Skip to content

ci: unify secrets in GitHub Actions #557

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
May 18, 2024
Merged

ci: unify secrets in GitHub Actions #557

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6bbe09b
ci: unify secrets on GitHub
huxuan May 17, 2024
be3042d
update template
huxuan May 17, 2024
b6d8297
warn if use GITHUB_TOKEN in renovate
huxuan May 17, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion .github/workflows/renovate.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,15 +24,21 @@ jobs:
with:
app-id: ${{ vars.BOT_APP_ID }}
private-key: ${{ secrets.BOT_PRIVATE_KEY }}
- name: Warn if use GITHUB_TOKEN
run: |
if [ -z "${{ steps.generate-token.outputs.token || secrets.PAT }}" ]; then
echo "# :warning: GITHUB_TOKEN is used for renovate" >> $GITHUB_STEP_SUMMARY
echo "The GITHUB_TOKEN is used instead of a bot token or PAT and will not emit the checks for the pull requests." >> $GITHUB_STEP_SUMMARY
fi
- name: Warn if RENOVATE_GIT_AUTHOR is set while using GitHub App token
if: steps.generate-token.outputs.token && vars.RENOVATE_GIT_AUTHOR
run: |
echo "# :warning: `RENOVATE_GIT_AUTHOR` is set explicitly while using GitHub App token" >> $GITHUB_STEP_SUMMARY
echo "Generally, Renovate automatically detects the git author and email using the token. However, explicitly setting the `RENOVATE_GIT_AUTHOR` will override this behavior." >> $GITHUB_STEP_SUMMARY
- name: Run Renovate
env:
RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN || steps.generate-token.outputs.token }}
RENOVATE_GIT_AUTHOR: ${{ vars.RENOVATE_GIT_AUTHOR }}
RENOVATE_TOKEN: ${{ steps.generate-token.outputs.token || secrets.PAT || secrets.GITHUB_TOKEN }}
run: |
if [ -z "$RENOVATE_TOKEN" ]; then
echo "RENOVATE_TOKEN is not properly configured, skipping ..."
Expand Down
4 changes: 2 additions & 2 deletions docs/management/config.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ There are several configurations to utilize the features provided by the project
1. Set the **variable** `PDM_PUBLISH_REPO`, the repository (package index) URL to upload the package which defaults to `https://pypi.org`, the official PyPI.
1. Set the **variable** `PDM_PUBLISH_USERNAME`, the username to authenticate to the repository (package index) which defaults to `__token__`, used for [API token](https://pypi.org/help/#apitoken).
1. Set the **secret** `PDM_PUBLISH_PASSWORD`, the password to authenticate to the repository (package index).
1. Renovate authentication:
1. Renovate & semantic-release authentication:

There are two approaches, either with GitHub App or with personal access token (classic). GitHub App is the more recommended way to avoid the issues and pull requests tied to a particular user.

Expand All @@ -43,7 +43,7 @@ There are several configurations to utilize the features provided by the project

:::{tab-item} personal access token (classic)
1. [Create a personal access token (classic)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) with **workflow** scope.
1. Navigate to the [Actions secrets and variables](https://github.com/serious-scaffold/ss-python/settings/secrets/actions) settings and set the token as a **secret** `RENOVATE_TOKEN`.
1. Navigate to the [Actions secrets and variables](https://github.com/serious-scaffold/ss-python/settings/secrets/actions) settings and set the token as a **secret** `PAT`.
:::

::::
Expand Down
8 changes: 7 additions & 1 deletion template/[% if repo_platform == 'github' %].github[% endif %]/workflows/renovate.yml.jinja
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,15 +28,21 @@ jobs:
with:
app-id: {{ '${{ vars.BOT_APP_ID }}' }}
private-key: {{ '${{ secrets.BOT_PRIVATE_KEY }}' }}
- name: Warn if use GITHUB_TOKEN
run: |
if [ -z "{{ '${{ steps.generate-token.outputs.token || secrets.PAT }}' }}" ]; then
echo "# :warning: GITHUB_TOKEN is used for renovate" >> $GITHUB_STEP_SUMMARY
echo "The GITHUB_TOKEN is used instead of a bot token or PAT and will not emit the checks for the pull requests." >> $GITHUB_STEP_SUMMARY
fi
- name: Warn if RENOVATE_GIT_AUTHOR is set while using GitHub App token
if: steps.generate-token.outputs.token && vars.RENOVATE_GIT_AUTHOR
run: |
echo "# :warning: `RENOVATE_GIT_AUTHOR` is set explicitly while using GitHub App token" >> $GITHUB_STEP_SUMMARY
echo "Generally, Renovate automatically detects the git author and email using the token. However, explicitly setting the `RENOVATE_GIT_AUTHOR` will override this behavior." >> $GITHUB_STEP_SUMMARY
- name: Run Renovate
env:
RENOVATE_TOKEN: {{ '${{ secrets.RENOVATE_TOKEN || steps.generate-token.outputs.token }}' }}
RENOVATE_GIT_AUTHOR: {{ '${{ vars.RENOVATE_GIT_AUTHOR }}' }}
RENOVATE_TOKEN: {{ '${{ steps.generate-token.outputs.token || secrets.PAT || secrets.GITHUB_TOKEN }}' }}
run: |
if [ -z "$RENOVATE_TOKEN" ]; then
echo "RENOVATE_TOKEN is not properly configured, skipping ..."
Expand Down
4 changes: 2 additions & 2 deletions template/docs/management/config.md.jinja
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@ There are several configurations to utilize the features provided by the project
1. Set the **variable** `PDM_PUBLISH_REPO`, the repository (package index) URL to upload the package which defaults to `https://pypi.org`, the official PyPI.
1. Set the **variable** `PDM_PUBLISH_USERNAME`, the username to authenticate to the repository (package index) which defaults to `__token__`, used for [API token](https://pypi.org/help/#apitoken).
1. Set the **secret** `PDM_PUBLISH_PASSWORD`, the password to authenticate to the repository (package index).
1. Renovate authentication:
1. Renovate & semantic-release authentication:

There are two approaches, either with GitHub App or with personal access token (classic). GitHub App is the more recommended way to avoid the issues and pull requests tied to a particular user.

Expand All @@ -43,7 +43,7 @@ There are several configurations to utilize the features provided by the project

:::{tab-item} personal access token (classic)
1. [Create a personal access token (classic)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens#creating-a-personal-access-token-classic) with **workflow** scope.
1. Navigate to the [Actions secrets and variables](https://github.com/{{ repo_namespace }}/{{ repo_name }}/settings/secrets/actions) settings and set the token as a **secret** `RENOVATE_TOKEN`.
1. Navigate to the [Actions secrets and variables](https://github.com/{{ repo_namespace }}/{{ repo_name }}/settings/secrets/actions) settings and set the token as a **secret** `PAT`.
:::

::::
Expand Down