
docs: enable pull requests to publish a preview #11

Open
wants to merge 2 commits into
base: main
Conversation

@AlexanderLanin AlexanderLanin commented Jan 15, 2025

We have an action running which will publish pull request previews into /pr-123 subdirectories in gh-pages. However, that action currently cannot push to the gh-pages branch.

GITHUB_TOKEN is currently allowed to push to branches when running for branch builds, but it's disabled when running from PR builds. This PR adjusts the relevant setting.

Note: there is contradictory information on the internet regarding how 'default workflow permissions' behave. But it seems (as evidenced in this case) that the interpretation of it serving as a maximum is correct. Workflows cannot elevate themselves to write when the default is set to read-only.

If your repository's Actions permissions setting is set to "Read repository contents permission" (default), the permissions block in the workflow cannot elevate permissions to write.
The permissions block refines or restricts permissions within the limits set by the repository settings. It cannot bypass those limits.

Examples of default_workflow_permissions in combination with gh-pages:

@AlexanderLanin AlexanderLanin requested a review from a team as a code owner January 15, 2025 21:37

Thank you for raising a pull request to update the configuration of your GitHub organization.
You can manually add reviewers to this PR to eventually enable auto-merging.

The following conditions need to be fulfilled for auto-merging to be available:

  • valid configuration
  • approved by a project lead
  • does not require any secrets
  • does not update settings only accessible via the GitHub Web UI
  • does not remove any resource
Otterdog commands and options

You can trigger otterdog actions by commenting on this PR:

  • /otterdog team-info checks the team / org membership for the PR author
  • /otterdog validate validates the configuration change
  • /otterdog validate info validates the configuration change, printing also validation infos
  • /otterdog check-sync checks if the base ref is in sync with live settings
  • /otterdog merge merges and applies the changes if the PR is eligible for auto-merging (only accessible for the author)
  • /otterdog done notifies the self-service bot that a required manual apply operation has been performed (only accessible for members of the admin team)
  • /otterdog apply re-apply a previously failed attempt (only accessible for members of the admin team)


The author (AlexanderLanin) of this PR is associated with this organization in the role of NONE.

netomi commented Jan 16, 2025

/otterdog validate info


Please find below the validation of the requested configuration changes:

Diff for 70ece1c
Project automotive.score[github_id=eclipse-score]
+                                                                                                             
+ Info:   repository[name=".github"] has 'actions_can_approve_pull_request_reviews' enabled, while on         
+         organization level it is disabled, setting will be ignored.                                         
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="bazel_registry"] has 'actions_can_approve_pull_request_reviews' enabled, while on  
+         organization level it is disabled, setting will be ignored.                                         
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="eclipse-score.github.io"] has 'actions_can_approve_pull_request_reviews' enabled,  
+         while on organization level it is disabled, setting will be ignored.                                
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="inc_feo"] has 'actions_can_approve_pull_request_reviews' enabled, while on         
+         organization level it is disabled, setting will be ignored.                                         
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="inc_mw_com"] has 'actions_can_approve_pull_request_reviews' enabled, while on      
+         organization level it is disabled, setting will be ignored.                                         
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="inc_mw_log"] has 'actions_can_approve_pull_request_reviews' enabled, while on      
+         organization level it is disabled, setting will be ignored.                                         
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="inc_mw_per"] has 'actions_can_approve_pull_request_reviews' enabled, while on      
+         organization level it is disabled, setting will be ignored.                                         
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="process_description"] has 'actions_can_approve_pull_request_reviews' enabled,      
+         while on organization level it is disabled, setting will be ignored.                                
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="reference_integration"] has 'actions_can_approve_pull_request_reviews' enabled,    
+         while on organization level it is disabled, setting will be ignored.                                
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="score"] has 'default_workflow_permissions' of value 'write', while on              
+         organization level it is restricted to 'read', setting will be ignored.                             
+                                                                                                             
+                                                                                                             
+ Info:   repository[name="score"] has 'actions_can_approve_pull_request_reviews' enabled, while on           
+         organization level it is disabled, setting will be ignored.                                         
+                                                                                                             
  
  Plan: 0 to add, 0 to change, 0 to delete.

netomi commented Jan 16, 2025

So overwriting specific settings on the repo level, while on the org level it is more restricted, does not work and the setting will be ignored.

In your case, you should adapt the workflow to specify the required permission it needs, see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token

@AlexanderLanin
Author

@netomi, sorry, I was unclear. That's what we tried already. It doesn't help. And it seems this does not work because it cannot have more access than the "default". At least that's how I understand it at the moment.

https://github.com/eclipse-score/score/blob/6991a3e00a97c0e74df267f74b9e88b3137b56ef/.github/workflows/docs.yml#L44-L47

netomi commented Jan 16, 2025

It does not work for PRs from forks. In such cases the workflow will not get write tokens. This is the default behavior of GitHub. So there are workarounds that we applied for several projects, see for example https://github.com/eclipse-langium/langium-website/blob/main/.github/workflows/preview.yml
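One shape of the workaround described above, as an added example (not a copy of the langium-website file and not part of this PR): the `pull_request` build runs with the read-only token and only uploads the rendered HTML plus its PR number as an artifact; a separate `workflow_run` workflow in the base repository, which does receive a write-capable GITHUB_TOKEN even for fork PRs, copies that artifact into `pr-<n>/` on gh-pages. The file names, the `make html` command and the `_build/html` output directory are assumptions.

```yaml
# .github/workflows/docs-preview-build.yml (assumed name). Runs in the PR's own
# context; for fork PRs GITHUB_TOKEN is read-only there, so this job never
# touches gh-pages. It only builds and uploads an artifact.
name: docs-preview-build
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make html   # assumed build command, assumed output dir _build/html
      # workflow_run.pull_requests is empty for fork PRs, so carry the number along
      - run: echo "${{ github.event.pull_request.number }}" > _build/html/.pr-number
      - uses: actions/upload-artifact@v4
        with:
          name: docs-preview
          path: _build/html
---
# .github/workflows/docs-preview-deploy.yml (assumed name). Triggered when the
# build run completes; executes from the default branch with a write-capable
# token whether or not the PR came from a fork. The artifact is untrusted input
# from the PR: copy static files only, never execute anything from it.
name: docs-preview-deploy
on:
  workflow_run:
    workflows: [docs-preview-build]
    types: [completed]
permissions:
  contents: write
jobs:
  deploy:
    if: github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: docs-preview
          path: preview
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      - uses: actions/checkout@v4
        with: { ref: gh-pages, path: site }
      - name: Publish into pr-<n>/ (reject anything but a plain integer)
        run: |
          pr="$(tr -d '[:space:]' < preview/.pr-number)"
          case "$pr" in ''|*[!0-9]*) echo "bad PR number: $pr" >&2; exit 1;; esac
          rm -f preview/.pr-number; rm -rf "site/pr-$pr"; mkdir -p "site/pr-$pr"
          cp -R preview/. "site/pr-$pr/" && cd site && git add "pr-$pr"
          git config user.name github-actions && git config user.email actions@github.com
          git diff --cached --quiet || { git commit -m "docs preview for PR #$pr" && git push; }
```

The integer check matters because the PR author controls the artifact contents; without it a crafted `.pr-number` could steer the copy outside `pr-<n>/` on the branch the write token can push to.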
