# Notes

## CI/CD

The main branch has comprehensive branch protections including requiring a Pull Request. This prevents python-semantic-release from pushing commits to the main branch when it bumps the version (and modifies the changelog).

There are a couple of possible solutions to this.

Unfortunately both solutions require the branch protection to allow admin users to bypass branch protections. To stop yourself from mistakenly pushing to the protected main branch from the CLI you can use a simple hack: `git config --global branch.main.pushRemote no_push`. This sets the push remote for the main branch to the non-existent `no_push` remote, so `git push` fails with an error because the remote cannot be found.

### CI/CD with Personal Access Token

We will create a PAT (Personal Access Token) and explicitly give it permission to "bypass branch protections". The Github Action will have to be configured to use this specific PAT instead of the auto-generated per-workflow Github Access Token which does not have the required permission to push commits to a protected branch.

#### Create Personal Access Token

  1. In Github navigate to (Personal) Settings > Developer Settings > Personal Access Tokens > Fine-grained tokens > Generate new token

  2. Limit repository access to just this repo.

  3. Set the following Repository Permissions:

    1. Administration: Read and Write
    2. Contents: Read and Write
    3. Metadata: Read-only (Mandatory)
  4. Leave everything else set to "No Access".

  5. Click Generate Token

  6. Copy the generated token and place it in the repo's Github Actions Secrets with the name `PAT` (Repo Settings > Secrets and variables > Actions > New repository secret)

#### Checkout code

By default the checkout action uses a one-time Github token. Since we want to use the PAT we need to configure the checkout action to use it.

```yaml
- name: Checkout repository
  uses: actions/checkout@v2
  with:
    fetch-depth: 0  # semantic-release needs access to all previous commits
    token: ${{ secrets.PAT }}
```

#### Avoid workflow recursion

Since our release job is pushing a commit to the main branch there is a possibility of workflow recursion.

Github Actions deals with this automatically if the per-workflow Github token is used. We are using an admin PAT so will have to deal with recursion ourselves.

To avoid that we add an `if` condition to the release job so that it is skipped if the top commit is authored by `semantic-release`, the user which python-semantic-release uses to push the bumped version commit.

```yaml
release:
  if: github.event.commits[0].author.name != 'semantic-release'
```
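Putting the checkout step and the recursion guard together, here is a complete release workflow as an added example (not the project's own workflow file). It assumes the file lives at `.github/workflows/release.yml`, that python-semantic-release is installed from PyPI and run through its `semantic-release version` CLI command (v8+ behaviour: bump, changelog, commit, tag and push in one step), that it reads the `GH_TOKEN` environment variable for GitHub API calls, and that the pinned action versions (`actions/checkout@v4`, `actions/setup-python@v5`) and the Python version are placeholders you adjust to your project. The workflow's own `GITHUB_TOKEN` is kept read-only because all pushes go through the PAT.

```yaml
# .github/workflows/release.yml (added example; path and action versions are assumptions)
name: release

on:
  push:
    branches: [main]

jobs:
  release:
    runs-on: ubuntu-latest
    # Guard from "Avoid workflow recursion": the version-bump commit that this job
    # pushes is authored by "semantic-release", so the run it triggers is skipped.
    if: github.event.commits[0].author.name != 'semantic-release'
    # The PAT carries the bypass permission, so the per-workflow token stays minimal.
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0            # semantic-release needs the full history to compute the bump
          token: ${{ secrets.PAT }} # PAT (not GITHUB_TOKEN) so the push can bypass branch protection

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.12"    # assumption: pick the version your project supports

      - name: Bump version, update changelog, commit, tag and push
        env:
          GH_TOKEN: ${{ secrets.PAT }}  # assumption: PSR reads GH_TOKEN for GitHub API access
        run: |
          python -m pip install --upgrade pip python-semantic-release
          semantic-release version
```

Because `actions/checkout` persists the token it was given into the repository's git credentials, the `git push` that `semantic-release version` performs uses the PAT and therefore succeeds against the protected branch; the `permissions` block ensures that nothing else in the job can write to the repository with the workflow token.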

## PyPI Publication

  1. Login to https://test.pypi.org/

  2. Select your project

  3. Click on the Manage button

  4. In the left-pane click Publishing

  5. Enable two-factor authentication (this is prerequisite for using Trusted Publishers)

  6. Github is currently the only trusted publisher. Configure it:

    1. Owner: abid-mujtaba
    2. Repository: testing-fixtures
    3. Workflow name: deploy.yml (should be inside .github/workflows/)
    4. No environment set
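A matching `deploy.yml` that uses the Trusted Publisher configured above, as an added example rather than the project's own workflow. Trusted Publishing exchanges a short-lived OIDC token from the workflow run for a PyPI upload token, so the job needs the `id-token: write` permission and no stored PyPI API token. The owner, repository name and workflow file name are the ones from the list above; the trigger (a `v*` tag push), the action versions and the Python version are assumptions, and no `environment:` key is set, matching step 6.4.

```yaml
# .github/workflows/deploy.yml (added example; trigger and action versions are assumptions)
name: deploy

on:
  push:
    tags:
      - "v*"   # assumption: release tags look like vX.Y.Z

jobs:
  publish:
    runs-on: ubuntu-latest
    # id-token: write lets the job mint the OIDC token that TestPyPI verifies against
    # the Trusted Publisher entry (owner abid-mujtaba, repo testing-fixtures, workflow deploy.yml).
    permissions:
      id-token: write
      contents: read
    # No "environment:" key here, matching "No environment set" in the publisher configuration.
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumption

      - name: Build sdist and wheel
        run: |
          python -m pip install --upgrade build
          python -m build

      - name: Publish to TestPyPI via Trusted Publishing
        uses: pypa/gh-action-pypi-publish@release/v1
        with:
          repository-url: https://test.pypi.org/legacy/   # drop this line to publish to pypi.org
```

If the Trusted Publisher entry on TestPyPI does not exactly match the owner, repository and workflow file name of the run requesting the token, the upload step fails with an authentication error, which is the intended behaviour: only the configured workflow in the configured repository can publish.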