Browser Build "Validate Secrets" Improvements #77
Conversation
|
This looks really good to me! I don't see any reason to hold it up. The changes are all surgical and will definitely save additional support cycles. As you say, further changes can be made in subsequent PRs. |
|
Summary: This was able to identify problems with 4 of the 6 secrets and provide easy to read messages TEAMID - an error in TEAMID (other than in number of characters) cannot be identified until the build fails Testing Details: I created a branch at my LoopWorkspace repo and merged this file. (branch name dev_plus_pr77). All 6 of my secrets are valid and stored safely. Test 2: Change all 6 to be incorrect. Note - issuer-id - I replaced a digit with a Q which made it invalid
Test 3: Modify GH_PAT and FASTLANE_ISSUER_ID to be correct (note TEAMID is still incorrect).
Test 4: Modify FASTLANE_KEY to be correct content but bad format - same error message Test 5: Modify FASTLANE_KEY to be correct content and format
Test 6: update FASTLANE_KEY_ID (Note that TEAMID is still wrong)
Test 6 B: Only Four of Six secrets are OK, move on to Add Identifiers
Test 7: Update to correct TEAMID and move on to Create Certificates (MATCH_PASSWORD is still incorrect)
|
|
Thanks for this @marionbarker. The fastfile's validate routine could be updated to include a fastlane match, which will catch the bad MATCH_PASSWORD up front. Edit: Perhaps that should remain out of scope for this PR though, since the next related objective is to extract error messages/exit codes from fastlane's output, and that change would be required to give a good, descriptive annotation and identify the bad secret here. |
As I think this over, a separate match validation routine could be added to the fastfile, which would separate the validation of the App Store Connect (i.e., FASTLANE) secrets from the match (i.e., MATCH_PASSWORD and GH_PAT) secrets without any further work on extracting/parsing known fastlane errors. |
Just want to note: The bad decrypt error only happens for repeat builders that have stored certificates in the @marionbarker additional testing, if you want to do that, would be to remove permissions for Also a learning I bad while implementing these validations (which is quite obvious when you think about it, still): The |
|
Suggestions
Continued testing:
Test 1: New repo is not spelled correctly and is public and GH_PAT has no scopes selected.
Test 2: Now spell the (public) Match-Secrets correctly
Test 3: deleted the public repo and renamed my private one back to the correct name, GH_PAT still has no scope selected
|
|
Thank you for testing and your ideas @marionbarker Suggestion 1: Not possible if the repo is private (which it should). If the GH_PAT lacks permissions (which we check), then we cannot list private repos in the repo query that is used for the Match-Secrets spelling check. That’s why the order is as it currently is - token existence first, then token permissions, then spelling for Match-Secrets. Suggestion 2: I can look into it, maybe it can be done with a bit of a workaround where we make a query without proving a token and if Match-Secrets is not listed we query it with the token and it should be listed then - that way we could probably verify that it’s indeed private. I‘ll have to fiddle around a bit and try that; it seems a bit hacks though. |
|
If Match-Secrets is public - you'll be able to see it and should tell them to make it private. |
|
Testing continued: this shows me this error message: |
Was going to test something along those lines, yes, but want to make sure it doesn’t give errors when it shouldn’t. I‘ll test around a bit 😊 |
|
next test: TEAMID is 9 characters and includes a lower case letter:
Change it to be 10 characters but still with a lower case letter
|
|
So while working on this PR this afternoon, I had an idea and I want to just put it here to get some feedback, so pinging you guys – @marionbarker @billybooth @bjorkert @bjornoleh @ps2 . One suggestion was to check whether the potential Looper has created the That would
Building on this, is there a good way to check for a "correct" We would have to run a So how about we do this:
gh api \
--method GET \
-H "Authorization: token $GITHUB_TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
/repos/${{ github.repository_owner }}/Match-Secrets/commits \
What do you guys think? Yay or nay? |
I think this is clearly a yay, since it represents a significant reduction in the initial setup for new builders. If you wanted, you could even create the In any case, I think this is a good justification for moving the All in all though, hard "yay" from me, since (in general), you have all of the pieces and permissions required to create the |
|
Regarding fine-grained token - no expiration date is not an option. The nominal Loop builder should use classic token and select no expiration. |
|
I've pushed various changes that incorporate most of the suggestions and test feedback I have gotten here and through private chats. Thanks to @billybooth for reworking the This can/should be re-tested, happy to get feedback :) |
… are handled correctly
…ation across reusable job names * This commit is purely aesthetic and aims to make the display names of Jobs consistent across workflows. Likewise, makes spacing and validation error messages consistent.
