Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding external runner for doing a one-time full-sync #604

Merged
merged 2 commits into from
Dec 2, 2024

Conversation

dolan-a
Copy link
Contributor

@dolan-a dolan-a commented Feb 28, 2024

Summary:

This is a potential way of addressing #378 and #379.

As noted on #378, I'm using this along with the following for triggering safe-settings via GHA:

name: Safe Settings Sync
on:
  schedule:
    # daily run:
    - cron:  '0 0 * * *'
  workflow_dispatch: {}

jobs:
  safeSettingsSync:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          repository: pydolan/safe-settings
          ref: gha-runner
      - uses: actions/setup-node@v4
      - run: npm install
      - run: npm run full-sync
        env:
          GH_ORG: my-org
          APP_ID: my-app-id
          PRIVATE_KEY: ${{ secrets.SAFE_SETTINGS_PRIVATE_KEY }}
          GITHUB_CLIENT_ID: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_ID }}
          GITHUB_CLIENT_SECRET: ${{ secrets.SAFE_SETTINGS_GITHUB_CLIENT_SECRET }}

Additional comments:

  • My Commit history is a mess, so if you weren't going to do a Squash Merge of this PR, I will clean this up.
  • If there's a more javascript-y way of calling syncInstallation using index.js/package.json, I'm happy to change this.
  • Regarding Probot's GHA Adapter -- I initially used this in my separate script (similar to what handler.js does with the Serverless adapter), but this adapter uses the Action's GITHUB_TOKEN, which is limited to the current repo, so it offers no benefit that I can see.
  • Regarding my use of actions/checkout -- I would prefer to run safe-settings as an action using the Dockerfile, but GHA targets a different WORKDIR when doing so. There's an allow overriding workdir for container jobs actions/runner#878 about allowing workdir overrides with GHA.
  • [As noted in comments] I realized that my initial version of full-sync did not return a non-zero exit code when errors occurred, so I updated it to check settings.errors. I didn't see a way to check the errors from my syncInstallation call, so I modified Settings.syncAll to return its settings object. If someone has a cleaner option for this error checking, please let me know.

@dolan-a
Copy link
Contributor Author

dolan-a commented Mar 6, 2024

I realized that my initial version of full-sync did not return a non-zero exit code when errors occurred, so I updated it to check settings.errors. I didn't see a way to check the errors from my syncInstallation call, so I modified Settings.syncAll to return its settings object.

If someone has a cleaner option for this error checking, please let me know

@decyjphr
Copy link
Collaborator

decyjphr commented Mar 8, 2024

We could look into using checks to communicate errors back to the Actions workflow.

@dolan-a
Copy link
Contributor Author

dolan-a commented Mar 9, 2024

Yea, tying into Checks would make things cleaner. I'm not familiar with the feature or code in detail, so if anyone has tips/suggestions, let me know.

The other question I had was if the probot gha adapter would help with error collecting, but it doesn't look like the Settings class is sending probot error info, so maybe it wouldn't help

Copy link
Collaborator

@decyjphr decyjphr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pydolan I think this is a cool addition. Would you be able to add information about this in the README?

@dolan-a
Copy link
Contributor Author

dolan-a commented Jul 24, 2024

@decyjphr - this is still on my radar; will try to get to it soon!

@willejs
Copy link

willejs commented Oct 15, 2024

@decyjphr @decyjphr it would be great to see this merged in! ❤️

@dolan-antenucci-imprivata

@decyjphr and others – thanks for your patience on me getting back to this. I rebased my branch and updated the documentation with details on running safe-settings with GHA.

@dolan-a dolan-a requested a review from decyjphr November 4, 2024 18:47
@decyjphr decyjphr merged commit 1c752e0 into github:main-enterprise Dec 2, 2024
@paddyroddy
Copy link

@dolan-a thanks for sorting this! I'm deploying safe-settings via the GHA. I had a play with sample deployment settings and wasn't sure if the configvalidators/overridevalidators sections were actually working. I noticed this bit in the README.md. To enable the runtime settings, must one deploy, e.g. the helm chart?

Runtime Settings

  1. Currently the only setting that is possible are restrictedRepos: [... ] which allows you to configure a list of repos within your org that are excluded from the settings. If the deployment-settings.yml is not present, the following repos are added by default to the restrictedrepos list: 'admin', '.github', 'safe-settings'

@dolan-a
Copy link
Contributor Author

dolan-a commented Dec 19, 2024

I'm using a custom runtime settings file in my GHA setup to exclude repos. I would guess that the validators are working from my file (I left the default ones in there from the example file), but I forget if I tested them.

To use this, as I show in [https://github.com/github/safe-settings/blob/main-enterprise/docs/github-action.md](this example GHA setup), I have a var for indicating where that setting file is:

DEPLOYMENT_CONFIG_FILE: ${{ github.workspace }}/safe-settings/deployment-settings.yml

This does not require the helm deployment since the entire safe-settings code is pulled down to the GHa runner, and they code is what uses the deployment settings env var. Hope that helps!

@paddyroddy
Copy link

Thanks @dolan-a! I also had the default ones, I tried changing a collaborator to admin and it didn't seem to do anything (including manually running the action), which is what made me wonder if it's working. I, too, am using the restrictedRepos which is working well.

@decyjphr
Copy link
Collaborator

@paddyroddy I created this issue to check if you use case still works.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants