Re: Github Actions

Francis Chuang Wed, 28 Aug 2019 02:23:52 -0700

Hi Greg,

Yes, the token is needed to push to calcite-site as we are running thejob in the calcite repository. In terms of the token, if we are pushingto the calcite-site using Gitbox, then the token would be the one thatis currently used in the git-websites node on Jekins. If we want to pushdirectly to the Github calcite-site repository, then the token wouldprobably be a Personal Access Token for the Apache org on Github (not100% sure on this, but I think this is the case to the best of myunderstanding).

We currently don't have ability to add secrets to Github Actions at all.However, this isn't a huge problem for us at the moment. We currentlyjust need the Gitbox token on git-websites (which we do not have directaccess to) or a Github Personal Access Token added to our repositories.

I have added an action to print GSTEIN_TEST_SECRET. See this run here:https://github.com/apache/calcite/runs/205292835


I don't know the original value of the secret, but it prints as "***".

Francis

On 28/08/2019 11:32 am, Greg Stein wrote:

Hi Francis,

Is the token needed to push from calcite to calcite-site? Is that anoauth token or something? And are you able to use the repositorysettings to add secrets, but you don't have the right token? Or youcannot add secrets at all? (I can't tell since I have superpowers)

I've added GSTEIN_TEST_SECRET to Calcite. See if you can extract/printthat into your build/action log. If so, then we can try to figure outthe security here (ie. how do we avoid Actions exfiltrating the token?)


Thanks,
-g

On Tue, Aug 27, 2019 at 5:19 AM Francis Chuang <francischu...@apache.org<mailto:francischu...@apache.org>> wrote:


    I have implemented the ability to generate the website and javadoc for
    Calcite using Github Actions. See:
    https://github.com/apache/calcite/tree/test-site/.github/workflows

    The missing piece is that we need the token to publish to our
    calcite-site repository to be added as a secret in Github Actions and
    there is currently no clear process as to whether this is allowed or
    how
    to get this done.

    See:
    https://issues.apache.org/jira/browse/INFRA-18874
    https://issues.apache.org/jira/browse/INFRA-18875

    Francis

    On 27/08/2019 7:52 pm, Greg Stein wrote:
     > Have you had an opportunity to make progress on this, to share
    with us?
     >
     > Anybody else with news?
     >
     > Thanks!
     > -g
     > InfraAdmin, ASF
     >
     >
     > On Tue, Aug 13, 2019 at 3:59 PM Karl Heinz Marbaise
    <khmarba...@gmx.de <mailto:khmarba...@gmx.de>>
     > wrote:
     >
     >> Hi,
     >>
     >> I've made a simple PoC for the Apache Maven Dependency Plugin on a
     >> separate branch.
     >>
     >> I will try within the next days more features for example Mac OS
    builds
     >> etc.
     >>
     >>
     >> Currently I simply push my changes via gitbox ..
     >>
     >> maven-dependency-plugin (GITHUB_ACTIONS)$ git remote -v
     >> origin
    https://gitbox.apache.org/repos/asf/maven-dependency-plugin.git
     >> (fetch)
     >> origin
    https://gitbox.apache.org/repos/asf/maven-dependency-plugin.git
     >> (push)
     >>
     >>
     >> Also I'm interested to use SonarCloud related with GitHub Actions..?
     >>
     >>
     >> Kind regards
     >> Karl Heinz Marbaise
     >> Apache Maven PMC
     >>
     >> [1]:
    https://github.com/apache/maven-dependency-plugin/runs/192633340
     >> [2]:
     >>
     >>
    
https://github.com/apache/maven-dependency-plugin/blob/66435b225e7885f44b25207e025469f6d5237107/.github/workflows/maven.yml
     >>
     >> On 12.08.19 00:31, Greg Stein wrote:
     >>> On Sun, Aug 11, 2019 at 5:15 PM Francis Chuang
    <francischu...@apache.org <mailto:francischu...@apache.org>
     >>>
     >>> wrote:
     >>>> ...
     >>>
     >>>> I think there are quite a few ASF projects using gitbox and
    Github and
     >>>> this would be a very good complement or replacement for
    Travis, appvoyer
     >>>> and other CI/CD platforms currently in use.
     >>>>
     >>>> Is there any interest from the ASF to enable this for all Gitbox
     >>>> projects when it becomes fully public?
     >>>>
     >>>
     >>> Absolutely. The Infrastructure team would love to see groups
    try this
     >> out,
     >>> and share the experiences here.
     >>>
     >>> If there are any hurdles, then share them and we'll try to
    knock them
     >> down.
     >>>
     >>> I am also interested in being able to push to our website
    automatically
     >>>> using Github Actions. If the git token that can push to a
    particular
     >>>> website repository is added as a secret [2] to Github Actions,
    this
     >>>> would be pretty easy to use for projects to automate the
    building of
     >>>> their websites.
     >>>>
     >>>
     >>> Should be possible. Again, comes back to groups trying this and
    reporting
     >>> back how well it went.
     >>>
     >>> Cheers,
     >>> Greg Stein
     >>> Infrastructure Administrator, ASF
     >>>
     >>
     >

Re: Github Actions

Reply via email to