…ions * Trivial changes to FASTLANE / ASC error annotations (mention 'Keys' tab)
|
We have tested this PR extensively following the merge yesterday of PR #71. Test 1. "Good SECRETS - existing builder", build action successful:
Test 2. "Good SECRETS - new builder", all actions successful:
Many Tests for "Bad" SECRETS:
|
|
With my default branch set to dev_plus_pr77, (dev with PR 77 merged), the time for the first weekly automatic check for updates ran successfully: Build Loop log That branch was already up to date, so the build action was skipped. It ended with a success after 1 min 14 sec. One thing that may not have been mentioned about this PR (#77) is that the action log has a very clean layout that is much easier to interpret.
|
|
Looks good! Thanks all! |
* Bring in MinimedKit project fix * Add debug log to TidepoolKit * TidepoolKit and TidepoolService updates * Fix double inclusion of ru, and add hi locale * Update LoopKit submodule * Remove TidepoolKitUI references * Ensure food entries have name set * Tidepool carb upload fix refinement * Add initialization error logging to TidepoolService * TidepoolService updates * Omnipod ref codes fixes * Bring in TidepoolService and NightscoutService changes * Fix tests * Update circleci job name * change default job name in circleci * Add version * Bring in RemoteCommands PRs * Ensure each submodule branch is at its HEAD before branching * Bring in latest translations * Readlink fix * Fastfile: Add time sensitive notifications to identifier setup (LoopKit#50) * Fastfile capabilities: add Time Sensitive Notifications to Loop target Spaceship::ConnectAPI::BundleIdCapability::Type::USERNOTIFICATIONS_TIMESENSITIVE * Remove instructions for manually adding Time Sensitive Notifications * G7SensorKit changes * Meal detection fixes for mmol/L * Reorg ps2 frameworks (LoopKit#53) * Update gitmodules to point to LoopKit repos instead of ps2 repos * Moving submodules * Add renamed projects * Nightscout remote cgm rename (LoopKit#54) * Update gitmodules * Update NightscoutRemoteCGM submodule references, and project references * Update submodule rev ro NightscoutRemoteCGM * Always upload artifacts * Changes from Tidepool (LoopKit#55) * Changes from Tidepool * Update to dev * Add merges for NightscoutRemoteCGM and G7SensorKit * Fix tests * Use MKRingProgressView from swift package * Update TidepoolKit * Add Minizip project back in * Update TidepoolKit * Update to ZipFoundation for providing zip file creation abilities (LoopKit#56) * Update to ZipFoundation for providing zip file creation abilities * Update Loop * Update to dev * Warnings cleanup * Tidepool sync (LoopKit#58) * Changes from Tidepool * Update to dev * Add merges for NightscoutRemoteCGM and G7SensorKit * Fix tests * Tidepool Merge * Fix merge issues * Update packages * Add branch name to build name (LoopKit#52) * G7 sensor reading age fix * Another G7 date issue fixed * Status wiget glucose age calc fix * Bring in latest submodule changes * Use current Xcode * Bump xcode version for github workflows * Update github actions to use macos 13, with latest Xcode * Bring in Loop and LoopKit changes * G7 HKDevice update * Bring in LoopKit crash fix * Algorithm experiments (LoopKit#62) * Turn on algorithm experiments * Loop updates * IRC added as experiment * Update Loop submodule * Bring in analytics changes * Bring in IRC fix * Analytics fix * Adding Libre Integration (LoopKit#51) * Libre testing branch * Update submodule * Update libre branch to latest dev * Fixes * Add NFC entitlement * Update LibreTransmitter to main branch * Update submodules to latest dev * update submodule * Add duration to suspend event * Update Nightscout service and LoopKit * Submodule updates * Add NFC_TAG_READING to fastlane bundle id configuration for Loop * Update ZipFoundation revision * Critical log export fix * Tidepool merge (LoopKit#65) * Removing TidepoolKit * Removing TidepoolKit * Update submodules * Add scheduled sync and build, and allow for customization of Loop with GitHub Actions / Fastlane builds (LoopKit#43) * Scheduled sync and build, with option to customize Loop Changed template for scheduled runs to every month Added env variables for - upstream and target repo/branches - sync upstream 'true'/'false' - customize app 'true'/'false' Added sync action (aormsby/Fork-Sync-With-Upstream-action) to the (sync and) build job Added gautamkrishnar/keepalive-workflow to avoid expiration of scheduled workflows due to repository inactivity (60 days max). Adds an empty commit to fork if no activity during the last 27 days. Added Customize Loop action, which - applies any patches located in the LoopWorkspace/patches/ directory (@billybooth) - downloads (wget) and applies submodule patches specified in build_loop.yml Added (commented-out) CustomTypeOne/LoopPatches as templates for Loop and LoopKit submodule patches. * Add ./patches/save_patches_here.md * build_loop.yml: update patch templates for submodules * build_loop.yml: comment out patch template for submodule Loop * build_loop.yml: patch template app name = CustomLoop * Update build_loop.yml: fix typo * Update save_patches_here.md: fix typo * build_loop.yml: delete test_mode * build_loop.yml: remove env CUSTOMIZE_APP * Update build_loop.yml: remove remaining env CUSTOMIZE_APP refs * build_loop.yml: remove '--exclude=' from 'git apply' * Create update.yml - runs on a frequent schedule - checks out LoopWorkspace `main` - compares and syncs with LoopKit/LoopWorkspace (unless owner = LoopKit) - keepalive action adds empty commits to LoopKit/LoopWorkspace `main` after `time_elapsed` days to to avoid inactivation of scheduled workflows, when these updates are passed on to forks (only if owner = LoopKit) - launches build_loop.yml workflow on forks to sync and build if new commits are found (unless owner = LoopKit) * Remove keepalive action from build_loop.yml - keepalive action moved to update.yml * Adapt build_loop.yml and update.yml to be run in an "actions" branch to be set as default, and used to trigger scheduled builds of the main branch. Empty commits are added to an "actions" branch only (must be created by the user and set as default) to keep this branch "alive" and allow scheduled workflows to run uninterrupted (max 60 days of inactivity). The empty commits will not be included in the resulting TestFlight builds of main. Removed conditionals regarding LoopKit repository. * build_loop.yml: Add job names for `secrets` and `upstream_sync_and_build` * update.yml: shorter job name for `check_latest_from_upstream`: Check upstream * build_loop.yml: use curl instead of wget for downloading patches * Changes to build_loop.yml and update.yml: build_loop.yml: -Remove sync action from build_loop.yml -build on schedule on the 1th every month for a predictable build schedule well within the 90 day TestFlight limit. The time of day should be chosen as a time where ongoing changes are unlikely during releases (nighttime). -rename env TARGET_BRANCH to BUILD_BRANCH - use current branch as BUILD_BRANCH for easy switching to building main or dev (manually insert alternative branch names as needed) update.yml: - check for updates every day - use current branch name for UPSTREAM_BRANCH and TARGET_BRANCH, to easily switch between dev and main by changing default branch, without any code changes. - do not run the upstream sync action on the upstream LoopKit repository - time_elapsed: 50 days for keepalive action * Add branch name to run-names - with round brackets around branch name for readability: (${{ github.ref_name }}) * Remove mention of setting TARGET_BRANCH as default, since its not fixed * Move update and keep alive features to build_loop.yml - Checks for updates nightly - Ensures repository activity - Launches Build job if new commits are found, or if run manually - Workflow file cleanup * Delete update.yml * testflight.md: update GH_PAT instructions * Change the Expiration selection to `No expiration`. * Select the `repo` and `workflow` permission scopes. * testflight.md instructions: Create a branch named "alive" * testflight.md: rephrase section on ‘Create a branch named "alive"’ * Added MixpanelService to Loop (LoopKit#63) * Added MixpanelService to Loop * Update module url * bump mixpanel * Xcode 15 Beta 3 fixes * Remove unused project refs, and update MixpanelService signing * build_loop.yml: Disable upstream sync with optional repository variable (LoopKit#67) Set an optional "SYNC_UPSTREAM" repository variable to 'false' to disable syncing of fork with the upstream repository * Update submodules (LoopKit#68) G7 Logging fix Libre Demo retain fix NightscoutRemoteCGM fix deployment target * build_loop.yml: Separate checkout repo for building (LoopKit#69) * build_loop.yml: build_loop.yml: Separate checkout repo for building Checkout for syncing without submodules: recursive * build_loop.yml: remove "submodules: recursive" from checkout for syncing, fix typo. * Bring in IRC changes and always use dynamic carbs * Bring in changes to move charts to LoopKit * Homescreen Medium Widget, and insulin suspension forecast preview * Fastlane widget bundleid updates (LoopKit#75) * Update build_loop.yml * Update build_loop.yml * Update Fastfile for widget extension bundle id change * Adding top-to-bottom algorithm test * Submodule updates * Fix for crash when running forecast previews * Tidepool Sync (LoopKit#80) * Sync script updates (LoopKit#81) * Tidepool Sync * Make sure diffs exist, merge in LoopKit updates * Bring in LoopDataManager race condition fix * Update translation repo list * Update translations from Lokalise (LoopKit#82) * Update translations from Lokalise * Bring in translations for more repos * Bring in translations for more repos * Scheduled build improvements (LoopKit#71) * Add conditional scheduled build and sync * Update testflight.md with instructions for scheduling setup * Fix typo * Remove GITHUB_TOKEN; use GH_PAT instead * Update testflight.md with instructions how to add workflow scope * Fixed conditions for scheduled build * Fix upstream repo owner * Refactor build to use workflow permissions and auto-create alive branch * Change GITHUB_TOKEN to GH_PAT * Change token to GITHUB_TOKEN where appropriate; Make env variable names more descriptive * Fix broken alive branch auto-creation * Update testflight.md with opt-out and new config info * Update cron for sync and schedule, update build condition * Fix typo… * Update testflight.md with suggestions and re-organized contents * Fix typo from PR74 * Browser Build "Validate Secrets" Improvements (LoopKit#77) * Added improved validation and more descriptive error messages * Add validations from suggestions and test feedback * Modify validate_secrets to run in readonly mode * Streamline naming 1/3 * Streamline naming 2/3 * Streamline naming 3/3, add back validation preceding build * Fix LoopWidgetExtension bundle identifier * Add fastlane patterns back after accidentally removing them * Fix Match-Secrets auto-creation and if-condition * validate_secrets.yml: Set pipefail option so that fastlane exit codes are handled correctly * workflows: Include branch in (run) names and use consistent capitalization across reusable job names * This commit is purely aesthetic and aims to make the display names of Jobs consistent across workflows. Likewise, makes spacing and validation error messages consistent. * validate_secrets.yml: Make annotations more "actionable". * validate_secrets.yml: Improve error annotations around GH_PAT permissions * Trivial changes to FASTLANE / ASC error annotations (mention 'Keys' tab) --------- Co-authored-by: Billy Booth <[email protected]> * Bump submodule refs * More carb entry fixes * Omnipod debug logging updates * Fixes for automated builds (LoopKit#83) * Fix broken upstream sync; Remove orphaned environment variable * Fix