Fix release workflow to trigger changelog workflow #40654
Conversation
| - name: Create release | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GITHUB_PAT: ${{ secrets.RELEASE_CREATION_TOKEN }} |
There was a problem hiding this comment.
How is the PAT created (eg is it's Volkers)? Will it expire?
There was a problem hiding this comment.
It is mine. No expiration.
There was a problem hiding this comment.
Okay. If I understand it correctly, then the releases would be then associated to your account. I don't have a very strong opinion about this, but prefer how it's currently says "github-actions" as the creator - makes it very clear that the release was automatically created.
There was a problem hiding this comment.
actually if you mean the committer in https://github.com/sagemath/website/commits/master/ , it's set in the workflow rather than by the owner of the token. So this change wouldn't affect the committer.
There was a problem hiding this comment.
With these changes the releases created in https://github.com/sagemath/sage/releases will appear as if they were created manually by @kwankyu.
I still don't get why it's not better to simple put the script that triggers the website update here in the dist workflow.
There was a problem hiding this comment.
actually, maybe you're right. I don't think it's an issue though.
There was a problem hiding this comment.
With these changes the releases created in https://github.com/sagemath/sage/releases will appear as if they were created manually by @kwankyu.
@vbraun You may set your own PAT (Personal Access Token) to the "RELEASE_CREATION_TOKEN" secret, any time before the next stable release.
(but if we ever worry a leak of PAT, then putting my PAT is less destructive than one of the repo owners.)
I still don't get why it's not better to simple put the script that triggers the website update here in the
distworkflow.
Perhaps we may need some time delay between "releasing" and "creating changelogs". And triggering the website update seems to be out of concern of the "dist" workflow.
But I have no strong opinion. You may experiment your idea after we check that the change of the present PR works well on the next release.
There was a problem hiding this comment.
(but if we ever worry a leak of PAT, then putting my PAT is less destructive than one of the repo owners.)
Just to check, do you actually have the rights to create a new release? (I.e. can you do this manually?)
There was a problem hiding this comment.
Yes. I have "admin" role.
|
Documentation preview for this PR (built with commit a1f1b1f; changes) is ready! 🎉 |
For now, this fix is easiest. The priority is to have working code. We will see at the next stable release. |
|
weird bug, but understandable. I've never looked at this workflow though. note that there's some risk of secret leak from malicious workflow or something. I hope if it is leaked there isn't any particularly bad consequences? (i.e. the access token is created with restricted privileges?) Also from the linked issue,
why does it make a difference when you test it on your repository? (because when you test it on your repository you use a personal access token generated by you, so happens to bypass the issue, I guess?) @vbraun any other comment? |
|
okay, looks fine. Worst that can happen is
|
I guess that if it was leaked to a bad guy, it would have bad consequences. But in the present particular case, I don't see any reason to worry of a leak.
It is created with "repo scope".
Yes, I guess so too. Thanks for the review! |
4 participants
Fixes #39024 (comment). For why, see #39024 (comment)
To see if this works well, after merged, we can just watch
https://github.com/sagemath/website/actions/workflows/generate_changelog.yml
after the next stable release.
📝 Checklist
⌛ Dependencies