Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow to Use Custom Git Actor for Bundled JS Output #14

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Allow to Use Custom Git Actor for Bundled JS Output #14

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8f06c53
feat: allow to use custom actor
DavideIadeluca Oct 18, 2024
39874e6
chore: new inputs
DavideIadeluca Oct 19, 2024
f1fd2f0
docs: add tutorial section
DavideIadeluca Oct 19, 2024
db7012b
chore: minor doc fix
DavideIadeluca Nov 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 69 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ jobs:
Here is a full list of options available using the `with` syntax:

| Name | Required | Description | Example | Default |
|------------------------| -------- |-------------------------------------------------------------------------------------------------------------------------|-------------------------------| ------- |
| ---------------------- | -------- | ----------------------------------------------------------------------------------------------------------------------- | ----------------------------- | ------- |
| `github_token` | Yes | Your Actions GitHub token. The example value should work for this by default. | `${{ secrets.GITHUB_TOKEN }}` | None |
| `build_script` | Yes | The `package.json` script to run to build your extension JS. | `build` | `build` |
| `build_typings_script` | No | If defined, runs the script of this name in `package.json` to build typings for your extension. | `build-typings` | Unset |
Expand All @@ -49,13 +49,81 @@ Here is a full list of options available using the `with` syntax:
| `do_not_commit` | No | Set to `true` to NOT commit the built JS/Typings. Useful for validating JS source. | `false` | `false` |
| `checks` | No | An array of strings, where each is a script that should be run before committing built js. | `false` | `false` |
| `commit_all_dirty` | No | Set to `true` to commit all file changes, not just files in the dist JS directory. | `false` | `false` |
| `git_actor_name` | No | Allows to set a different username (normally `flarum-bot`) for the actor which commits the bundles JS. | `acme-bot` | Unset |
| `git_actor_email` | No | Allows to set a different email for the actor which commits the bundled JS. | `[email protected]` | Unset |

### Assumptions

Your Javascript must be in a `js` folder, similar to how Flarum core and Flarum's first-party extensions are laid out.

If building typings, we assume that they are built to `js/dist-typings`, as set in the example `tsconfig.json` found on the [flarum-tsconfig](https://github.com/flarum/flarum-tsconfig).

## Setting Up Custom Git Actor for Frontend Workflow

This guide helps you configure a custom Git actor in your extension's frontend workflow, specifically useful if your organization enforces branch protection rules requiring pull requests for changes to the default branch.

### Basic Configuration (Light Version)

To change the actor committing bundled JS in your workflow:

1. Add `git_actor_name` and `git_actor_email` inputs to your workflow file.
2. These values can represent either a real GitHub user or a fictional one.
3. If using a real user, it's recommended to use the GitHub-provided email for privacy-enabled accounts.

Example:

```yaml
name: ACME Foobar JS

on: [workflow_dispatch, push, pull_request]

jobs:
run:
uses: flarum/framework/.github/workflows/[email protected]
with:
enable_prettier: true
...
git_actor_name: acme-bot
git_actor_email: [email protected]
```

### Advanced Configuration (With Branch Protection Rules)

If you also want to enforce branch protection and allow a custom actor to bypass pull requests:

1. Create a dedicated CI GitHub account with admin permissions in your organization.
2. Generate a Personal Access Token for the CI account:

- Go to [GitHub Tokens](https://github.com/settings/tokens/new) and create a new token with repo and workflow scopes.

3. Add the token as a secret in your repository.
4. Use the real CI account's username and email in your workflow.

When setting branch protection rules, make sure not to enable "Do not allow bypassing the above settings" as this would block automated commits from the CI actor.

```yml
name: ACME Foobar JS

on: [workflow_dispatch, push, pull_request]

jobs:
run:
uses: flarum/framework/.github/workflows/[email protected]
with:
enable_prettier: true
..
git_actor_name: ci-bot
git_actor_email: [email protected]

secrets:
git_actor_token: ${{ secrets.GIT_ACTOR_TOKEN }}
```

### Important Notes

- Avoid the "Do not allow bypassing the above settings" option when setting up branch protection, or your CI actor won’t be able to commit the bundled JS.
- Make sure other rules or permissions don't block the CI account from making automated commits.

