I think the pre-verified code could run on a separate system with restricted access. That's how self-service works for creating mailing lists, for example.
In this case, there would need to be a separate host with read access to Jenkins. It could accept publish requests from Jenkins, and route them accordingly. This would require a bit of effort to set up, but could be used for multiple projects.

On Wed, 28 Aug 2019 at 03:26, Greg Stein <gst...@gmail.com> wrote:
>
> Yeah. Figured as much, hoped that I was missing something :)
>
> (note: we have the same issue with buildbot and jenkins: we simply trust
> the communities to not exfil that data)
>
> On Tue, Aug 27, 2019 at 9:16 PM Matt Sicker <boa...@gmail.com> wrote:
> >
> > How to avoid leaking secrets: only way to do that is via pre-verified code
> > that executes something with that secret. Otherwise, there are literally
> > infinite ways to leak it, being a Turing machine and all. This applies to
> > all CI/CD tools.
> >
> > On Tue, Aug 27, 2019 at 20:32, Greg Stein <gst...@gmail.com> wrote:
> > >
> > > Hi Francis,
> > >
> > > Is the token needed to push from calcite to calcite-site? Is that an
> > > oauth token or something? And are you able to use the repository
> > > settings to add secrets, but you don't have the right token? Or you
> > > cannot add secrets at all? (I can't tell since I have superpowers)
> > >
> > > I've added GSTEIN_TEST_SECRET to Calcite. See if you can extract/print
> > > that into your build/action log. If so, then we can try to figure out
> > > the security here (i.e. how do we avoid Actions exfiltrating the token?)
> > >
> > > Thanks,
> > > -g
> > >
> > > On Tue, Aug 27, 2019 at 5:19 AM Francis Chuang <francischu...@apache.org> wrote:
> > > >
> > > > I have implemented the ability to generate the website and javadoc for
> > > > Calcite using Github Actions.
> > > >
> > > > See: https://github.com/apache/calcite/tree/test-site/.github/workflows
> > > >
> > > > The missing piece is that we need the token to publish to our
> > > > calcite-site repository to be added as a secret in Github Actions and
> > > > there is currently no clear process as to whether this is allowed or
> > > > how to get this done.
> > > >
> > > > See:
> > > > https://issues.apache.org/jira/browse/INFRA-18874
> > > > https://issues.apache.org/jira/browse/INFRA-18875
> > > >
> > > > Francis
> > > >
> > > > On 27/08/2019 7:52 pm, Greg Stein wrote:
> > > > >
> > > > > Have you had an opportunity to make progress on this, to share with
> > > > > us?
> > > > >
> > > > > Anybody else with news?
> > > > >
> > > > > Thanks!
> > > > > -g
> > > > > InfraAdmin, ASF
> > > > >
> > > > > On Tue, Aug 13, 2019 at 3:59 PM Karl Heinz Marbaise <khmarba...@gmx.de> wrote:
> > > > > >
> > > > > > Hi,
> > > > > >
> > > > > > I've made a simple PoC for the Apache Maven Dependency Plugin on a
> > > > > > separate branch.
> > > > > >
> > > > > > I will try within the next days more features, for example Mac OS
> > > > > > builds etc.
> > > > > >
> > > > > > Currently I simply push my changes via gitbox ..
> > > > > >
> > > > > > maven-dependency-plugin (GITHUB_ACTIONS)$ git remote -v
> > > > > > origin https://gitbox.apache.org/repos/asf/maven-dependency-plugin.git (fetch)
> > > > > > origin https://gitbox.apache.org/repos/asf/maven-dependency-plugin.git (push)
> > > > > >
> > > > > > Also I'm interested to use SonarCloud related with GitHub Actions..?
> > > > > >
> > > > > > Kind regards
> > > > > > Karl Heinz Marbaise
> > > > > > Apache Maven PMC
> > > > > >
> > > > > > [1]: https://github.com/apache/maven-dependency-plugin/runs/192633340
> > > > > > [2]: https://github.com/apache/maven-dependency-plugin/blob/66435b225e7885f44b25207e025469f6d5237107/.github/workflows/maven.yml
> > > > > >
> > > > > > On 12.08.19 00:31, Greg Stein wrote:
> > > > > > >
> > > > > > > On Sun, Aug 11, 2019 at 5:15 PM Francis Chuang <francischu...@apache.org> wrote:
> > > > > > > >
> > > > > > > > ...
> > > > > > > >
> > > > > > > > I think there are quite a few ASF projects using gitbox and
> > > > > > > > Github and this would be a very good complement or replacement
> > > > > > > > for Travis, AppVeyor and other CI/CD platforms currently in use.
> > > > > > > >
> > > > > > > > Is there any interest from the ASF to enable this for all Gitbox
> > > > > > > > projects when it becomes fully public?
> > > > > > >
> > > > > > > Absolutely. The Infrastructure team would love to see groups try
> > > > > > > this out, and share the experiences here.
> > > > > > >
> > > > > > > If there are any hurdles, then share them and we'll try to knock
> > > > > > > them down.
> > > > > > >
> > > > > > > > I am also interested in being able to push to our website
> > > > > > > > automatically using Github Actions. If the git token that can
> > > > > > > > push to a particular website repository is added as a secret [2]
> > > > > > > > to Github Actions, this would be pretty easy to use for projects
> > > > > > > > to automate the building of their websites.
> > > > > > >
> > > > > > > Should be possible. Again, comes back to groups trying this and
> > > > > > > reporting back how well it went.
> > > > > > >
> > > > > > > Cheers,
> > > > > > > Greg Stein
> > > > > > > Infrastructure Administrator, ASF
> >
> > --
> > Matt Sicker <boa...@gmail.com>
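One way to build the publish broker proposed above (a separate host that alone holds the push token, checks each request against its read-only view of Jenkins, and routes it to a fixed target), as an added example that is not code from this thread or from ASF Infra: the job names, routing table and Jenkins records are constructed, and `push_artifact` stands in for the real publish step.

```python
from dataclasses import dataclass


class PublishError(Exception):
    """Raised when the broker cannot confirm a request against Jenkins."""


@dataclass(frozen=True)
class PublishRequest:
    job: str    # Jenkins job that produced the artifact
    build: int  # build number the CI side asks to publish


# Constructed routing table: a Jenkins job may publish to exactly one target.
ROUTES = {"calcite-site-build": "apache/calcite-site"}

# Constructed stand-in for the broker's read-only view of Jenkins builds.
JENKINS = {
    ("calcite-site-build", 42): {"result": "SUCCESS", "artifact": "site.tar.gz"},
    ("calcite-site-build", 43): {"result": "FAILURE", "artifact": "site.tar.gz"},
}


def verify(req, jenkins=JENKINS, routes=ROUTES):
    """Cross-check the request against Jenkins' own record of the build.
    The requester chooses only (job, build); what is published, and where,
    is decided here from data the requester cannot supply itself."""
    if req.job not in routes:
        raise PublishError(f"no publish route for job {req.job!r}")
    build = jenkins.get((req.job, req.build))
    if build is None:
        raise PublishError("build unknown to Jenkins")
    if build["result"] != "SUCCESS":
        raise PublishError("build did not succeed")
    return routes[req.job], build["artifact"]


def push_artifact(target, artifact, token):
    """Placeholder for the fixed, pre-verified publish step (e.g. a git push
    to the target repository using the broker-held token)."""
    return f"published {artifact} to {target}"


def handle(req, token_store, jenkins=JENKINS, routes=ROUTES):
    """Broker entry point. The token is looked up and used only here; the
    reply sent back to the CI job reports the outcome and never carries it."""
    target, artifact = verify(req, jenkins, routes)
    detail = push_artifact(target, artifact, token_store[target])
    return {"ok": True, "target": target, "detail": detail}
```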