CmampTask7965_Fix_the_triggering_of_the_release_Docker_images_workflow#1096
| on: | ||
| # Trigger on a merged PR, with restrictions applied at the job level. | ||
| pull_request: | ||
| types: [closed] |
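Review bot: `types: [closed]` on `pull_request` fires for every closed PR, merged or not and whatever its base branch, so everything rests on the job-level condition that the comment mentions but this hunk does not show. Consider adding a `branches:` filter under `pull_request:` to limit runs to the release base branch, and make sure the job `if` checks `github.event.pull_request.merged == true` alongside the label, so a PR that is closed without merging can never reach the image-push steps.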
There was a problem hiding this comment.
Isn't this CI pipeline going to appear in all the closed PRs?
There was a problem hiding this comment.
Yes, but there’s an if condition here:
helpers/.github/workflows/dev_image_release.yml
Lines 21 to 25 in 806d920
So, the workflow will be triggered, but the job itself won’t run unless the condition is met.
There was a problem hiding this comment.
I think let's not have it triggered and shown for non-relevant PRs
There was a problem hiding this comment.
I can't find a way to prevent the GitHub workflow from triggering when we merge a PR with the Automated build label.
The only solution I’ve found is to trigger on any merged or closed PR and then filter them out at the job level.
Another possible approach could be:
- Keep this GitHub workflow as a manual run
- Add an extra manual step in our pipeline to execute this workflow
There was a problem hiding this comment.
How about triggering it on merge to master when the changelog.txt is changed?
We can do path filtering
| - name: Login to GHCR | ||
| run: | | ||
| echo "${{ secrets.GH_ACTION_ACCESS_TOKEN || secrets.GITHUB_TOKEN }}" \ | ||
| echo "${{ secrets.GITHUB_TOKEN }}" \ | ||
| | docker login ghcr.io -u ${{ github.actor }} --password-stdin |
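Review bot: in the `Login to GHCR` step the token and `github.actor` are substituted by `${{ }}` into the script text before the shell runs (`echo "${{ secrets.GITHUB_TOKEN }}" \`), so the values become part of the generated script instead of staying in the environment. Map them through `env:` on the step (for example `GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}`) and use `echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GITHUB_ACTOR" --password-stdin`. If the `GH_ACTION_ACCESS_TOKEN` fallback is dropped, the job also needs `permissions: packages: write` for `GITHUB_TOKEN` to push to GHCR, which is not visible in this hunk.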
There was a problem hiding this comment.
Also could we see how the PR would look like when it's filed by the GH app as well?
There was a problem hiding this comment.
Good catch!
I tried to make and test another PR: #1099 and found:
- need to update to the actual team name for release. Done in the test PR
- found that the auto generated GITHUB_TOKEN can't access the org. team members API:
> However, the GITHUB_TOKEN can only access resources within the workflow's repository. If you need to access additional resources, such as resources in an organization or in another repository, you can use a GitHub App.
- decided to use the GitHub App token
- found the only place where we are using the GitHub App in the csfy repo: .github/workflows/sprint_iteration.yml:82~89
- tried to do the same but found that certain variables weren't set up in the helpers repo: https://github.com/causify-ai/helpers/actions/runs/19305853465/job/55213024206?pr=1099
The question is: who is able to set up these variables and secrets in the helpers repo?
There was a problem hiding this comment.
which variables need to be set?
There was a problem hiding this comment.
- .github/workflows/sprint_iteration.yml
```yaml
- name: Generate GitHub App token
  uses: actions/create-github-app-token@v1
  id: app-token
  with:
    app-id: ${{ vars.GH_APP_ID }}
    private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
    owner: ${{ github.repository_owner }}
```
We need to set:
- variable: GH_APP_ID
- secret: GH_APP_PRIVATE_KEY
There was a problem hiding this comment.
I see they are already set as ORG level secrets/vars so they should already be accessible by //helpers right?
There was a problem hiding this comment.
You could also try to test it on //csfy too
There was a problem hiding this comment.
> I see they are already set as ORG level secrets/vars so they should already be accessible by //helpers right?
I tried to debug it in the ssh-session inside the GitHub workflow run, but they are empty:
the ssh-session step to see the variable and the secret:
helpers/.github/workflows/common_dev_image_build.yml
Lines 31 to 36 in 23192e7
- checked inside the ssh-session:
```
runner@runnervmw9dnm:~/work/helpers/helpers$ env | grep app
app-id=
runner@runnervmw9dnm:~/work/helpers/helpers$ env | grep private
private-key=
runner@runnervmw9dnm:~/work/helpers/helpers$
```
Probably need to set permission for this variable and secret on the repo level also.
https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets?utm_source=chatgpt.com#reviewing-access-to-organization-level-secrets
@heanhsok
Can you pls check it.
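A way to check whether the organization-level variable and secret resolve in a given repository without opening an SSH session on the runner, as an added example that is not part of the thread or of the project's workflows. The workflow name and file path are hypothetical; `GH_APP_ID` and `GH_APP_PRIVATE_KEY` are the names quoted above. An organization variable or secret that is not shared with the repository evaluates to an empty string rather than failing the run.

```yaml
# Hypothetical file: .github/workflows/check_app_credentials.yml
name: Check GitHub App credentials
on:
  workflow_dispatch:

# This job only reads contexts, so the GITHUB_TOKEN gets no permissions.
permissions: {}

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Report which credentials resolve in this repository
        env:
          # vars.* and secrets.* reach the shell only when mapped explicitly.
          GH_APP_ID: ${{ vars.GH_APP_ID }}
          GH_APP_PRIVATE_KEY: ${{ secrets.GH_APP_PRIVATE_KEY }}
        run: |
          missing=0
          for name in GH_APP_ID GH_APP_PRIVATE_KEY; do
            # ${!name} is bash indirect expansion; the value is tested for
            # emptiness and never printed.
            if [ -z "${!name}" ]; then
              echo "::error::$name resolved to an empty string in this repository"
              missing=1
            else
              echo "$name is set"
            fi
          done
          exit "$missing"
```

Running it from the repository in question shows a failed job with one error annotation per missing name, which separates an access-policy problem from a mistake in the step that consumes the values.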
There was a problem hiding this comment.
They should be there now. I don't have perm to check that but I could replicate them in //helpers.
Could you try again?
#7965
GITHUB_TOKEN only