potiuk edited a comment on pull request #13679: URL: https://github.com/apache/beam/pull/13679#issuecomment-755960446
It is copied by me, indeed, but early warning - I will likely remove it soon (and recommend any project using it to switch to a new way of dealing with the problem we discussed yesterday).

I highly recommend switching to the submodule approach discussed in https://lists.apache.org/thread.html/rcf7f560dad70ed02d77ad131a670e24eb815e41f92a442a3153da98b%40%3Cbuilds.apache.org%3E

The PR with working POC here: https://github.com/apache/airflow/pull/13514

And just to comment on properties of this approach:

This seems to work perfectly:

1) It always links to a particular SHA commit, not a branch
2) No code duplication
3) GitHub Review nicely incorporates the changed code from submodules whenever a submodule is updated, so it fits naturally in the review workflow.
4) Seems that we can easily make it work with GitHub Actions (the submodule needs to be checked out in a previous step of the job).
5) It's even easier to pull new versions.
6) It is equally easy to add any external action at any time
7) Passes all the INFRA requirements re: review + SHA - without any checks

Literally what we are trading off in the code is this:

.gitmodules
```
[submodule ".github/actions/get-workflow-origin"]
        path = .github/actions/get-workflow-origin
        url = https://github.com/potiuk/get-workflow-origin
```

In your YAML:
```
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
  uses: actions/checkout@v2
  with:
    persist-credentials: false
    submodules: recursive
- name: "Get information about the PR"
  uses: ./.github/actions/get-workflow-origin
  id: source-run-info
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
```

Where originally you'd have:
```
- name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
  uses: actions/checkout@v2
  with:
    persist-credentials: false
- name: "Get information about the PR"
  uses: potiuk/get-workflow-origin@588cc14f9f1cdf1b8be3db816855e96422204fec # v1_3
  id: source-run-info
  with:
    token: ${{ secrets.GITHUB_TOKEN }}
```

The nice thing is that it fits very nicely into GitHub Review - GitHub understands submodules and the files brought in, and changes are literally part of the reviewed files (even if they are physically not in the repo). It also automatically links to the SHA commit (the SHA commit is always stored in the git tree when you run `git submodule add` or `git submodule update`).

Also it does not change any workflow for your contributors. They do not have to know or use submodules; it is only needed by the CI and when you want to bring in a new version of an action.

It seems this is a perfect solution and it is much more secure than directly linking to an external action - precisely because it nicely integrates in the GitHub Review process when any changes are brought in.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
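
An added example, not part of the comment above or of the Beam or Airflow code: a Python check that classifies each `uses:` reference in a workflow as backed by a submodule declared in `.gitmodules`, pinned to a full commit SHA, or tied to a tag or branch that can be moved. The function names, category names and sample workflow text are assumptions constructed from the snippets in the comment.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                      # full commit SHA
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
PATH_RE = re.compile(r"^\s*path\s*=\s*(\S+)\s*$")

# Constructed sample input, assembled from the snippets in the comment.
SAMPLE_GITMODULES = """\
[submodule ".github/actions/get-workflow-origin"]
    path = .github/actions/get-workflow-origin
    url = https://github.com/potiuk/get-workflow-origin
"""
SAMPLE_WORKFLOW = """\
steps:
  - name: "Checkout"
    uses: actions/checkout@v2
    with:
      persist-credentials: false
      submodules: recursive
  - name: "Get information about the PR"
    uses: ./.github/actions/get-workflow-origin
  - name: "Same action, referenced externally"
    uses: potiuk/get-workflow-origin@588cc14f9f1cdf1b8be3db816855e96422204fec # v1_3
"""

def submodule_paths(gitmodules_text):
    """Return the set of submodule paths declared in .gitmodules text."""
    return {m.group(1).strip("/") for line in gitmodules_text.splitlines()
            if (m := PATH_RE.match(line))}

def classify_uses(ref, submodules):
    """Classify one `uses:` value (hypothetical category names)."""
    if ref.startswith("./"):
        path = ref[2:].strip("/")
        inside = any(path == p or path.startswith(p + "/") for p in submodules)
        return "submodule" if inside else "local"
    if ref.startswith("docker://"):
        return "docker-image"        # not covered by the comment
    version = ref.partition("@")[2]
    # A tag or branch can be moved later; a 40-hex SHA cannot.
    return "sha-pinned" if SHA_RE.match(version) else "mutable-ref"

def audit_workflow(workflow_text, gitmodules_text):
    """Return (line number, reference, category) for every `uses:` line."""
    subs = submodule_paths(gitmodules_text)
    return [(n, m.group(1), classify_uses(m.group(1), subs))
            for n, line in enumerate(workflow_text.splitlines(), 1)
            if (m := USES_RE.match(line))]

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW, SAMPLE_GITMODULES):
        print(*finding)
```

A `local` result marks a `./` action path that no `.gitmodules` entry covers, meaning the code is vendored in the repository itself rather than pulled in by a submodule.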