From ee995b2af2e95b895ba57a7d30790152fb47739a Mon Sep 17 00:00:00 2001 From: Alex Waygood Date: Tue, 4 Oct 2022 13:26:51 -0700 Subject: [PATCH 1/2] stubsabot: use an ssh-key when checking out typeshed Fixes #8434. This uses a new ssh key that @JelleZijlstra just set up for our repo ([this option](https://github.com/peter-evans/create-pull-request/blob/main/docs/concepts-guidelines.md#push-using-ssh-deploy-keys) in Peter Evans's guide to getting checks to run on automated PRs. It seems to be a good option in terms of both security and usability. It's also the option used by `oddbird/MetaDeploy` [here](https://github.com/oddbird/MetaDeploy/blob/main/.github/workflows/upgrade-deps.yml#L20), and they seem pretty happy about it (they wrote a nice blog post about their automated PRs for uprading dependencies [here](https://www.oddbird.net/2022/06/01/dependabot-single-pull-request/).) --- .github/workflows/stubsabot.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/stubsabot.yml b/.github/workflows/stubsabot.yml index d43cbef53d2e..7fead8df389e 100644 --- a/.github/workflows/stubsabot.yml +++ b/.github/workflows/stubsabot.yml @@ -17,6 +17,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 + with: + ssh-key: ${{ secrets.STUBSABOT_SSH_PRIVATE_KEY }} - uses: actions/setup-python@v4 with: python-version: "3.10" From 8c3e3c0c61d6ed17a3e8b418a3f73aafc25cbc87 Mon Sep 17 00:00:00 2001 From: Alex Waygood Date: Tue, 4 Oct 2022 13:28:17 -0700 Subject: [PATCH 2/2] Add comment --- .github/workflows/stubsabot.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/stubsabot.yml b/.github/workflows/stubsabot.yml index 7fead8df389e..657d58de8385 100644 --- a/.github/workflows/stubsabot.yml +++ b/.github/workflows/stubsabot.yml @@ -18,6 +18,7 @@ jobs: steps: - uses: actions/checkout@v3 with: + # use an ssh key so that checks automatically run on stubsabot PRs ssh-key: ${{ secrets.STUBSABOT_SSH_PRIVATE_KEY }} - uses: actions/setup-python@v4 with: