How to avoid leaking secrets: the only way to do that is via pre-verified code
that executes something with that secret. Otherwise, there are literally
infinite ways to leak it, being a Turing machine and all. This applies to
all CI/CD tools.

On Tue, Aug 27, 2019 at 20:32, Greg Stein <gst...@gmail.com> wrote:

> Hi Francis,
>
> Is the token needed to push from calcite to calcite-site? Is that an oauth
> token or something? And are you able to use the repository settings to add
> secrets, but you don't have the right token? Or you cannot add secrets at
> all? (I can't tell since I have superpowers)
>
> I've added GSTEIN_TEST_SECRET to Calcite. See if you can extract/print that
> into your build/action log. If so, then we can try to figure out the
> security here (ie. how do we avoid Actions exfiltrating the token?)
>
> Thanks,
> -g
>
> On Tue, Aug 27, 2019 at 5:19 AM Francis Chuang <francischu...@apache.org>
> wrote:
>
> > I have implemented the ability to generate the website and javadoc for
> > Calcite using Github Actions. See:
> > https://github.com/apache/calcite/tree/test-site/.github/workflows
> >
> > The missing piece is that we need the token to publish to our
> > calcite-site repository to be added as a secret in Github Actions and
> > there is currently no clear process as to whether this is allowed or how
> > to get this done.
> >
> > See:
> > https://issues.apache.org/jira/browse/INFRA-18874
> > https://issues.apache.org/jira/browse/INFRA-18875
> >
> > Francis
> >
> > On 27/08/2019 7:52 pm, Greg Stein wrote:
> > > Have you had an opportunity to make progress on this, to share with us?
> > >
> > > Anybody else with news?
> > >
> > > Thanks!
> > > -g
> > > InfraAdmin, ASF
> > >
> > >
> > > On Tue, Aug 13, 2019 at 3:59 PM Karl Heinz Marbaise <khmarba...@gmx.de>
> > > wrote:
> > >
> > >> Hi,
> > >>
> > >> I've made a simple PoC for the Apache Maven Dependency Plugin on a
> > >> separate branch.
> > >>
> > >> I will try within the next days more features for example Mac OS builds
> > >> etc.
> > >>
> > >>
> > >> Currently I simply push my changes via gitbox ..
> > >>
> > >> maven-dependency-plugin (GITHUB_ACTIONS)$ git remote -v
> > >> origin https://gitbox.apache.org/repos/asf/maven-dependency-plugin.git (fetch)
> > >> origin https://gitbox.apache.org/repos/asf/maven-dependency-plugin.git (push)
> > >>
> > >>
> > >> Also I'm interested to use SonarCloud related with GitHub Actions..?
> > >>
> > >>
> > >> Kind regards
> > >> Karl Heinz Marbaise
> > >> Apache Maven PMC
> > >>
> > >> [1]: https://github.com/apache/maven-dependency-plugin/runs/192633340
> > >> [2]: https://github.com/apache/maven-dependency-plugin/blob/66435b225e7885f44b25207e025469f6d5237107/.github/workflows/maven.yml
> > >>
> > >> On 12.08.19 00:31, Greg Stein wrote:
> > >>> On Sun, Aug 11, 2019 at 5:15 PM Francis Chuang <francischu...@apache.org>
> > >>> wrote:
> > >>>> ...
> > >>>
> > >>>> I think there are quite a few ASF projects using gitbox and Github and
> > >>>> this would be a very good complement or replacement for Travis, AppVeyor
> > >>>> and other CI/CD platforms currently in use.
> > >>>>
> > >>>> Is there any interest from the ASF to enable this for all Gitbox
> > >>>> projects when it becomes fully public?
> > >>>>
> > >>>
> > >>> Absolutely. The Infrastructure team would love to see groups try this out,
> > >>> and share the experiences here.
> > >>>
> > >>> If there are any hurdles, then share them and we'll try to knock them down.
> > >>>
> > >>>> I am also interested in being able to push to our website automatically
> > >>>> using Github Actions. If the git token that can push to a particular
> > >>>> website repository is added as a secret [2] to Github Actions, this
> > >>>> would be pretty easy to use for projects to automate the building of
> > >>>> their websites.
> > >>>>
> > >>>
> > >>> Should be possible. Again, comes back to groups trying this and reporting
> > >>> back how well it went.
> > >>>
> > >>> Cheers,
> > >>> Greg Stein
> > >>> Infrastructure Administrator, ASF
> > >>>
> > >>
> > >
> >
>
-- 
Matt Sicker <boa...@gmail.com>
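
An added example, not part of the thread or of any ASF project's code, illustrating the point at the top of this message from the defender's side: exact-match log masking and a log scanner for known encodings each catch only the forms they were told about. The secret, the log lines and the function names are all constructed for illustration, and `mask_exact` is a simplified model of CI log masking.

```python
import base64
import binascii

# Constructed sample values; not a real token or a real build log.
SECRET = "constructed-token-1234"
SAMPLE_LOG = [
    "Building site...",
    f"token={SECRET}",
    "debug: " + base64.b64encode(SECRET.encode()).decode(),
    "chars: " + " ".join(SECRET),
]


def mask_exact(line: str, secret: str) -> str:
    """Exact-match redaction (simplified model of CI log masking)."""
    return line.replace(secret, "***")


def encoded_variants(secret: str) -> dict:
    """A few reversible encodings a log scanner can check for."""
    raw = secret.encode()
    return {
        "plain": secret,
        "base64": base64.b64encode(raw).decode(),
        "hex": binascii.hexlify(raw).decode(),
        "reversed": secret[::-1],
    }


def find_leaks(lines, secret):
    """Return (line_number, encoding) for every known variant found."""
    variants = encoded_variants(secret)
    return [
        (n, name)
        for n, line in enumerate(lines, 1)
        for name, value in variants.items()
        if value in line
    ]


if __name__ == "__main__":
    masked = [mask_exact(line, SECRET) for line in SAMPLE_LOG]
    print(find_leaks(SAMPLE_LOG, SECRET))  # hits before masking
    print(find_leaks(masked, SECRET))      # hits that survive masking
```

The fourth sample line is neither masked nor flagged, and no variant list can be complete, so the control has to be on which code is allowed to receive the secret rather than on what appears in the log.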