condition for automated alive branch creation * Disable meal detection when calibrations are present, and localization fix * Bring in fixes for negative duration dose prevention * Bring in functional algo support * Bring in changes for app expiration warning for testflight builds * Tidepool sync * Fix cron schedule for automated sync and build (LoopKit#87) * Fix cron schedule for sync and build * Update cron tab descriptions in testflight.md * Fix typo in comment * Adding missing hindi translations for app intents * Update build destinations * GH Actions: Improve secrets validation (LoopKit#86) * validate_secrets.yml: Pass a "Could not install WWDR certificate" error through validation * validate_secrets.yml: Improve annotation when a public Match-Secrets repo exists * validate_secrets.yml: Rewrite Match-Secrets validation to be explicit about the Match-Secrets repository that will be used When the GH account that the GH_PAT token was created under does not match the repository_owner of the LoopWorkspace repository, the validation routine used a different Match-Secrets repository than fastlane. * validate_secrets.yml: Rewrite GH_PAT validation to capture scopes and distinguish between classic and fine-grained access tokens * validate_secrets.yml: Fix syntax error in Match-Secrets validation job * validate_secrets.yml: Depend less on patterns / read scopes from any token that provides them * Provide HAS_WORKFLOW_PERMISSION as an output * validate_secrets.yml: Annotate failures from unaccepted Apple PLAs * validate_secrets.yml: Fix typo and improve annotation when GH_PAT is invalid * validate_secrets.yml: Improve annotation when authorization fails and token format is unknown * validate_secrets.yml: Minor wording tweak * Update Fastlane to 2.215.0 (LoopKit#88) * Update Gemfile.lock for Fastlane to 2.215.0 Among other improvements, this should fix the WWDR issue. * build_loop.yml: Install bundle, bundle exec - bundle install - bundle exec fastlane build_loop - bundle exec fastlane release * Update Gemfile.lock Commands used to install bundler and update dependencies: sudo gem pristine ffi sudo gem install bundler sudo bundle install sudo bundle update fastlane * Don't install bundler, which comes with Ruby 2.7+ * Install dependencies and use bundler to exec fastlane across workflows --------- Co-authored-by: Billy Booth <[email protected]> * Bring in CGM Event Store * Add Mixpanel service to sync * Bring in Tidepool sync * Bump Loop submodule rev * Service state restoration fix * Upload pod changes to Nightscout as Site Change treatments, for the cannula age (CAGE) pill * MDT Set change upload * Bug fix for mdt set change detection, and upload pump alarms to NS * Add widget fixes * Update circleci build to xcode 15 (LoopKit#89) * Update circleci build to xcode 15 * Update workflow to build with Xcode 15 * Bump device * Fix iphone version * Run tests on iOS 16.4 until iOS 17 simulators are working * Include pending insulin in dosing decision * Update build settings to avoid macos build during translation import * Bump RileyLinkKit rev * heartbeat setup fix, and OmniKit translations * Add slide button cannula insertion * Disable autolock during pod pairing (Dash) * Sync the GitHub runner clock with the Windows time server (LoopKit#98) Adding a step to workflow jobs that interface Apple servers, as a workaround for build issues caused by runner clocks being out of sync. See https://github.com/actions/runner issue number 2996 for details. name: Sync clock run: sudo sntp -sS time.windows.com Added to the following workflows / jobs: validate_secrets.yml / validate-fastlane-secrets add_identifiers.yml / identifiers build_loop.yml / build create_certs.yml / certificates * Update submodules * update to rev of SlideButton package that handles rtl languages (LoopKit#103) * Bump submodule revs * Bring in test updates for iOS 17 * include flag for DEBUG_FEATURES_ENABLED by default (LoopKit#111) * Update submodules for guardrails crash, simulator settings access, and pod pairing UI resumption * Bring in OmniBLE updates * Bring in latest submodule revs * Update browser build action dependencies to meet GH node version requirements (LoopKit#120) * Bump submodule refs * Change GITHUB_TOKEN to user-created GH_PAT (LoopKit#125) Fixes permission issues where GH api responds with: ```swift gh: Resource not accessible by integration (HTTP 403) {"message":"Resource not accessible by integration","documentation_url":"https://docs.github.com/rest/git/refs#create-a-reference"} Error: Process completed with exit code 1. ``` because the default, auto-created GITHUB_TOKEN cannot be given appropriate content write permissions to create branches in the owner's repository * Update Gemfile.lock to bump Fastlane to 2.220.0 (LoopKit#126) * Update testflight.md - apple moved keys under integrations (LoopKit#112) * Update testflight.md - apple moved keys under integrations * Fix typo * Update fastlane and macOS (LoopKit#143) * update Fastlane to 2.221.1 * update runners to macOS 14 * Update submodules * Ps2/xcode15.4 (LoopKit#145) * Update to xcode15.4 * update ios version used in circleci builds * update ios version used in circleci builds * Update build_loop.yml (LoopKit#146) * Update submodule for CGMBLEKit * Update to Loop 3.4 Release * Fix browser build sync and alive behavior (LoopKit#164) * Fix browser build sync and alive behavior - Added logic to extend the alive check for the existence of either `alive-main` or `alive-dev` branches. - Resolved an issue where unexpected successes were occurring when failures were expected. - Implemented a check to determine the existence of the `alive-main` and `alive-dev` branches and create them if they do not exist. - Introduced a mechanism to identify the current branch being run (either `main` or `dev`). - Based on the current branch, the corresponding alive branch (`alive-main` or `alive-dev`) will be used to check for upstream changes. - Set a new variable `ABORT_SYNC` to `true` when the current branch is neither `dev` nor `main`. - The syncing attempt will proceed based on the `ABORT_SYNC` variable status. - Ensured proper branch synchronization to prevent build inconsistencies and failures - Addresses issue LoopKit/Loop#2192 - Updates app store connect link for validation error hints to new Apple URL scheme * 💚 Security Fix Co-Authored-By: ebouchut <[email protected]> --------- Co-authored-by: ebouchut <[email protected]> * Update for Loop 3.4.1 --------- Co-authored-by: Pete Schwamb <[email protected]> Co-authored-by: bjornoleh <[email protected]> Co-authored-by: Marion Barker <[email protected]> Co-authored-by: Cameron Ingham <[email protected]> Co-authored-by: Noah Brauner <[email protected]> Co-authored-by: Deniz Cengiz <[email protected]> Co-authored-by: Billy Booth <[email protected]> Co-authored-by: Marion Barker <[email protected]> Co-authored-by: ebouchut <[email protected]>
This PR is the first of probably a set of PRs over the next couple of weeks (and months?) that aim to improve Loop's browser build's validation and error handling. It further aims to provide more descriptive error messages for common errors that first time builder's come across, such as:
Match-Secretsrepository (with the current implementation if that repository is incorrectly set up the error will point towardGH_PATissues)TEAMID,FASTLANE_KEY_ID,FASTLANE_ISSUER_ID)Contents:
Match-SecretsexistenceTEAMIDcase sensitivity checkFASTLANE_KEY_IDcase sensitivity checkFASTLANE_KEY_IDlength checkFASTLANE_ISSUER_IDformat check (adhering to UUID).Match-Secrets(existence and visibility == private) and can automatically create it if non-existentMATCH_PASSWORDto avoidbad decrypterrors when users change their secret between buildsAs always, open for feedback and input. Thanks to @billybooth and @bjorkert for being great sparring partners to trade ideas back and forth with.