Closed #5267 as completed.
--
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/issues/5267#event-15314686137
You are receiving this because you are subscribed to this thread.
Message ID:
___
Yes I believe so.
--
Can we close this now after #5295 is merged?
Thanks!
--
_I'm moving the discussion from #5290 over to this issue..._
I had some issues with danger not being able to correctly process #5080. I can
also reproduce the issue in the danger test repo:
https://github.com/openstreetmap/danger-test/pull/5
--
Danger starts failing once the PR has >= 20 commits:
https://github.com/openstreetmap/danger-test/pull/6
--
Well that's interesting because
https://github.com/danger/danger/blob/53ebd6415175ac7611b8605d5c8d20905268404c/lib/danger/scm_source/git_repo.rb#L85-L91
is the key code and that is supposed to try four passes.
The first pass looks at a depth of 20 but if that fails it should retry to 74,
222 an
Could it be that danger is checking a certain number of commits by default
only? I tried adding one commit at a time in
https://github.com/openstreetmap/danger-test/pull/6, and it worked at least up
to 15 commits. The failing PR had 20 commits.
--
I'm trying the complex scenario with 2 CI steps. I've started with the second
half that's updating the pull request:
https://github.com/test-9bf40560-ba4d/dangertest/pull/7
Have you tried to post some comments and fail the build in case of issues?
--
I've opened https://github.com/danger/danger/pull/1501 for upstream that I
believe should fix things...
--
> I'm explicitly passing its hash as the head. [...] PR branch should still be
> present and accessible.
I suspect that there must be more to pull_request_target to prevent untrusted
code from accidentally being executed with elevated privileges...
--
I've taken my question over to
https://github.com/danger/danger/issues/1103#issuecomment-2430080724
Maybe you can keep an eye on the discussion over there a bit. We probably need to
move to danger-js.
https://danger.systems/js/usage/danger-process as proposed in one answer seems
to fit nicely to
That's not in any way relevant - it's running in the context of the base branch
(master) in my repo as well but the target is still there and I'm explicitly
passing its hash as the head.
All pull_request_target means is that it doesn't merge the PR branch into
master before running, so that th
Yes, it's a security feature:
https://github.blog/news-insights/product-news/github-actions-improvements-for-fork-and-pull-request-workflows/
_-> new pull_request_target event [...] runs against the workflow and code
from the base of the pull request. This means the workflow is running from a
It worked for
https://github.com/tomhughes/openstreetmap-website/actions/runs/11465903348 so
it must be something specific to cross-repo PRs :-(
--
It seems it's still failing:
https://github.com/openstreetmap/openstreetmap-website/actions/runs/11466048440/job/31905883310?pr=5270
--
I did some testing in my fork and I'm hopeful that
8e54d0f2aeaad8648a60e4685fa64380c45c5631 will actually fix it.
--
https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
might be interesting. It describes a setup, where untrusted code is processed
by an `on: pull_request` step (which has access to the pull request). In this
step we could run danger, similar to what chef/chef is doi
The token is not the problem - the problem is getting it to find the commits.
--
It seems GitHub also supports [tokens with fine-grained set
permissions](https://docs.github.com/en/rest/authentication/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28),
although they are still in Beta. Using these we can set write permissions for
labels only.
I think that's fine. Log files from 3 weeks ago show that danger was running
back then:
![image](https://github.com/user-attachments/assets/44f417fe-9255-4e19-8092-abcb347cf55d)
https://github.com/danger/danger/actions/runs/11090746237/job/30813474684
--
Incidentally the "example" in the danger repo at
https://github.com/danger/danger/blob/master/.github/workflows/CI.yml is not
what it seems - if you look closely it never actually runs danger, it just
echoes the command that would run it!
--
I found another alternative in https://github.com/chef/chef/pull/14134, which
is danger-js. It seems to work on a forked repo pull request:
![image](https://github.com/user-attachments/assets/4c40858c-d32f-467f-9e54-fea1e44a6d61)
The output is a bit buried in gh action logs. Fancy things like se
https://github.com/openstreetmap/openstreetmap-website/actions/runs/11407724340/job/31744367292
seems to be doing a bit better. I have replaced `pull_request_target:
types: [opened, synchronize]` by `on: [pull_request]`.
The token doesn't have access to remove or add labels:
```
Error me
```
What about RUNNING_IN_ACTIONS=true ? This seems to be still missing.
--
I haven’t checked the code before. They’re using it in their own Dangerfile to
control junit reporting. So it’s really irrelevant for us:
https://github.com/danger/danger/blob/cd913ea817a2fb9536172597303d78492a727668/Dangerfile#L56
--
Because it serves no purpose - nothing in the danger code ever looks at that.
--
I've just created a new PR, let's see how it goes.
--
Let's see if
https://github.com/openstreetmap/openstreetmap-website/commit/6d0c2913326fbfdf3578416853e31d7a950d97ed
helps...
--
The automatic token should be fine if we do things right - no need to configure
a separate one.
--
I wouldn't use my own account to create the token, and rather create some new
"OSM Danger Bot" GH account. You could also keep that token secret and
reference it by variable name only.
--
Yes but having seen how they configure their own secret I'm not trusting them
to tell me how to do it! Working on a proper solution now...
--
One of the links I've posted mentioned "public_repo" scope, that's read only
access to public repos.
--
No we don't have an enterprise account. What permissions exactly will the token
need?
--
> ...
> Run bundle exec danger --verbose
> To use retry middleware with Faraday v2.0+, install `faraday-retry` gem
> To use multipart middleware with Faraday v2.0+, install `faraday-multipart`
> gem; note: this is used by the ManageGHES client for uploading licenses
> fatal: couldn't find remote r
It seems this Danger issue might be related:
https://github.com/danger/danger/issues/1103
--
I merged the Danger PR (#4988) earlier, but as @tomhughes pointed out, [it
doesn't appear to be
working](https://github.com/openstreetmap/openstreetmap-website/actions/runs/11370083928/job/31629028217?pr=5266):
```
Run bundle exec danger --verbose
To use retry middleware with Faraday v2.0+, inst
```