flatpak-external-data-checker icon indicating copy to clipboard operation
flatpak-external-data-checker copied to clipboard
verified publisher icon flathub-infra

Improve custom workflow documentation and add an example

Open vchernin opened this issue 3 years ago • 10 comments

This adds an example in case wanting f-e-d-c to fork a repository to make PRs.

vchernin avatar Aug 05 '22 04:08 vchernin

Hmm, in what case one would want to push updates through a fork of a repo?

gasinvein avatar Aug 05 '22 08:08 gasinvein

The original use case was that the Endless instance of this bot did not have write access to the Flathub repos it monitored. But that use case is long gone!

wjt avatar Aug 05 '22 08:08 wjt

Hmm, in what case one would want to push updates through a fork of a repo?

As mentioned in the suggested README:

This may be preferred if you do not want the tool to have direct push access to the canonical repository.

I mostly wanted this since some repos may not want to give bots push access to their real repo. If the bot only has the ability to push to a fork and make PRs (like a normal user on GitHub would), it avoids bad things being pushed to the repo in case the bot was compromised or buggy.

vchernin avatar Aug 05 '22 14:08 vchernin

Hmm, in what case one would want to push updates through a fork of a repo?

As mentioned in the suggested README:

This may be preferred if you do not want the tool to have direct push access to the canonical repository.

Well, I believe this was intended for local or otherwise external f-e-d-c runs. If it's running from a GH workflow, I fail to understand why create a fork. Besides, a fork forces you to use a PAT, which are worse than automatic GITHUB_TOKENs from the security standpoint, since automatic tokens, as far as I'm aware, are one-time use, thus leaking them is less severe.

I mostly wanted this since some repos may not want to give bots push access to their real repo. If the bot only has the ability to push to a fork and make PRs (like a normal user on GitHub would), it avoids bad things being pushed to the repo in case the bot was compromised or buggy.

What's the bot in this case? If you mean the flathubbot, it has access to all flathub app repos anyway. And if it's a GH workflow in a non-flathub repo, then it's controlled by the repo owner anyway.

gasinvein avatar Aug 05 '22 15:08 gasinvein

Besides, a fork forces you to use a PAT, which are worse than automatic GITHUB_TOKENs from the security standpoint, since automatic tokens, as far as I'm aware, are one-time use, thus leaking them is less severe.

Yes the automatic GITHUB_TOKENs are one time use and certainly more ideal over a permanent one. But there is still a use case for using a PAT for a seperate user…

What's the bot in this case? If you mean the flathubbot, it has access to all flathub app repos anyway. And if it's a GH workflow in a non-flathub repo, then it's controlled by the repo owner anyway.

The use case I had in mind was to create a dummy bot user, for a non Flathub repo.

Yes the workflow is controlled by the repo owner, but that doesn’t prevent f-e-d-c or any other tool in the workflows from one day updating and being buggy, or other otherwise misusing their permission. By forcing the tool to push to a fork, it cannot change anything in the real repo without a reviewer accepting a PR from the bot user.

Giving permanent access to the PAT of a whole user is not ideal, but if the PAT is leaked the consequences are in my opinion not as severe compared to giving bots push access, as it is only a dummy bot user. It never had write access to anything but its own forked repo. Of course, that is only if users are following the recommendation to not use the dummy user for anything important.

Perhaps something like a GitHub app that can be added to the repo would serve this use case better than a PAT, but I’m not really familiar with how they work.

vchernin avatar Aug 05 '22 15:08 vchernin

Well, I guess someone may want such setup for some reason, but it's certainly something way too unusual to be worth adding to the readme, especially with a full-blown example workflow manifest. It will only add confusion.

gasinvein avatar Aug 05 '22 15:08 gasinvein

It will only add confusion.

Yeah this is inevitable with adding more examples. What do you think of splitting these workflows, perhaps putting this new one in a separate file, and then adding something like:

If you want to see some non-standard ways of configuring the workflow go to WORKFLOW_EXAMPLES.md.

below the original example in the main readme?

but it's certainly something way too unusual to be worth adding to the readme, especially with a full-blown example workflow manifest.

I still think it is somewhat useful to document given --always-fork exists and some of the configuration (namely persist-credentials: false) isn't easy to figure out if you don’t know what to look for.

vchernin avatar Aug 05 '22 15:08 vchernin

Honestly, I think it's not worth documenting with example at all. People doing something this uncommon probably either shouldn't need any examples, or shouldn't be doing it. So, I believe mentioning the --always-fork option and describing what it does should be enough.

gasinvein avatar Aug 05 '22 16:08 gasinvein

So, I believe mentioning the --always-fork option and describing what it does should be enough

By this you mean adding an additional line about --always-fork in the custom workflow section of the readme?

vchernin avatar Aug 05 '22 16:08 vchernin

So, I believe mentioning the --always-fork option and describing what it does should be enough

By this you mean adding an additional line about --always-fork in the custom workflow section of the readme?

Yes, I think this should be enough for this option.

gasinvein avatar Aug 05 '22 20:08 gasinvein