## Only Build on Master

If you only want to run the workflow when commits are pushed to the `master` branch, change `on: push` to the following:
Expand Down
6 changes: 6 additions & 0 deletions action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,3 +43,9 @@ inputs:
description: Set to `true` to commit all file changes, not just files in the dist JS directory.
default: 'false'
required: false
git_actor_name:
description: The name of the git actor to use for the bundled JS output.
required: false
git_actor_email:
description: The email of the git actor to use for the bundled JS output.
required: false
11 changes: 6 additions & 5 deletions src/jobs/commitChangesToGit.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,13 @@ export default async function commitChangesToGit(jp: FSJetpack): Promise<void> {
maxConcurrentProcesses: 1,
};

const gitActorName = core.getInput('git_actor_name', { required: false, trimWhitespace: true }) || 'flarum-bot';
const gitActorEmail = core.getInput('git_actor_email', { required: false, trimWhitespace: true }) || '[email protected]';

const config = {
author: {
name: 'flarum-bot',
email: '[email protected]',
name: gitActorName,
email: gitActorEmail,
},
};

Expand Down Expand Up @@ -61,11 +64,9 @@ Includes transpiled JS/TS${core.getInput('build_typings_script') !== '' ? ', and

[skip ci]`);

const token = core.getInput('github_token', { required: true, trimWhitespace: true });

debugLog(`** Pushing commit`);

await git.addRemote('upstream', `https://${process.env.GITHUB_ACTOR}:${token}@github.com/${process.env.GITHUB_REPOSITORY}.git`);
await git.addRemote('upstream', `https://github-actions:${process.env.GITHUB_TOKEN}@github.com/${process.env.GITHUB_REPOSITORY}.git`);
Comment on lines -64 to +69
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this changed because the github token parameter is no longer necessary?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The token is still necessary, but it is fetched in another way. If a workflow provides a custom git_actor_token, then that token will be used instead of the default GITHUB_TOKEN.

REUSABLE_frontend.yml:

steps:
    - name: Check out code
      uses: actions/checkout@v4
      with:
        token: ${{ secrets.git_actor_token != '' && secrets.git_actor_token || secrets.GITHUB_TOKEN }}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sorry I don't get it. there is no git_actor_token for this action build though, it seems like the github_token parameter is no longer used after this PR, but is still documented. Though I still can't tell if it's no longer necessary here because the new upstream link doesn't require passing a token from the origin repo:

https://${process.env.GITHUB_ACTOR}:${token}@github.com/${process.env.GITHUB_REPOSITORY}.git

vs

https://github-actions:${process.env.GITHUB_TOKEN}@github.com/${process.env.GITHUB_REPOSITORY}.git

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The github_token will continue to be used after this PR.

Let's say an extension provides the new git_actor_token secret to the REUSABLE_frontend.yml workflow of core. At https://github.com/flarum/framework/pull/4099/files#diff-8f0cab030414f9e64c7444c9011370f3435c52893686c91babdb72810568b0dcR136-R137 we are checking if that token is provided or not. If yes, the GITHUB_TOKEN will be reassigned with the value of the token provided by the extension. If not, the default GITHUB_TOKEN will be used.

About the upstream link; If I recall correctly, It didn't actually make a difference if I used ${process.env.GITHUB_ACTOR} or github-actions: for the upstream link during testing. Using github-actions: felt cleaner to me.

Does that make sense?

Copy link
Member

@SychO9 SychO9 Nov 2, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@DavideIadeluca sorry but you keep linking to the part of the workflow about actions/checkout, but this is about actions/build

https://github.com/flarum/framework/pull/4099/files#diff-8f0cab030414f9e64c7444c9011370f3435c52893686c91babdb72810568b0dcR165

  1. we are still passing the same github_token, even though the changes here remove that parameter
  2. github_token is still documented in this repository as a usable parameter, but the line the comments are directed at, remove its usage.

I am still confused whether github_token the parameter for this action flarum/action-build@v4 which is this repository (not actions/checkout@v4) is still needed/can be completely removed, or why the removal is done.

I understand everything else about the git actor, just the github_token parameter is still confusing to me. As this PR leaves it in a state of documented and supplied by the fremework but not actually used by the action itself

I may be forgetting something, what's the relation between the token passed to the checkout action and this build action?

 steps:
      - name: Check out code
        uses: actions/checkout@v4
        with:
          token: ${{ secrets.git_actor_token != '' && secrets.git_actor_token || secrets.GITHUB_TOKEN }}

...

- name: JS Checks & Production Build
        uses: flarum/action-build@v4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}


log(`${status}`);

Expand Down