
Add CI

Open sagudev opened this issue 3 weeks ago • 5 comments

sagudev avatar Dec 02 '25 05:12 sagudev

Thanks for the pull request, but I'm afraid this CI will eat most of the action limits (since I used to push commits too often). I need them for the VirusTotal workflow.

yuliskov avatar Dec 04 '25 00:12 yuliskov

Thanks for the pull request, but I'm afraid this CI will eat most of the action limits (since I used to push commits too often). I need them for the VirusTotal workflow.

What limits? Public repos have unlimited action minutes, they are just limited with concurrency: https://docs.github.com/en/billing/concepts/product-billing/github-actions#free-use-of-github-actions (read the end of paragraph) and https://docs.github.com/en/actions/reference/limits#job-concurrency-limits-for-github-hosted-runners.

sagudev avatar Dec 04 '25 04:12 sagudev

The doc says 2000 minutes per month

Regards, Yuriy

On Thu, Dec 4, 2025, 06:13 Sam @.***> wrote:

sagudev left a comment (yuliskov/SmartTube#5155) https://github.com/yuliskov/SmartTube/pull/5155#issuecomment-3610004807

Thanks for the pull request, but I'm afraid this CI will eat most of the action limits (since I used to push commits too often). I need them for the VirusTotal workflow.

What limits? Public repos have unlimited action minutes, they are just limited with concurrency: https://docs.github.com/en/billing/concepts/product-billing/github-actions#free-use-of-github-actions (read the end of paragraph) and https://docs.github.com/en/actions/reference/limits#job-concurrency-limits-for-github-hosted-runners .


yuliskov avatar Dec 04 '25 04:12 yuliskov

The doc says 2000 minutes per month

This is for private repos, not public (see the end of paragraph). Although I admit they worded it weirdly on their page. See also https://github.com/orgs/community/discussions/70492 for clarification.

If you do not believe me or the docs, you can just try and see that you do not use any minutes. Here is mine: [image] and I run CI in many (public) repos.

sagudev avatar Dec 04 '25 05:12 sagudev

The doc says 2000 minutes per month Regards, Yuriy

@yuliskov

Hi Yuriy, I double-checked GitHub's pricing and limits:

  • Public repos get unlimited minutes on standard GitHub-hosted runners, so CI runs won't eat into a 2000 minute cap.

  • What is limited is concurrency: free plan supports up to 20 concurrent jobs. GitHub Docs

In other words, we can safely run CI on this public repo without worrying about running out of minutes. If queueing becomes an issue, we can tweak workflows by avoiding parallel jobs or request a concurrency increase.

I see no issues in adding this CI. I'd gladly help with any issues.


Just for testing I've added a release.yml CI and tested on my fork

The workflow: https://github.com/ManuLinares/SmartTube/blob/pr-5155/.github/workflows/release.yml

When I "draft a new release", it created this: https://github.com/ManuLinares/SmartTube/releases/tag/30.59

ManuLinares avatar Dec 07 '25 23:12 ManuLinares

I'll merge this later. Need to handle the main things right now.

yuliskov avatar Dec 13 '25 06:12 yuliskov

I don't think the logic adds up. This should be low hanging fruit, and a priority given the recent events, unless I'm missing something.

WichoGZF avatar Dec 13 '25 15:12 WichoGZF

I don't think the logic adds up. This should be low hanging fruit, and a priority given the recent events, unless I'm missing something.

This PR will not fix the security problem, but it should lay some groundwork for making signed builds in CI, which if done correctly can be more secure.

With that being said, I do not think this is really low-hanging fruit, as CI is hard to get right and secure.

It is unusual to close a PR with a plan to merge it later, as it can be forgotten, but each person has their own workflow.

sagudev avatar Dec 13 '25 16:12 sagudev

I don't think the logic adds up. This should be low hanging fruit, and a priority given the recent events, unless I'm missing something.

This PR will not fix the security problem, but it should lay some groundwork for making signed builds in CI, which if done correctly can be more secure.

With that being said, I do not think this is really low-hanging fruit, as CI is hard to get right and secure.

It is unusual to close a PR with a plan to merge it later, as it can be forgotten, but each person has their own workflow.

I suppose you're right. Though I meant it as in, this PR is low hanging fruit, given it works.

Admittedly I'm not that acquainted with GHA pipelines sec. But it just seems odd to me that this would be closed, given the actual alternative is making builds in the developer's hardware, which caused the compromise in the first place.

WichoGZF avatar Dec 13 '25 16:12 WichoGZF

@WichoGZF this CI just tests that the code can be compiled. It does not create any real build that anyone can use. Given this, I think your point is incorrect, but I can re-enable it if you're asking.

yuliskov avatar Dec 13 '25 18:12 yuliskov

This PR does actually create (unsigned) apks available for download, but as action artifacts not as release.

sagudev avatar Dec 13 '25 18:12 sagudev

An action can create a release. https://github.com/marketplace/actions/create-a-release-in-a-github-action It could be a manual action done when needed. But then the signing needs to be figured out.

rvk01 avatar Dec 13 '25 19:12 rvk01

ok. merged, guys

yuliskov avatar Dec 13 '25 19:12 yuliskov

Thank you yuliskov and sagudev!

dinho1903 avatar Dec 13 '25 21:12 dinho1903