ci: CPLYTM-821 - run release-please with an installation token #577
b4a0c70 to 930a319
I need to better check how to address the kics alert. Moving to draft until I can continue working on it.
930a319 to 8492720
jpower432
left a comment
Added one comment for possible simplification.
huiwangredhat
left a comment
@marcusburghardt Great! After the review, I learned how to easily obtain a GitHub app token and also how to skip the bash script in favor of a python script.
release-please creates a PR bumping versions and drafting a changelog. By default the PR is owned by github-actions and therefore CI tests from other workflows are not executed, to prevent a loop. This commit makes release-please use a GH App token.
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
Replaced the python code by actions/create-github-app-token to achieve the same outcome in a much simpler way. This action already ensures the token is masked and expiration is tied to the job. Explicit permissions are redundant, but it is intentional to make them explicit.
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
e95e6c5 to 0e71174
Rebased
Nice @huiwangredhat, thanks to @jpower432 I also learned about the create-github-app-token and implemented it in the last commit. Things got much simpler. :)
huiwangredhat
left a comment
LGTM.
jpower432
left a comment
Nice work @marcusburghardt! Just left one comment regarding the permission of the default token.
jpower432
left a comment
LGTM. The failing e2e job seems unrelated.
1fd2b6b to 98bea2e
These permissions were defined for GITHUB_TOKEN and are no longer necessary since release-please is now using an installation token.
Signed-off-by: Marcus Burghardt <maburgha@redhat.com>
98bea2e to b2df986
For transparency, there are two force-pushes after the reviews. I first tried something to isolate the issue with CI tests, then I reverted it to the state in which it was approved.
Summary
release-please creates a PR bumping versions and drafting a changelog. By default the PR is owned by github-actions and therefore CI tests from other workflows are not executed, to prevent a loop. This PR makes release-please use a GH App token.
Related Issues
CI tests are not executed when a PR is owned by github-actions[bot].
This repository has required tests triggered by other workflows. Since these tests are not executed, the PR cannot be merged, ultimately impacting the release process.
Review Hints
Here is the relevant documentation about "Triggering a workflow from a workflow":
It is also mentioned in the release-please documentation:
The simpler option would be to create a PAT, but this does not scale well, so a GitHub App using a limited INSTALLATION TOKEN should work better.
The workflow was created based on official documentation and inspired by the work from @huiwangredhat in complytime/cac-content#26
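The approach described in this PR, as an added example that is not the workflow from the PR or the project's own code. The branch name, the `RELEASE_APP_ID` variable, the `RELEASE_APP_PRIVATE_KEY` secret, the `release-type` value and the three `permission-*` scopes are assumptions for illustration.

```yaml
# Added example; not the workflow changed in this PR.
name: release-please
on:
  push:
    branches: [main]            # assumed release branch

# No step below uses the default GITHUB_TOKEN, so it is granted nothing.
permissions: {}

jobs:
  release-please:
    runs-on: ubuntu-latest
    steps:
      # Mints a short-lived installation token for the GitHub App.
      # The action masks the token in logs and revokes it in its post step,
      # so its lifetime is tied to this job.
      - name: Create installation token
        id: app-token
        uses: actions/create-github-app-token@v2
        with:
          app-id: ${{ vars.RELEASE_APP_ID }}                   # assumed variable name
          private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}  # assumed secret name
          # Without these inputs the token inherits every permission of the
          # installation. The scopes below are an assumed minimum for
          # release-please (release commits/tags, the release PR, its labels).
          permission-contents: write
          permission-pull-requests: write
          permission-issues: write

      # A PR opened with this token is owned by the App rather than by
      # github-actions[bot], so required checks from other workflows
      # are triggered on it.
      - name: Run release-please
        uses: googleapis/release-please-action@v4
        with:
          token: ${{ steps.app-token.outputs.token }}
          release-type: simple   # assumed; use the type that matches the repo
```

Pinning both `uses:` references to full commit SHAs instead of tags keeps a retagged release from changing the code that handles the App's private key.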