Verify if the docker images compilation is triggered correctly from robotology

[valegagge]

We want to verify that the automatic compilation works correctly on the Superbuild release event.

We already did this check here #2, but with the last release, we noticed that the trigger didn't work.

Dod
Understand the cause of the missing trigger and fix it if it is possible

[MSECode]

It seems that the problem is related to the TOKEN used when triggering the release remotely from the robotology/robotology-superbuild repo to the icubtech-iit/docker-deployment-images. Probably we are still using the tokens from the older code repo and those token probably do not exist anymore.
So we need to check that and moreover, we have to understand if we have to use the same exact token on all repos that use the repository dispatch trigger to launch the action
Then we have to check if we need to add those same secrets on the new repo

[MSECode]

If you wanna understand how the repository dispatch events works among remote repositories here a clear explanation:
https://blog.marcnuri.com/triggering-github-actions-across-different-repositories

[pattacini]

For dispatching from robotology-superbuild to this repo, the token is grabbed using the App. See https://github.com/robotology/robotology-superbuild/blob/master/.github/workflows/build-docker-images.yml#L17-L23.

This should be fine and already tested in #2, as @valegagge said.

I've noticed that the dispatcher has been upgraded to v2 via robotology/robotology-superbuild#1480. After that, you've been observing problems, if I'm not mistaken. It may be related.

In the meantime, there've been more releases of the dispatcher. Check it out:

• https://github.com/peter-evans/repository-dispatch/releases

Perhaps, they deployed some bug fixes.

cc @MSECode @Nicogene @traversaro

[pattacini]

More simply, the dispatcher for Distro 2023.11.0 failed:

• https://github.com/robotology/robotology-superbuild/actions/runs/6913455880/job/18810298230

[pattacini]

I think the problem is this change to tibdex/github-app-token:

• robotology/robotology-superbuild@7b8191c

According to the documentation, v2 introduces breaking changes:

• https://github.com/tibdex/github-app-token/releases/tag/v2.0.0

I will propose a PR to fix this.

[pattacini]

I will propose a PR to fix this.

• Update build-docker-images.yml robotology/robotology-superbuild#1562

cc @traversaro @valegagge @MSECode @Nicogene

[MSECode]

Yep @pattacini,
me and @valegagge are experiencing problem in the triggering of the automatic launch of the release_trigger repository_dispatch job since a couple of superbuild releases ago. I think since the 2023.8.0 or 2023.10, which has been launched manually on the repository docker-deployment-images
As you say, version v2 may be the problem.
Another thing is that I did not understand if the secret we are using, i.e. secrets.ICUB_TECH_IIT_APP_KEY must be present with the same name and value in all the repos we are using. I mean that, considering that the robotology-superbuild grabs the token using the app, do I have also to add that specific secret-value pair in the repo docker-deployment-images other than in icubtech-iit/code and in all the repos that needs that specific release_trigger (I've not a wide knowledge on these workflows, but probably @pattacini, you can explain that to me ).
Because currently in docker-deployment-images we are using the token as in here:

• https://github.com/icub-tech-iit/docker-deployment-images/blob/df8eaf7934ceb36a0b492665daa26d40195324e6/.github/workflows/release.yml#L59C11-L59C23

• docker-deployment-images/.github/workflows/release.yml

  Lines 78 to 86 in df8eaf7

  	- name: Repository Dispatch for building images
  	uses: peter-evans/repository-dispatch@v2
  	env:
  	GITHUB_APPS_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
  	with:
  	token: ${{ secrets.GITHUB_TOKEN }}
  	repository: ${{ env.REPOSITORY_NAME }}
  	event-type: repository_trigger
  	client-payload: '{"version": "${{ steps.get_version.outputs.version }}", "type": "repository_trigger", "img_list": "superbuild superbuild-tensorflow-cpu superbuild-tensorflow-gpu superbuild-icubhead superbuild-icubhead-withuser superbuild-nvidia superbuild-nvidia-10.1 superbuild-gazebo blender gazebo superbuild-ros2"}'

[pattacini]

do I have also to add that specific secret-value pair in the repo docker-deployment-images other than in icubtech-iit/code and in all the repos that needs that specific release_trigger

The App is capable of generating tokens when required. In this particular workflow, the token needs to be available with the appropriate permissions only at the origin of the request, that is robotology-superbuild.

Also, adding/removing tokens is a very sensitive operation, thus only admins can/shall do that.

GITHUB_TOKEN is a special token that is scoped with the repository where it is generated, hence it is limited. Further, for new repositories, GitHub will grant GITHUB_TOKEN only read permissions by default.

[MSECode]

repository

Understood, thanks a lot for the explanation

[valegagge]

Hi @pattacini ,
we noticed that in the workflow build-docker-images.ym of robotology-superbuyild the get_token step uses secrets that I can't find in the Code repo. Please see here. Are they secrets of the icub-tech organization?

[pattacini]

Those are secrets defined within the robotology org and serve to ask the App to generate tokens as per #24 (comment).

[valegagge]

Now with this PR #30, all should be fine.
Closing