[LTP] [PATCH v2 1/1] ci: Add hook to mirror docparse to homepage

Petr Vorel pvorel@suse.cz
Tue Dec 13 20:18:38 CET 2022


Hi Richie,

first, thank you for your review!

> Hello,

> Petr Vorel <pvorel@suse.cz> writes:

> > GitHub Actions git push hook generates metadata HTML and pushes it
> > to LTP homepage.

> > Hook pushes only if there are actual changes in generated doc.

> IIUC we have to do most of the work to generate the meta data, but then
> don't push it if there is no diff?

> What are we saving with this optimisation?

This saves a number of commits which will change nothing,
because the page itself also has other changes for the web page itself,
which will be buried with these changes.
But sure, I'll remove this check, if considered useless.

If your comment is about doing the detection earlier,
I'd have to do some smart 'git diff'. Could be done with:
git diff $old_commit testcases/ | grep '^+ \* '
in step "Check metadata need to be updated"
(i.e. after both checkouts).


> > NOTE: this change requires to add:

> > 1) Personal Access Token (PAT) to any developer which has write access
> > to homepage git repository [3]. In Developer settings -> Personal access
> > tokens -> Tokens (classic) [4]), where set:
> > Note: GH_PERSONAL_ACCESS_TOKEN
> > Select scopes: public_repo (minimal permission)
> > Expiration: either never or regularly renew.

> > 2) Allow PAT in LTP organisation (I dared to already set it)
> > In linux-test-project group -> Settings -> Third-party Access -> Personal
> > access tokens -> Settings [5]
> > select:
> > Allow access via personal access tokens (classic)
> > API and Git access will be allowed using an organization member's personal access token (classic)

> > 3) Add repository action secret to ltp repository
> > In Settings -> Actions -> New repository secret [6]:
> > name: GH_PERSONAL_ACCESS_TOKEN
> > value: the value of previously created token.

> > Because using token, default permission is just read.

> This seems like a very convoluted process. Can't we just put the
> metadata generation in the docs build and upload the assets as usual?
> I've never had to use a PAT to deploy a github page.

Do you mean to have this Action in linux-test-project.github.com git repo?
What would trigger the build? Some kind of cron behavior?
Using PAT is a weak point thus I'm really open to other solutions.

...
> > +++ b/.github/workflows/metadata-mirror.yml
...
> > +    steps:
> > +      - name: Check secret
> > +        env:
> > +          GH_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
> > +        run: |
> > +          if [ -z "$GH_PERSONAL_ACCESS_TOKEN" ]; then
> > +            echo "::error::GH_PERSONAL_ACCESS_TOKEN environment variable is not set"
> > +            exit 1
> > +          fi
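
Review bot: the -z test in "Check secret" only shows that the repository secret is non-empty; a PAT that was revoked or has expired still leaves a value in the secret, passes this step, and fails later at git push. Suggest wording the error as a missing repository secret rather than an unset environment variable, and, if catching a dead token early is the goal, validating the token before the metadata is generated.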

> Do we not trust Github to set an env variable?
If I delete my PAT, this will catch it. Of course the error message could be
improved.

...
> > +      - name: Push generated html metadata to LTP homepage
> > +        env:
> > +          GH_PERSONAL_ACCESS_TOKEN: ${{
> > secrets.GH_PERSONAL_ACCESS_TOKEN }}

> Why put a credential in an env variable anyway? Can we not simply write
> ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} below?
I can test if it's supported inside "run:", but github hides env content,
thus no big deal to use env. See:
https://github.com/foo-pevik/ltp_foo/actions/runs/3660784474
GH_PERSONAL_ACCESS_TOKEN: ***

https://github.com/foo-pevik/ltp_foo/actions/runs/3660784474/jobs/6188315802
GH_PERSONAL_ACCESS_TOKEN: ***

(Hidden in all places.)

> > +        run: |
...
> > +          printf "metadata.nightly.html: Update to $commit\n\nUpdate metadata.nightly.html to $commit_desc\n" > /tmp/msg
> > +          git commit -F /tmp/msg .
> > +
> > +          echo "::notice::GH_PERSONAL_ACCESS_TOKEN: $GH_PERSONAL_ACCESS_TOKEN"
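
Review bot: the ::notice:: line at the end of this run block writes the token into the job log and the run annotations, so the only thing keeping it private is the log masking of the registered secret value. It reads like a debugging leftover and should be dropped before merge; masking matches the exact secret string and is not something to rely on for a credential with write access. Separately, the printf puts $commit and $commit_desc into the format string, so a '%' or backslash in the commit description is interpreted; pass them as arguments to a '%s' format instead.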

> Won't this print your PAT for the world to use?
No (described above, see the links of actual run).
> > +          git push
> > https://${GH_PERSONAL_ACCESS_TOKEN}@github.com/linux-test-project/linux-test-project.github.com.git
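
Review bot: git push takes the token as part of the remote URL, which puts it on the git command line and in whatever git prints about that remote on failure. Suggest supplying it through a credential helper or GIT_ASKPASS so the URL stays https://github.com/linux-test-project/linux-test-project.github.com.git. The commit message also gives the token the classic public_repo scope, which is not limited to the homepage repository; a deploy key on that repository or a fine-grained token restricted to it would narrow what a leak exposes.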

Kind regards,
Petr
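
The push step quoted above carries the token in the remote URL. As an added example (not part of the patch or of LTP's workflow), this is one way to hand the same environment variable to git through GIT_ASKPASS so that it never appears in a URL or in process arguments. The function names and the "x-access-token" user name are assumptions made for illustration, and it assumes no credential helper or http.extraheader is already configured for the remote.

```shell
#!/bin/sh
# write_askpass DIR: create a GIT_ASKPASS helper in DIR and print its path.
# git runs the helper with the prompt text as $1 and reads the answer
# from the helper's stdout.
write_askpass() {
    helper="$1/git-askpass.sh"
    cat > "$helper" <<'EOF'
#!/bin/sh
# The token is read from the environment at prompt time; it is never
# written into this file, the remote URL or the git command line.
case "$1" in
    Username*) printf '%s\n' "x-access-token" ;;   # assumed placeholder user name
    Password*) printf '%s\n' "${GH_PERSONAL_ACCESS_TOKEN:?token not set}" ;;
    *) exit 1 ;;                                   # unknown prompt: answer nothing
esac
EOF
    chmod 700 "$helper"
    printf '%s\n' "$helper"
}

# push_with_askpass REMOTE_URL: hypothetical wrapper for the push step.
# REMOTE_URL is the plain https URL with no credentials embedded in it.
push_with_askpass() {
    dir=$(mktemp -d) || return 1
    helper=$(write_askpass "$dir") || { rm -rf "$dir"; return 1; }
    # GIT_TERMINAL_PROMPT=0 makes git fail instead of waiting on a tty
    # if the helper cannot answer.
    GIT_ASKPASS="$helper" GIT_TERMINAL_PROMPT=0 git push "$1"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

In the workflow the step would keep its existing env: block and call push_with_askpass with the homepage repository URL.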

