Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

✨ Use pull_request_target + protected env for e2e #1308

Merged
merged 3 commits into from
Nov 19, 2021

Conversation

azeemshaikh38
Copy link
Contributor

  • Please check if the PR fulfills these requirements
  • What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

  • What is the current behavior? (You can also link to an open issue here)

  • What is the new behavior (if this is a feature change)?

  • Does this PR introduce a breaking change? (What changes might users need to make in their application due to this PR?)

  • Other information:

Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

did you try using workflow_run as suggested by someone? Why can we not use it?

.github/workflows/integration.yml Outdated Show resolved Hide resolved
@azeemshaikh38
Copy link
Contributor Author

did you try using workflow_run as suggested by someone? Why can we not use it?

For workflow_run we pass some context from pull_request (or any other non-secret accessing workflow) to the workflow_run job where it will have access to secrets. In our case, this doesn't work because we will most likely need to pass a pre-built binary and use that in workflow_run which is not safe.

@azeemshaikh38
Copy link
Contributor Author

I can't get the integration test workflow to run in this PR. How do we test changes to such workflows?

@azeemshaikh38 azeemshaikh38 marked this pull request as ready for review November 19, 2021 16:22
@laurentsimon
Copy link
Contributor

laurentsimon commented Nov 19, 2021

I can't get the integration test workflow to run in this PR. How do we test changes to such workflows?

the code used by GitHub is the one in the target/base branch, IFAIK. You'll have to merge into main to test it out. Maybe try it on a cloned repo?

@azeemshaikh38
Copy link
Contributor Author

azeemshaikh38 commented Nov 19, 2021

I can't get the integration test workflow to run in this PR. How do we test changes to such workflows?

the code used by GitHub is the one in the target/base branch, IFAIK. You'll have to merge into main to test it out. Maybe try it on a cloned repo?

So I setup my fork to have this change - https://github.com/azeemshaikh38/scorecard/blob/main/.github/workflows/integration.yml. Could you send my fork a PR from your fork to test this?

@laurentsimon
Copy link
Contributor

laurentsimon commented Nov 19, 2021

I can't get the integration test workflow to run in this PR. How do we test changes to such workflows?

the code used by GitHub is the one in the target/base branch, IFAIK. You'll have to merge into main to test it out. Maybe try it on a cloned repo?

So I setup my fork to have this change - https://github.com/azeemshaikh38/scorecard/blob/main/.github/workflows/integration.yml. Could you send my fork a PR from your fork to test this?

you can create PRs to you fork, right? Does it make a difference if I send the PR or you do?
I want to be sure you can iterate on sending more PRs for testing, and not be blocked by me to resend, etc

@azeemshaikh38
Copy link
Contributor Author

you can create PRs to you fork, right? Does it make a difference if I send the PR or you do? I want to be sure you can iterate on sending more PRs for testing, and not be blocked by me to resend, etc

You are right I was able to test it out -
image

I think this PR is good to submit.

Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM overall. I don't think this is the right approach because it affects productivity so much. Every time we submit a PR, we'll have to wait for someone to LGTM to run the integration test.

As an interim solution, it's better than having PR blocked for ever so let's merge in.

I think the right approach is to use workflow_run.

wdut?

.github/workflows/integration.yml Show resolved Hide resolved
@laurentsimon laurentsimon self-requested a review November 19, 2021 19:26
Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see comment about printed message. I don't understand how we know it's been reviewed.

@azeemshaikh38
Copy link
Contributor Author

see comment about printed message. I don't understand how we know it's been reviewed.

See #1308 (comment)

Copy link
Contributor

@laurentsimon laurentsimon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Azeem. Let's merge this one in and merge all the blocked PRs. Do you agree that we should move towards workflow_run to avoid affecting productivity? (In a follow-up PR)

@laurentsimon laurentsimon enabled auto-merge (squash) November 19, 2021 23:13
@azeemshaikh38
Copy link
Contributor Author

Thanks Azeem. Let's merge this one in and merge all the blocked PRs. Do you agree that we should move towards workflow_run to avoid affecting productivity? (In a follow-up PR)

No workflow_run will not work for us. At least, AFAICT. We can build the binaries in pull_request and pass it to workflow_run so that it can use the secret token, but then the binary itself will be a security threat.

@azeemshaikh38
Copy link
Contributor Author

This is still stuck :( I'm going to try and force submit it. Hopefully it should fix the issue for the other PRs.

@azeemshaikh38 azeemshaikh38 merged commit 10ee2c0 into main Nov 19, 2021
@azeemshaikh38 azeemshaikh38 deleted the azeems/env-secret branch November 19, 2021 23:48
@laurentsimon
Copy link
Contributor

laurentsimon commented Nov 20, 2021

Thanks Azeem. Let's merge this one in and merge all the blocked PRs. Do you agree that we should move towards workflow_run to avoid affecting productivity? (In a follow-up PR)

No workflow_run will not work for us. At least, AFAICT. We can build the binaries in pull_request and pass it to workflow_run so that it can use the secret token, but then the binary itself will be a security threat.

I see, that makes sense. Let's see if it's usable or not. Otherwise let's move to a model where we run the e2e tests without admin token. My understanding is that the token requires admin for certain check like branch protection: is my understanding correct? If that's the case, maybe we could at least separate the branch protection from the rest, to avoid blocking PR authors.

@naveensrinivasan has allowed/approved many PRs to unblock us, but it was not actually a code review: there was no LGTM. What I'm concerned with is that we're going to approve in a rush to allow the tests to run, without doing a proper review. @naveensrinivasan how is the user experience to approve these test to run?
I'll try to go thru it on my end to test it more.

@naveensrinivasan
Copy link
Member

TBH this is painful!

@cpanato cpanato mentioned this pull request Jul 22, 2022
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants