-
Notifications
You must be signed in to change notification settings - Fork 2.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use installation token for OS Botify #23760
Conversation
- name: Generate a token | ||
id: generate_token | ||
uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c | ||
with: | ||
app_id: ${{ secrets.OS_BOTIFY_APP_ID }} | ||
private_key: ${{ secrets.OS_BOTIFY_PRIVATE_KEY }} | ||
installation_id: ${{ secrets.OS_BOTIFY_INSTALLATION_ID }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@roryabraham this is just a draft while I work through this but what are your thoughts about having the token generation be in this step as opposed to an independent job? I was having some trouble figuring out how to securely pass the output of the token into another job because github actions redacts/blanks it out due to it being a sensitive value. If it's in the same job, I can reference it via ${{ steps.generate_token.outputs.token }}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So recall that setupGitForOSBotify
is an action not a worklow, so it's always going to be scoped to just a single job (and by extension a single runner). So we shouldn't need or want to pass tokens between runners.
Does that answer your question?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sort of. Are you suggesting we move this step into setupGitForOSBotify
then? And if we do that, how do we use that token in these next steps instead of the under the hood GITHUB_TOKEN
the jobs use?
The part I think I'm missing is how we access an output from one action outside of it in another step?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I think I figured it out and got a little further. Long story short, order of operations matters here because we're flipping between the action token used in the job and the new token for OS Botify
https://github.com/Expensify/App/actions/runs/5686198797/job/15412567692
I think I'm getting this next error because I need to allow OS Botify App to override our branch protections and push to main.
@robertKozik @ One of you needs to copy/paste the Reviewer Checklist from here into a new comment on this PR and complete it. If you have the K2 extension, you can simply click: [this button] |
Co-authored-by: Andrew Gable <[email protected]>
Pushed @AndrewGable's suggested change and retested here https://github.com/Expensify/App/actions/runs/5728276127/job/15522468403 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I thought maybe start here and make sure it works then update others? |
Reviewer Checklist
Screenshots/VideosWebMobile Web - ChromeMobile Web - SafariDesktopiOSAndroid |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 👍🏼
Will let you self-merge when you're ready to live-test |
✋ This PR was not deployed to staging yet because QA is ongoing. It will be automatically deployed to staging after the next production release. |
🚀 Deployed to staging by https://github.com/justinpersaud in version: 1.3.50-0 🚀
|
🚀 Deployed to production by https://github.com/puneetlath in version: 1.3.50-3 🚀
|
🚀 Deployed to staging by https://github.com/justinpersaud in version: 1.3.51-0 🚀
|
🚀 Deployed to production by https://github.com/Julesssss in version: 1.3.51-2 🚀
|
Details
Switch our actions jobs to use an installation token instead of PAT
Fixed Issues
$ https://github.com/Expensify/Expensify/issues/299601
PROPOSAL:
Tests
https://github.com/Expensify/App/actions/runs/5717994375/job/15492912210
Offline tests
QA Steps
PR Author Checklist
### Fixed Issues
section aboveTests
sectionOffline steps
sectionQA steps
sectiontoggleReport
and notonIconClick
)myBool && <MyComponent />
.src/languages/*
files and using the translation methodWaiting for Copy
label for a copy review on the original GH to get the correct copy.STYLE.md
) were followedAvatar
, I verified the components usingAvatar
are working as expected)/** comment above it */
this
properly so there are no scoping issues (i.e. foronClick={this.submit}
the methodthis.submit
should be bound tothis
in the constructor)this
are necessary to be bound (i.e. avoidthis.submit = this.submit.bind(this);
ifthis.submit
is never passed to a component event handler likeonClick
)StyleUtils.getBackgroundAndBorderStyle(themeColors.componentBG)
)Avatar
is modified, I verified thatAvatar
is working as expected in all cases)ScrollView
component to make it scrollable when more elements are added to the page.main
branch was merged into this PR after a review, I tested again and verified the outcome was still expected according to theTest
steps.Screenshots/Videos
Web
Mobile Web - Chrome
Mobile Web - Safari
Desktop
iOS
Android