-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
build: update CI step for creating changesets + reporting coverage #2305
Conversation
I'd personally revert and re-evaluate our overall strategy. There are security considerations to be had when elevating permissions and we should understands the risks fully before doing so IMO.
|
The rationale here is that we don't need to report coverage for dependabot PRs given an upgrade in a dependency would not result in a difference in the coverage, there is nothing in the workflows to suggest that the
Consider the two branches:
My understanding when adding the Interested to hear others thoughts @nedsalk @Torres-ssf @arboleya @Dhaiwat10 @danielbate |
This is set in the repository settings rather than in the workflow. @arboleya can set this / change it to I think we should be adding changesets for dependabot PRs, should these introduce issues it'll make them easier to patch. My concern is that if the perms were not correct for coverage reporting, I'd assume changeset creation would be similar. Testing @fuel-service-user is a good move but we should do this sooner rather than later, and if it proves unsuccessful we should revert #2295 and test in isolation. |
@maschad I won't be able to follow up on this soon. I suggest you guys do huddle/call about it to be more productive and reach a consensus. If the revert is the solution for now, so be it. Otherwise, whatever fixes the problem, fix the problem. We need to get those workflows green again. |
45834ea
to
2eb7bbb
Compare
a06e486
to
91b881f
Compare
I realize that we may have overcomplicated things. We can simply change the workflow to have write permissions and then only run this job when it is dependabot acting , I took inspiration from the common dependabot operations |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Has this been tested on a fork?
Unfortunately that's not possible (with good reason) as you can imagine the implications of allowing someone who doesn't have write permissions to a repository but could configure GitHub Actions to respond to do so. |
Co-authored-by: Peter Smith <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Happy to approve 🍏 Can't see anything that could block the CI like the previous iterations.
Still skeptical if this will work, as I believe dependabot will not be able to request the permissions that are required (akin to externals forks).
@petertonysmith94 that's valid. It's not exactly clear in the Github documentation, suggests we can use the permissions key in our workflow to increase the access for the |
Coverage Report:
Changed Files:Coverage values did not change👌. |
This also relocates the
create-changesets
job to the PR-lint step so that in the case where dependabot does open the PR, that step is run before it's linted.Closes #2320