Generate and use token from GH App #114
👋 Thanks for opening this PR! The site will be automatically built with GitHub Actions. To see the status of your deployment, click below.
Sounds like a reasonable and safe way to test this PAT method. Thanks Drew
@ProjectPythia/infrastructure if a second reviewer wants to sign off on this please do, else I'll plan to merge at the end of the day today so we can try out the workflows for getting cookbooks added to the gallery later this week.
I can't claim to understand how this all works, but the idea seems sound. I think you should go ahead with the testing @dcamron!
Ugh, I really wish GitHub would make an easier official way to deal with this.
We currently rely on individual users' Personal Access Tokens (PATs) in place of the default `GITHUB_TOKEN` for our workflows that submit PRs that themselves kick off additional workflows (a documented limitation of `GITHUB_TOKEN`.) PATs can be somewhat flimsy and risky, especially as collaborators come and go, and require individuals to task themselves with generating and updating these secrets.

Owners can see in the Pythia Organization settings that I've created a new `Pythia PR Machine` GitHub App. This app has the appropriate (and limited) access to our org and this repo to generate tokens that should work for these workflows. The app must be installed to the particular repo where the token is needed, and appropriate app secrets must be provisioned in the settings. If this works as intended, I'll document that process for other org owners.

I haven't recreated the machinery elsewhere to test this elsewhere; I figure we review and merge this, and we can test this as part of submitting `gridding-cookbook` to the gallery.
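
The pattern described above, sketched as an added example that is not the workflow changed in this PR: a job exchanges GitHub App credentials for a short-lived installation token and opens the PR with it, so the PR can trigger further workflows without anyone's PAT. The secret names `APP_ID` and `APP_PRIVATE_KEY`, the branch name, and the choice of `actions/create-github-app-token` and `peter-evans/create-pull-request` are assumptions, not taken from this repository.

```yaml
# Added illustration; not the workflow from this PR.
# APP_ID / APP_PRIVATE_KEY are assumed secret names holding the app's ID and private key.
name: submit-pr-with-app-token
on:
  workflow_dispatch:

permissions:
  contents: read   # keep the default GITHUB_TOKEN minimal; the app token does the writes

jobs:
  open-pr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Before: a collaborator's long-lived PAT stored as a repo secret, e.g.
      #   token: ${{ secrets.SOME_USER_PAT }}   # hypothetical name
      # After: mint an installation token at run time. With no owner/repositories
      # inputs it is scoped to the current repository, and the app must be
      # installed on that repository for the exchange to succeed.
      - name: Generate token from GitHub App
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.APP_ID }}
          private-key: ${{ secrets.APP_PRIVATE_KEY }}

      # Stand-in for whatever change the real workflow proposes.
      - name: Make a change to propose
        run: date -u +%Y-%m-%d > last-run.txt

      # A PR opened with the app token is attributed to the app, and unlike one
      # opened with GITHUB_TOKEN it triggers the repository's on: pull_request workflows.
      - name: Open pull request as the app
        uses: peter-evans/create-pull-request@v6
        with:
          token: ${{ steps.app-token.outputs.token }}
          branch: automation/example-update
          title: Example automated update
          commit-message: Example automated update
```

The app's private key is the only long-lived credential left; it belongs to the organization rather than to a person, so it survives collaborator turnover and can be rotated in the app settings.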