GH-38315: [Dev][CI] autotune needs additional permissions to push to PR branches #38523
Conversation
thisisnic
requested review from
assignUser,
kou,
raulcd and
paleolimbot
as code owners
|
@github-actions autotune |
|
|
github-actions
bot
added
Component: R
awaiting committer review
|
Looks like this fix didn't work. It looks like the token still didn't have the correct permissions though. @assignUser - you grok this stuff better than me; would I expect autotune to be using the version in this PR, or the version in main? If it's the former, we need to do something with the |
|
We can't test the Could you test this on your fork? (You can test this by pushing a change to the default branch.) |
|
Thanks for the suggestion @kou! Now got this working on my fork. |
|
The rebase job will also need the new permission to work again :) I would prefer it if there was a more restrictive permission we could use for this but it looks like this is the only one that will work... |
There was a problem hiding this comment.
+1
Could someone (except thisisnic) try this on https://github.com/thisisnic/arrow just in case? (It may work only by the repository owner.)
github-actions
bot
added
awaiting merge
|
Good instinct @kou https://github.com/thisisnic/arrow/actions/runs/6741053064/job/18325048732#step:13:15 Also thinking about this in detail, I think we should either remove the rebase part of the job (or gate it to be only usable by the pr creator and maybe committers. As it is now anyone could do a drive by comment a have the action force push to a branch. The danger is not huge but it feels a bit invasive... 🤷 |
|
But I did find out that there is now a way to rebase the fork branch via gui which is imo a good replacement for the rebase protion of this job: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/keeping-your-pull-request-in-sync-with-the-base-branch |
|
@assignUser Would you mind making a separate issue for the rebase stuff so we don't mix the two up here. As for the write permissions — it's possible that github has now generally restricted that? Reading the docs
Which seems to suggest that we cannot add the write permission unless it's already set org-wide. Or possibly there is a setting we can change in the .asf.yml that would allow this? |
|
@jonkeane well it is closely related, if we don't manage to get the permission working (which is the case based on you findings) there will also not be a way to do the rebase and we can remove both steps in this PR. Good catch with the docs, this is def. something that worked previously but it seems that they removed this possibility with the rework of default permissions this year. The setting mentioned above is something we/INFRA will never enable for security reasons as it would remove the protections that the So the conclusion seems to be that this is not possible anymore in an automated way? Individuals with |
|
If this is a no-go, should I just remove both of these in this PR? They were nice to have, but as a maintainer reviewing PRs I'm happy enough to just pull locally and style or rebase something myself, or tell the contributor to run styler on their PR. |
Rationale for this change
autotune is giving 403 errors as there aren't enough permissions on the default
GITHUB_TOKENWhat changes are included in this PR?
Add required permissions
Are these changes tested?
I've pushed some dodgy formatting to this branch, so am intend to test it here
Are there any user-facing changes?
Nope