ci: add token for cron-update-rust.yml #1580
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -10,6 +10,16 @@ jobs: | |
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: dtolnay/rust-toolchain@stable | ||
| - uses: tibdex/github-app-token@v1 | ||
| id: generate-token | ||
| with: | ||
| app_id: ${{ secrets.APP_ID }} | ||
| private_key: ${{ secrets.APP_PRIVATE_KEY }} | ||
| - uses: crazy-max/ghaction-import-gpg@v5 | ||
| with: | ||
| gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | ||
| git_user_signingkey: true | ||
| git_commit_gpgsign: true | ||
|
Comment on lines
+18
to
+22
Collaborator
There was a problem hiding this comment. I'm unsure how this action impact security-wise, but it doesn't seem very used/maintained :think:. We can always sign off the commits if we opt to not use this action.
Member
Author
There was a problem hiding this comment. It looks like the rust-bitcoin repo doesn't enforce that the commits be signed. With our current repo rules we can't merge unsigned commits. https://github.com/rust-bitcoin/rust-bitcoin/pull/3267/commits So we'd need to take off this protection, or figure out a way to get the github action to create a properly signed commit.
Collaborator
There was a problem hiding this comment. This looks like it will work, but I want to make sure we've considered the alternatives and that these new actions won't be a hassle to maintain for someone like @notmandatory Options:
Member
Author
There was a problem hiding this comment. I'm OK with these automations since they will prevent us from getting unexpected breaks when I think the github app credentials for PR creation as I have it now are a fine way to go. If the GPG plugin I added doesn't work then we could just let the action create the PR and who ever merges it will need to first rebase-resign the commit manually. It shouldn't happen too often so I'm not worried about the extra step.
Member
Author
There was a problem hiding this comment. BTW I think I can test this in my personal repo, will post here to confirm if it works as expected. Also I'm not so worried about the plugin versions being pinned since this can only create PRs it can't commit them.
Member
Author
There was a problem hiding this comment. I tested on my local repo and it works, see: https://github.com/notmandatory/bdk/pull/9/commits I had to create a new GPG key for the action, add the corresponding GPG pubkey to my account, and finally verify the email for this GPG key with my account. But after all that github created the PR, automatically runs the CI, and is able to verify the commit so the PR can be merged. 🎉
Collaborator
There was a problem hiding this comment.
Do you happen to know why the ci ran 41 checks on that PR?
Collaborator
There was a problem hiding this comment. I guess it's because it ran on pull_request and push dispatches 🤔 |
||
| - name: Update rust-version to use latest stable | ||
| run: | | ||
| set -x | ||
|
|
@@ -30,9 +40,9 @@ jobs: | |
| if: env.changes_made == 'true' | ||
| uses: peter-evans/create-pull-request@v6 | ||
| with: | ||
| token: ${{ steps.generate-token.outputs.token }} | ||
| author: Github Action <github@bitcoindevkit.org> | ||
| committer: Github Action <github@bitcoindevkit.org> | ||
| branch: create-pull-request/update-rust-version | ||
| title: | | ||
| ci: automated update to rustc ${{ env.rust_version }} | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need this new GH Action ?
Although it's suggested in the
peter-evans/create-pull-request, can't we just follow the same approach as rust-bitcoin (here) and use a new token ?