Add GitHub Action to trigger vTDS test deployment#62
Open
davidfluck-hpe wants to merge 1 commit into
Open
Conversation
This changeset adds a GitHub Action that will trigger vTDS deployments from pull request branches when an approved user (i.e. one with writer, maintaner, or admin permissions) comments /deploy on a pull request. The action will then deploy the HEAD of the PR branch. It does this primarily with github-script@v9, which is a GitHub-provided utility action for interacting with the GitHub API in a more friendly manner via JavaScript. That code looks for the /deploy comment, checks it against the commenter's repository access, and then triggers a deployment if the user has the correct acess. This functionality sidesteps several GitHub Actions-related security risks, especially if pull requests are made from forks. Signed-off-by: David Fluck <david.fluck@hpe.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request Template
Description
This changeset adds a GitHub Action that will trigger vTDS deployments from pull request branches when an approved user (i.e. one with writer, maintianer, or admin permissions) comments /deploy on a pull request. The action will then deploy the HEAD of the PR branch.
It does this primarily with github-script@v9, which is a GitHub-provided utility action for interacting with the GitHub API in a more friendly manner via JavaScript. That code looks for the
/deploycomment, checks it against the commenter's repository access, and then triggers a deployment if the user has the correct acess.This functionality sidesteps several GitHub Actions-related security risks, especially if pull requests are made from forks.
Additional work
This requires some out-of-band work that only a select few admins/org owners can provide, namely:
The OpenCHAMI GitHub App is necessary for the action to do things like read PR comments, while the Cray-HPE GitHub App is necessary to trigger the
workflow_dispatchendpoint to kick off the vTDS deployment action.Then, the following secrets need to be created within the OpenCHAMI/release repository:
OCHAMI_APP_CLIENT_ID: the installed OpenCHAMI GitHub App client IDOCHAMI_APP_PRIVATE_KEY: the installed OpenCHAMI GitHub App private keyAdditionally, the following secrets need to be created within the Cray-HPE/openchami-vtds repository:
HPE_APP_CLIENT_ID: the installed HPE GitHub App client IDHPE_APP_PRIVATE_KEY: the installed HPE GitHub App private keyCaveats
Testing this involved working from private repositories under the same GitHub user, which changes the permissions structure a bit. I believe the
github-scriptcode should work as written, but there's a small chance there's a syntax error or something; it's just difficult to test cross-org permissions stuff like this. I'm happy to fix anything that breaks, just let me know.Checklist
make test(or equivalent) locally and all tests passgit commit -s) with my real name and email<filename>.licensesidecarLICENSES/directoryType of Change
For more info, see Contributing Guidelines.