test-infra icon indicating copy to clipboard operation
test-infra copied to clipboard

Published 20 hours ago verified publisher icon kubernetes

Run `hook` as a GitHub action

Open BobyMCbobs opened this issue 3 years ago • 13 comments

What would you like to be added: support for Hook to be run as a GitHub action

Why is this needed: CNCF projects need Prow features without the complexity of Prow

ii is doing some POC'ing over here

  • https://github.com/cncf-infra/prow-github-action
  • https://github.com/cncf-infra/mock-project-repo

/cc @hh @Riaankl @RobertKielty /assign @BobyMCbobs @hh @Riaankl @RobertKielty

BobyMCbobs avatar Aug 16 '22 23:08 BobyMCbobs

/sig k8s-infra

Update: this is wrong! Where does it belong? @hh

BobyMCbobs avatar Aug 16 '22 23:08 BobyMCbobs

/unsig k8s-infra

BobyMCbobs avatar Aug 16 '22 23:08 BobyMCbobs

/sig nil

BobyMCbobs avatar Aug 16 '22 23:08 BobyMCbobs

@BobyMCbobs: The label(s) sig/nil cannot be applied, because the repository doesn't have them.

In response to this:

/sig nil

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Aug 16 '22 23:08 k8s-ci-robot

Plan of action:

  • build out a implementation of hook/server.go
  • given /github/workflow/event.json and sufficient auth, create a http server using httptest and call the endpoint

Thoughts @hh?

BobyMCbobs avatar Aug 17 '22 00:08 BobyMCbobs

I like this

hh avatar Aug 17 '22 00:08 hh

httptest would get the plumbing up the quickest I think.

Alternatively we could create prow/cmd/pga as a rewrite of demuxEvent() that reads the payload from GITHUB_EVENT_PATH and directly switches on GITUB_EVENT_NAME calling the appropriate handleFOOEvent()

From https://docs.github.com/en/github-ae@latest/actions/learn-github-actions/environment-variables#default-environment-variables :

GITHUB_EVENT_NAME The name of the event that triggered the workflow. For example, workflow_dispatch. GITHUB_EVENT_PATH The path to the file on the runner that contains the full event webhook payload. For example, /github/workflow/event.json.

Lift the case statement from demuxEvent() as prow/cmd/pga as the action: https://github.com/kubernetes/test-infra/blob/master/prow/hook/server.go#L91-L176

hh avatar Aug 17 '22 01:08 hh

GITHUB_TOKEN permissions in pull requests

  • From https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#pull_request_target

This event runs in the context of the base of the pull request, rather than in the context of the merge commit, as the pull_request event does. This prevents execution of unsafe code from the head of the pull request that could alter your repository or steal any secrets you use in your workflow. This event allows your workflow to do things like label or comment on pull requests from forks. Avoid using this event if you need to build or run code from the pull request. Warning: For workflows that are triggered by the pull_request_target event, the GITHUB_TOKEN is granted read/write repository permission unless the permissions key is specified and the workflow can access secrets, even when it is triggered from a fork.

Startup Time

Can we streamline to quickly and directly call the event handlers rather than starting up a web server?

API Limits

  • From https://docs.github.com/en/actions/learn-github-actions/usage-limits-billing-and-administration#usage-limits :

API requests - You can execute up to 1000 API requests in an hour across all actions within a repository. If exceeded, additional API calls will fail, which might cause jobs to fail.

hh avatar Aug 17 '22 01:08 hh

/sig testing

palnabarun avatar Aug 17 '22 04:08 palnabarun

Startup Time Can we streamline to quickly and directly call the event handlers rather than starting up a web server?

Sounds good to me I will take a look.

RobertKielty avatar Aug 17 '22 20:08 RobertKielty

Had an offline chat with @hh, and posting what we had discussed here for visibility:

Overall I think this is an interesting idea, I’m not seeing any obvious blocker yet other than a few thoughts:

  • Prowjobs related plugins will not be supported and I guess that’s expected right?

[hh] No prowjobs at this time. Long term, we might look into creating something that suggests PRs to create GHA in .github/workflows/ for repos similar to configured prow job definitions.

  • I’m not entirely sure how GitHub webhook would work in GitHub actions, if it’s free then it would be awesome.

[hh] It would be free We are working with GitHub to allow all CNCF projects to join our GitHub enterprise account and get much higher free limits

  • In terms of configurations, would it be easier for the plugin config either be stored in repo such as .prow/plugin.yaml or as action param?

[hh] I think we'd like it to have a working default config that could be overwritten with either of those options.

chaodaiG avatar Aug 19 '22 14:08 chaodaiG

I'm excited that a project should only need to add a single ~/.github/workflows/prow-hook-handler.yaml file to each repo and no other configuration to use most of the prow plugins.

  • https://github.com/kubernetes/test-infra/tree/master/prow/plugins

Particularly the ones with repo and GitHub-only interactions (only needing GITHUB_TOKEN) and not prow-jobs or external services (other secrets).

We'll have to see how quickly we approach the unchangeable limit of up to 1000 API requests in an hour across all actions within a repository and notify the project somehow when we get close / hit this limits and find a path forward for projects as they grow.

/cc @onlydole @carolynvs @parispittman

hh avatar Aug 20 '22 14:08 hh

Conversations about Community Infrastructure, including the desire of prow beyond Kubernetes from @carolynvs on the TAG Contributor Strategy Livestream: https://youtu.be/Ei2Q5q1DPPA?t=1070

hh avatar Aug 20 '22 15:08 hh

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Nov 18 '22 16:11 k8s-triage-robot

/remove-lifecycle stale

hh avatar Nov 18 '22 16:11 hh

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Feb 16 '23 16:02 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

k8s-triage-robot avatar Mar 18 '23 16:03 k8s-triage-robot

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

k8s-triage-robot avatar Apr 17 '23 17:04 k8s-triage-robot

@k8s-triage-robot: Closing this issue, marking it as "Not Planned".

In response to this:

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Reopen this issue with /reopen
  • Mark this issue as fresh with /remove-lifecycle rotten
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/close not-planned

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Apr 17 '23 17:04 k8s-ci-robot