
> > Tony
> > 
> > On Tue, 16 Jun 2020 at 21:46, Giovanni Tirloni <gtirloni at ocadu.ca> wrote:
> > 
> >     Hello,
> > 
> >     It seems GitHub Actions is working as expected.
> > 
> >     With that in mind, I'd like to disable Jenkins for the two Fluid
> >     repos that have builds enabled: Infusion and Kettle.
> > 
> >     Please let me know if there are any concerns.
> > 
> >     Regards,
> >     Giovanni
> > 
> >     ------------------------------------------------------------------------
> >     *From:* Giovanni Tirloni <gtirloni at ocadu.ca>
> >     *Sent:* Monday, April 20, 2020 18:10
> >     *To:* fluid-work at lists.idrc.ocad.ca
> >     *Subject:* GitHub Actions
> >     Hello,
> > 
> >     We're running an experiment to see if GitHub Actions [0] is a good
> >     replacement for our current Jenkins-based CI system.
> > 
> >     I've enabled Actions in the fluid-project/infusion repository today.
> >     Every new PR (and updates to old PRs) and commits to the master
> >     branch will trigger CI builds in both GitHub Actions and Jenkins.
> >     We'll run them in parallel for a while to collect usage data.
> > 
> >     The GitHub Actions workflow has a few benefits for us:
> > 
> >       * GitHub-owned runners so we don't need to worry about maintaining
> >         our own servers
> >       * Configuration As Code: the CI configuration lives in the
> >         repository and can be modified with PRs
> >       * Better integration with the GitHub UI
> > 
> >     We'll be trying more customizations in the near future but for now
> >     the GitHub Actions workflow in the Infusion repository more or less
> >     mimics the actions of the Jenkins-based pipeline configuration in
> >     the fluid-project/ci-service repository. For example, it doesn't yet
> >     publish a new Infusion build when commits are made to the master
> >     branch, that's coming next as it requires changes to how we do
> >     deployments.
> > 
> >     If you notice any issues or have any feedback, please feel free to
> >     reach out. If we have a good experience with Actions, we'll add it
> >     to more repositories.
> > 
> >     0 - https://github.com/features/actions <https://github.com/features/actions>
> > 
> >     Regards,
> >     *Giovanni Tirloni*
> >     DevOps Engineer
> >     Inclusive Design Research Centre, OCAD University
> >     https://idrc.ocadu.ca <https://idrc.ocadu.ca/>
> >     _______________________________________________________
> >     fluid-work mailing list - fluid-work at lists.idrc.ocad.ca
> >     To unsubscribe, change settings or access archives,
> >     see https://lists.idrc.ocad.ca/mailman/listinfo/fluid-work <https://lists.idrc.ocad.ca/mailman/listinfo/fluid-work>
> > 
> > 
> > 
> 
