restrict how the azure-preview-env-deploy.yml workflow runs
Code of Conduct
- [X] I have read and agree to the GitHub Docs project's Code of Conduct
What article on docs.github.com is affected?
This isn't specific to any particular article.
What changes are you suggesting?
This workflow: https://github.com/github/docs/blob/main/.github/workflows/azure-preview-env-deploy.yml (and quite possibly others) should be changed so that it checks to see if it has enough secrets to run in the repository in which it's running, and if not, quit gracefully.
(Alternatively, it could only run if the repository is github/docs or the internal repository...)
Additional information
There was a user who tried to make a pull request into their own fork of github/docs, and the results were not good:
https://github.com/jaystyles/docs/runs/6728372344?check_suite_focus=true
https://github.com/jaystyles/docs/runs/6729214425?check_suite_focus=true
...
https://github.com/jaystyles/docs/runs/6753841425?check_suite_focus=true
...
https://github.com/jaystyles/docs/runs/6771319636?check_suite_focus=true
https://github.com/jaystyles/docs/runs/6771735158?check_suite_focus=true
https://github.com/jaystyles/docs/runs/6775149948?check_suite_focus=true
...
https://github.com/jaystyles/docs/runs/6787590305?check_suite_focus=true
...
@jsoref Thanks so much for opening an issue! I'll triage this for the team to take a look :eyes:
I'm moving this from the content review board to the engineering review board.
@jsoref thanks for reporting this. I've opened an internal issue with this bug report.
@jsoref can you provide additional details about the failures you're seeing? A PR reference would help. The azure-preview-env-deploy.yml workflow does have sufficient secret access to deploy on forks of github/docs. If there are failures, there may be another reason.
@rachmari: https://github.com/jsoref/github-docs/actions/runs/2794120405
Grumble
@jsoref sorry for not circling back around to this sooner. We took a look at this as a team and we think that this is part of an issue we're tracking where an intermittent issue with Azure creates a failed workflow run. This doesn't happen in a repeatable way but the workaround for this is to close the pull request and reopen it. The workflow does have the proper credentials needed to run the workflow in a fork of github/docs.
I'm sorry that you ran into this issue.
@rachmari: you can trivially reproduce this by forking this repository, enabling actions, and then updating the repository.
The way to fix this is to have some code that looks for secrets and then does things if they have the secret...
One fancy example of this is here: https://github.com/commercialhaskell/stack/blob/557174b57aaf8a78b6a88ba79c1d5fc30e87a4c1/.github/workflows/integration-tests.yml#L150-L173 https://github.com/commercialhaskell/stack/blob/557174b57aaf8a78b6a88ba79c1d5fc30e87a4c1/.github/workflows/integration-tests.yml#L239-L240
I'm happy to write work for this, but I wouldn't w/o people expressing a willingness to accept a PR...
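An added illustration of the two guards proposed in this issue, not part of the original thread and not the github/docs workflow: a job-level repository check plus a step that tests whether the deployment secret is present and skips the deploy when it is not. The workflow name, the secret `EXAMPLE_DEPLOY_CREDENTIALS` and the script `example-deploy.sh` are hypothetical placeholders.

```yaml
# Added example workflow; every name below is a placeholder, not taken from github/docs.
name: Preview deploy (example)

on:
  pull_request:

# Least privilege for the job's GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  deploy-preview:
    # Guard 1: skip the whole job outside the repository that owns the credentials.
    # Runs in forks then show as "skipped" instead of "failed".
    if: github.repository == 'github/docs'
    runs-on: ubuntu-latest
    steps:
      # Guard 2: the secrets context cannot be used in a job-level `if`,
      # so map the secret into an env var and test it in a step.
      # A secret that is not configured evaluates to an empty string.
      - name: Check whether deployment credentials are available
        id: creds
        env:
          DEPLOY_CREDENTIALS: ${{ secrets.EXAMPLE_DEPLOY_CREDENTIALS }}
        run: |
          if [ -n "$DEPLOY_CREDENTIALS" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
            echo "::notice::Deployment credentials are not configured; skipping deploy."
          fi

      - name: Check out code
        if: steps.creds.outputs.available == 'true'
        uses: actions/checkout@v4

      - name: Deploy preview environment
        if: steps.creds.outputs.available == 'true'
        env:
          DEPLOY_CREDENTIALS: ${{ secrets.EXAMPLE_DEPLOY_CREDENTIALS }}
        run: ./example-deploy.sh  # hypothetical deploy script
```

The secret check stays useful even with the repository guard in place, because `pull_request` runs triggered from a fork do not receive repository secrets.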
@jsoref sorry, I may be missing something. GitHub Actions are enabled by default when you create a fork of github/docs. When I create a pull request all of the workflows run as expected and have the permissions they need, because the credentials needed are stored in the github/docs repo, not your fork. The Azure Preview deploy workflow only runs when you are creating a pull request against the github/docs repo, otherwise it is skipped entirely.
See this line here: https://github.com/github/docs/blob/main/.github/workflows/azure-preview-env-deploy.yml#L53
Have you tried reproducing your steps with the most up-to-date code in github/docs? I'm wondering if you're referencing old code that didn't use to perform this check.
I create PRs into my forks of this repo, not just into github/docs.
Anyway, here you can see all the times it has run in one of my forks: https://github.com/jsoref/github-docs/actions/workflows/azure-preview-env-deploy.yml
Looks like this may have been fixed by https://github.com/github/docs/commit/7b4429418b8d824dd64e1f9d681c0e96cd5854d2 which was clearly a long time after this issue was opened.
@jsoref sorry for the confusion. I didn't start looking into this issue until after the fix was put in place, which is why we couldn't reproduce this.
It sounds like this issue should be resolved on your end as long as you update your fork with github/docs.
No worries. I'm used to things not being fixed until I fix them.