[LTP] [PATCH v2 1/1] ci: Add hook to mirror docparse to homepage

Thu Mar 23 08:30:46 CET 2023

Hi Richie, Cyril,

> Hello,

> Petr Vorel <pvorel@suse.cz> writes:

> > Hi Richie,

> > first, thank you for your review!

> >> Hello,

> >> Petr Vorel <pvorel@suse.cz> writes:

> >> > GitHub Actions git push hook generates metadata HTML and push it
> >> > to LTP homepage.

> >> > Hook pushes only if there are actual changes in generated doc.

> >> IIUC we have to do most of the work to generate the meta data, but then
> >> don't push it if there is no diff?

> >> What are we saving with this optimisation?

> > This saves number of commits which will change nothing.
> > Because the page itself has also other changes for the web page itself,
> > which will be buried with these changes.
> > But sure, I'll remove this check, if considered useless.

> I think the root of the problem is that we are publishing to a branch
> which makes sense if we write the HTML by hand.

> However we are generating it from multiples sources. So this doesn't
> work well with Git.

> Why not use the upload assets method?:

> https://docs.github.com/en/pages/getting-started-with-github-pages/configuring-a-publishing-source-for-your-github-pages-site#creating-a-custom-github-actions-workflow-to-publish-your-site

Thanks for a hint, actions/checkout [1] looks useful.

@Cyril We currently have github pages uploaded within separate repository [2],
we'd need to convert it to Publishing with a custom GitHub Actions workflow [3].
That would include to migrate the necessary content (index.html and assets
directory) to ltp repository (put into new web directory) and create new GitHub
Actions workflow (examples [4] [5]).

This would help that 1) we'd not need Personal Access Token (everything is in
single repository) 2) only a real sources would be stored in git, not generated
files. It's not a high priority for me, but I'm willing to implement everything,
if I got ack from you.

> > If your comment is about to do the detection earlier,
> > I'd have to do some smart 'git diff'. Could be done with:
> > git diff $old_commit testcases/ | grep '^+ \* '
> > in step "Check metadata need to be updated"
> > (i.e. after both checkouts).

> >> > NOTE: this change requires to add:

> >> > 1) Personal Access Token (PAT) to any developer which has write access
> >> > to homepage git repository [3]. In Developer settings -> Personal access
> >> > tokens -> Tokens (classic) [4]), where set:
> >> > Note: GH_PERSONAL_ACCESS_TOKEN
> >> > Select scopes: public_repo (minimal permission)
> >> > Expiration: either never or regularly renew.

> >> > 2) Allow PAT in LTP organisation (I dared to already set it)
> >> > Iin linux-test-project group -> Settings -> Third-party Access -> Personal
> >> > access tokens -> Settings [5]
> >> > select:
> >> > Allow access via personal access tokens (classic)
> >> > API and Git access will be allowed using an organization member's personal access token (classic)

> >> > 3) Add repository action secret to ltp repository
> >> > IN Settings -> Actions -> New repository secret [6]:
> >> > name: GH_PERSONAL_ACCESS_TOKEN
> >> > value: the value of previously created token.

> >> > Because using token, default permission is just read.

> >> This seems like a very convoluted process. Can't we just put the
> >> metadata generation in the docs build and upload the assets as usual?
> >> I've never had to use a PAT to deploy a github page.

> > Do you mean to have this Action in linux-test-project.github.com git repo?
> > What would trigger the build? Some kind of cron behavior?
> > Using PAT is a weak point thus I'm really open to other solutions.

> I guess a github action can be triggered by multiple sources, including
> other actions and the assets from one action should be available in the
> next.

> I'm more familiar with GitLab, but this is basic build pipeline stuff,
> so GitHub should support it.

FYI I find hint to use workflow_dispatch [6], but doc states [7] that for
triggering a workflow from a workflow (our case) secrets.GITHUB_TOKEN (IMHO
within repository) cannot be used. Instead, personal access token must be set
(in one of the developers account), store it in your repo or orgs secrets and
reference that instead. i.e. the same approach I already implemented.  Maybe
this reversed approach would be cleaner, but as they both require PATH, from the
security point they are the same.

=> Using actions/checkout is better solution for us anyway. But it's good to
know, that any actions between repos requires Personal access token (fortunately
we will never need to some triggering between subprojects). I'm not sure gitlab
would be easier on this, but we're not going to migrate to gitlab anyway.

Kind regards,
Petr

[1] https://github.com/actions/upload-pages-artifact
[2] https://github.com/linux-test-project/linux-test-project.github.com
[3] https://docs.github.com/en/pages/getting-started-with-github-pages/configuring-a-publishing-source-for-your-github-pages-site#publishing-with-a-custom-github-actions-workflow
[4] https://github.com/jendrikseipp/rednotebook/blob/master/.github/workflows/web.yml
[5] https://github.com/conda/conda-package-streaming/blob/main/.github/workflows/sphinx.yml
[6] https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#workflow_dispatch
[7] https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow