Add a requirement for git repo Settings's Workflow Permissions to the document #179

Open
hcg1023 opened this issue May 6, 2022 · 6 comments · May be fixed by #272

Comments

@hcg1023

hcg1023 commented May 6, 2022

I felt that adding a request for Workflow Permissions for Git Settings at the beginning of the document would have saved me a lot of trouble. It was my first time using GitHub Actions and Changesets, and the constant error reporting was very annoying. The default permissions are read-only and do not allow the creation and approval of pull requests.
However, you need write and create permission to approve pull requests.

@smiley-uriux

Might also be useful to mention the specific permissions needed for those who can't or do not wish to grant full workflow permissions. After some experimentation, the following permissions seemed to work:

jobs:
  release:
    name: Prepare Release
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      packages: write
      pull-requests: write
      issues: read
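As an added example (not code from this thread or from the changesets project), here is the least-privilege shape of that idea: the workflow-level `permissions: {}` strips every scope from the default `GITHUB_TOKEN`, and only the `release` job gets the scopes it needs, so a compromised step in the `test` job cannot push or open pull requests. It assumes publishing to npmjs.com with a constructed `NPM_TOKEN` secret (so `packages: write` is not needed) and a `release` npm script that calls `changeset publish`.

```yaml
name: Release

on:
  push:
    branches: [main]

# Assumption: the repository setting Settings > Actions > Workflow permissions
# is left at its read-only default. Declaring `permissions` here overrides the
# default GITHUB_TOKEN scopes for this workflow; an empty map removes every
# scope for any job that does not declare its own block.
permissions: {}

jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read        # checkout only; this job cannot push or open PRs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci --ignore-scripts && npm test

  release:
    needs: test
    runs-on: ubuntu-latest
    permissions:
      contents: write       # push the "Version Packages" branch and release tags
      pull-requests: write  # open and update the release PR
      id-token: write       # only needed for OIDC / npm provenance; drop otherwise
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # changesets needs history to compute versions
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci --ignore-scripts
      - name: Create Release Pull Request or Publish to npm
        uses: changesets/action@v1
        with:
          publish: npm run release   # script expected to run `changeset publish`
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # constructed secret name
```

The `permissions` key cannot switch on the repository-level "Allow GitHub Actions to create and approve pull requests" setting, so that box still has to be ticked for the release PR to be opened, which is exactly the setting the issue author ran into.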

@Andarist
Member

@hcg1023 so you have encountered a problem there because you were using a custom GitHub token with some missing scopes that are automatically included in the default token?

@smiley-uriux interesting, TIL about jobs.{{job}}.permissions.

I would be very much open to accepting a PR that adds some kind of Security section to the docs.

@hcg1023
Author

hcg1023 commented Jun 5, 2022

@Andarist I'm using secrets.GITHUB_TOKEN, which should not be a custom GITHUB_TOKEN.

@Andarist
Member

Andarist commented Jun 5, 2022

Ah, I see. I didn't realize that the permissions of this default token could have been changed like this. If you find a good place in the README to add this kind of information, I would gladly merge a PR with such an addition.

@airtonix

Tried this out:

  • have feature PR, lint/test yadda yadda
  • merge feature PR
  • master workflow runs:
name: Release Package

on:
  push:
    branches:
      - master

concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: write
      packages: write
      pull-requests: write
      issues: read
    steps:
      - uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - run: git fetch --no-tags --prune --depth=5 origin master

      - name: asdf setup
        uses: asdf-vm/actions/[email protected]

      - name: asdf install
        run: |
          set -x
          asdf plugin add nodejs
          asdf install

      #
      # This step configures NPM
      #
      # - here we configure the registry for publishing
      - name: Setup publishing
        uses: actions/setup-node@v2
        with:
          registry-url: "https://npm.pkg.github.com"
      #
      # This step caches installed things
      #
      - name: Cache npm modules
        uses: actions/cache@v2
        env:
          cache-name: cache-npm-modules
        with:
          path: ~/.npm
          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ matrix.node-version }}-${{ hashFiles('**/package-lock.json') }}
          restore-keys: |
            ${{ runner.os }}-build-${{ env.cache-name }}-${{ matrix.node-version }}-

      #
      # Install things sensitive to the lockfile
      #
      - run: npm ci --ignore-scripts

      #
      #
      #
      - name: Create Release Pull Request or Publish to npm
        id: changesets
        uses: changesets/action@21240c3cd1d2efa2672d64e0235a03cf139b83e6
        with:
          # This expects you to have a script called release which does a build for your packages and calls changeset publish
          publish: npm run release
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
          # this is the secret sauce for authenticating to our github npm registry
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Deploy 🚀
        uses: JamesIves/[email protected]
        if: steps.changesets.outputs.published == 'true'
        with:
          token: ${{ secrets.GIT_PUSH_TOKEN }}
          branch: gh-pages # The branch the action should deploy to.
          folder: docs # The folder the action should deploy.
  • get Release PR 👍🏻
  • merge Release PR
  • wait until the end of time for new action to run and actually create a github release 💀

@airtonix

So the reason it never runs the follow-up workflow on master is because changesets makes a commit with a message containing [skip ci].

I experimented with this a lot yesterday, and as we merge the "Version Packages" PR, I remove the [skip ci] from the message; then the next workflow runs, packages are deployed, and a GitHub release is made.

@Andarist we need a way to modify the commit message of the "Version Packages" PR to remove the [skip ci].
