OpenImageIO icon indicating copy to clipboard operation
OpenImageIO copied to clipboard
verified publisher icon AcademySoftwareFoundation

ci: Automatically push updates to stubs to the current branch

Open chadrik opened this issue 9 months ago • 5 comments

Description

This simplifies developer workflow by automatically pushing freshly built stubs to the current branch for review.

Tests

Checklist:

  • [x] I have read the contribution guidelines.
  • [ ] I have updated the documentation, if applicable. (Check if there is no need to update the documentation, for example if this is a bug fix that doesn't change the API.)
  • [ ] I have ensured that the change is tested somewhere in the testsuite (adding new test cases if necessary).
  • [ ] If I added or modified a C++ API call, I have also amended the corresponding Python bindings (and if altering ImageBufAlgo functions, also exposed the new functionality as oiiotool options).
  • [x] My code follows the prevailing code style of this project. If I haven't already run clang-format before submitting, I definitely will look at the CI test that runs clang-format and fix anything that it highlights as being nonconforming.

chadrik avatar Jun 14 '25 04:06 chadrik

I'm not sure I understand the security implications of this approach.

lgritz avatar Jun 14 '25 05:06 lgritz

I'm not sure I understand the security implications of this approach.

I'm not totally sure either, tbh. Once I get it working I'll explore finer grained permissions, unless you'd like me to stop.

This approach was inspired by some feedback from @zachlewis over at https://github.com/AcademySoftwareFoundation/OpenColorIO/pull/2162#issuecomment-2970617821

I don't have permissions to run any CI in that repo, so I thought I'd test it out here.

chadrik avatar Jun 14 '25 15:06 chadrik

Status update.

My goal is to push updates to the pull request branch in my fork.

I got pretty close to making this work, but I think I've reached an impasse.

First, I configured the checkout action to pull from my origin and checkout my branch (the default behavior fetches the forked source in a way that hides the fork url and branch name).

I'm using https://github.com/stefanzweifel/git-auto-commit-action action to auto-commit-and-push changes, and it's doing what I expect -- pushing to my fork and branch -- but it fails with a permissions issue:

remote: Permission to chadrik/oiio.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/chadrik/oiio/': The requested URL returned error: 403

The PR is set to allow pushes from maintainers, but apparently the actions bot does not count. I'm not sure how to get past this, but it might require me to setup a personal access token, which would make this workflow prohibitively cumbersome.

Some alternatives to pursue:

  • use pull_request_target trigger instead of pull_request. This runs with the full perms of the base repo, but it's considered a major security threat. More info here
  • Use autofix-ci. This seems designed to solve exactly this problem and it's free for open source projects.

chadrik avatar Jun 15 '25 04:06 chadrik

@chadrik, I'm still a little nervous about a fully automatic push to the PR author's branch (50% - will they not like that; 50% - is there any way somebody can abuse it to push things to our own repo before a merge?). But in this Slack conversation, @JeanChristopheMorinPerso outlines a way where, after a PR fails for this particular reason, we could add a tag that would run a special "fix stubs" workflow that would do the fix, push the branch to the author to amend the PR, and then remove the tag.

Not sure how you feel about that approach, or if you fully understand how to do it (I get it conceptually but would probably have to do a lot of documentation reading and trial-and-error to know how to implement it, because I'm a workflow newbie), but it feels to me like it's inherently safer to require that minor manual step to kick off the fixing and pushing, rather than it being completely automatic and irreversible simply upon receipt of the PR.

OTOH, if @JeanChristopheMorinPerso is not concerned about the security of the "automatic" approach (he both knows more than me about this and seems pretty conservative about it), then I guess I'm willing to go along with that if nobody voices a concern.

lgritz avatar Jun 19 '25 00:06 lgritz

I'm using https://github.com/stefanzweifel/git-auto-commit-action action to auto-commit-and-push changes, and it's doing what I expect -- pushing to my fork and branch -- but it fails with a permissions issue:

remote: Permission to chadrik/oiio.git denied to github-actions[bot].
fatal: unable to access 'https://github.com/chadrik/oiio/': The requested URL returned error: 403

The PR is set to allow pushes from maintainers, but apparently the actions bot does not count. I'm not sure how to get past this, but it might require me to setup a personal access token, which would make this workflow prohibitively cumbersome.

Yes. The GHA token has relatively limited permissions and it can't impersonate you. One way to solve this is to use a PAT like you said. Another way is to create an app, grant it appropriate permissions and I think that would remove some maintenance burden (since the app token would never expire, as opposed to a PAT). But that requires the use of pull_request_target.

JeanChristopheMorinPerso avatar Jun 20 '25 02:06 JeanChristopheMorinPerso