[jira] [Work logged] (BEAM-11569) Github actions are failing on Beam repo

Thu, 07 Jan 2021 00:19:05 -0800 


     [ 
https://issues.apache.org/jira/browse/BEAM-11569?focusedWorklogId=532326&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-532326
 ]

ASF GitHub Bot logged work on BEAM-11569:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 07/Jan/21 08:18
            Start Date: 07/Jan/21 08:18
    Worklog Time Spent: 10m 
      Work Description: potiuk edited a comment on pull request #13679:
URL: https://github.com/apache/beam/pull/13679#issuecomment-755960446


   It is copied by me, indeed, but early warning - I will likely remove it soon 
(and recommend any project using it to switch to a new way of dealing with the 
problem we discussed yesterday).
   
   I highly recommend switching to submodule approach discussed in 
https://lists.apache.org/thread.html/rcf7f560dad70ed02d77ad131a670e24eb815e41f92a442a3153da98b%40%3Cbuilds.apache.org%3E
 
   
   The PR with working POC here: https://github.com/apache/airflow/pull/13514
   
   And just to comment on properties of this approach:
   
   This seems to works perfectly:
   
   1) It always links to particular SHA commit not branch
   2) No code duplication
   3) GitHub Review nicely incorporates the change code from submodules
   whenever submodule is updated, so it fits naturally in the review workflow.
   4) Seems that we can easily make it works with Github Actions (the
   submodule needs to be checked out in previous step of the job).
   5) It's even easier to pull new versions.
   6) It is equally easy to add any external action at any time
   7) Passes all the INFRA requirements re: review + SHA - without any checks
   
   Literally what we are trading of in the code is this:
   
   .gitmodules
   
   ```
   [submodule ".github/actions/get-workflow-origin"]
   path = .github/actions/get-workflow-origin
   url = https://github.com/potiuk/get-workflow-origin
   ```
   
   In your YAML:
   
   ```
         - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
           uses: actions/checkout@v2
           with:
             persist-credentials: false
             submodules: recursive
         - name: "Get information about the PR"
           uses: ./.github/actions/get-workflow-origin
           id: source-run-info
           with:
             token: ${{ secrets.GITHUB_TOKEN }}
   ```
   
   
   Where originally you'd have:
   
   ```
         - name: "Checkout ${{ github.ref }} ( ${{ github.sha }} )"
           uses: actions/checkout@v2
           with:
             persist-credentials: false
         - name: "Get information about the PR"
           uses:
   potiuk/get-workflow-origin@588cc14f9f1cdf1b8be3db816855e96422204fec  # v1_3
           id: source-run-info
           with:
             token: ${{ secrets.GITHUB_TOKEN }}
   ```
   
   The nice thing is that it fits very nicely into GitHub Review - GitHub 
understands submodules and the files brought in and changes are literally part 
of the reviewed files  (even i they are physically not in the repo). It also 
automatically links to the SHA commit (SHA commit is always stored in the git 
tree when you run  `git submodule add` or `git submodule update`. Also it does 
not change any workflow for your contributors. They do not have to know or use 
submodule, it is only needed by the CI and when you want to bring new version 
of an action.
   
   It seems this is a perfect solution and it is much more secure than directly 
linking to an external action - precisely because it nicely integrates in 
GitHub Review process when any changes are brought in.
   
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 532326)
    Time Spent: 4h  (was: 3h 50m)

> Github actions are failing on Beam repo
> ---------------------------------------
>
>                 Key: BEAM-11569
>                 URL: https://issues.apache.org/jira/browse/BEAM-11569
>             Project: Beam
>          Issue Type: Bug
>          Components: testing
>    Affects Versions: 2.27.0
>            Reporter: Ahmet Altay
>            Assignee: Pablo Estrada
>            Priority: P0
>          Time Spent: 4h
>  Remaining Estimate: 0h
>
> As a result of https://issues.apache.org/jira/browse/INFRA-21234 github 
> actions on Beam repo are failing.
> This is currently blocking 2.27.0 release because building wheel files depend 
> on github actions. So far we identified 2 github actions that may need to be 
> addressed:
> ad-m/github-push-action
> potiuk/cancel-workflow-runs
> Error looks like https://github.com/apache/beam/actions/runs/458287140
> """
> ad-m/github-push-action@master is not allowed to be used in apache/beam. 
> Actions in this workflow must be: created by GitHub, verified in the GitHub 
> Marketplace, within a repository owned by apache or match the following: 
> apache/, gradle/wrapper-validation-action, gradle/wrapper-validation-action@, 
> peter-evans/create-pull-request@, dawidd6/action-download-artifact@, 
> scacap/action-surefire-report@*. 
> """
> /cc [~potiuk] [~tysonjh]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to