chore: modify preview deployment script to work with forks #13404
Conversation
… coder/coder repo Signed-off-by: Danny Kopping <danny@coder.com>
fb5f588 to
100433f
Compare
|
Does this make it work with forks and community contributors? We are using a few repo secrets in the deployment workflow, and I am not sure if this workflow allows forks to use the secret values. |
I don't think so (at least that was not my intent), it just modified so that PRs created using forks would work. |
Signed-off-by: Danny Kopping <danny@coder.com>
| - name: Check if actor is a member | ||
| run: | | ||
| set -euo pipefail | ||
| response=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/orgs/coder/members/${{ github.actor }}") |
There was a problem hiding this comment.
Are you sure this works in each case? For example, https://api.github.com/orgs/coder/members/matifali returns
{
"message": "User does not exist or is not a public member of the organization",
"documentation_url": "https://docs.github.com/rest/orgs/members#check-public-organization-membership-for-a-user"
}There was a problem hiding this comment.
It seems like it works for private members:
$ curl -s -H "Authorization: token $(gh auth token)" "https://api.github.com/orgs/coder/members/matifali" -v
...
< HTTP/2 204
...There was a problem hiding this comment.
There was a problem hiding this comment.
Yes, all works great. I was testing without the token and always getting a 302. Thank you for adding the check.
There was a problem hiding this comment.
It would be nice to test by deploying the current PR.
There was a problem hiding this comment.
I tried that in #13280 (where I originally had this fix) but GH didn't seem to use the new workflow. Is there a timeout maybe? I'll give it a try though.
There was a problem hiding this comment.
Damn, I tried to execute this but I got:
$ ./scripts/deploy-pr.sh -d -b -y
branchName: dk/fix-preview
prNumber: 13404
experiments:
build: true
deploy: true
could not create workflow dispatch event: HTTP 422: No ref found for: dk/fix-preview (https://api.github.com/repos/coder/coder/actions/workflows/60960476/dispatches)I think the branch has to be in the main repo.
Strange that I didn't get this before, though.
There was a problem hiding this comment.
Oh, looks like I must've pushed dk/verify-agent (the branch I was testing with previously) to the main repo somehow?
There was a problem hiding this comment.
I am noticing the same issue. It's deploying the previous branch I was working on. node-20
#13404 (comment)
|
I've opened #13405 to validate. |
|
Thank you. This is a good improvement. I plan to make this flow better sometimes #11331 |
|
I tried deploying this PR but its detecting the wrong branch and PR number gh pr checkout 13404
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 12 (delta 10), reused 12 (delta 10), pack-reused 0
Unpacking objects: 100% (12/12), 1.71 KiB | 877.00 KiB/s, done.
From https://github.com/coder/coder
* [new ref] refs/pull/13404/head -> dk/fix-preview
Switched to branch 'dk/fix-preview'
git status
On branch dk/fix-preview
nothing to commit, working tree clean
./scripts/deploy-pr.sh
Are you sure you want to deploy? (y/n) y
branchName: node-20
prNumber: 12921
experiments:
build: false
deploy: false
✓ Created workflow_dispatch event for pr-deploy.yaml at node-20
To see runs for this workflow, try: gh run list --workflow=pr-deploy.yaml |
Weird, it works for me: $ gh pr status --repo=coder/coder --json headRefName,number --jq '.createdBy[0]' | cat
{"headRefName":"dk/fix-preview","number":13404} |
|
Strangely for me but |
|
Looking into it, |
|
Can you try this @matifali? $ gh pr list --repo=coder/coder -H $(git rev-parse --abbrev-ref HEAD) --json number --jq '.[].number' | cat
13404 |
|
Alternatively we should skip the convenience and just accept a PR number as an argument. |
|
|
|
I don't trust $ gh pr status --repo=coder/coder --json headRefName,number
{"createdBy":[{"headRefName":"dk/fix-preview","number":13404},{"headRefName":"dk/verify-agent","number":13280}],"needsReview":[]}I think the script should just accept a PR as input. WDYT? |
|
@dannykopping I think as the branch is actually not on the |
Not so for me: $ gh pr status --json headRefName,number --jq '.currentBranch' | cat
|
|
$ ./scripts/deploy-pr.sh -d -n -y
dry run
branchName: dk/verify-agent
prNumber: 13280
experiments:
build: false
deploy: true
$ git co dk/fix-preview
Switched to branch 'dk/fix-preview'
$ ./scripts/deploy-pr.sh -d -n -y
dry run
branchName: dk/fix-preview
prNumber: 13404
experiments:
build: false
deploy: true |
Signed-off-by: Danny Kopping <danny@coder.com>
|
@dannykopping OK lets use |
$ ./scripts/deploy-pr.sh -d
Are you sure you want to deploy? (y/n) y
branchName: dk/fix-preview
prNumber: 13404
experiments:
build: false
deploy: true
could not create workflow dispatch event: HTTP 422: No ref found for: dk/fix-preview (https://api.github.com/repos/coder/coder/actions/workflows/60960476/dispatches)Same issue as before (not that I expected this to be fixed with this change, but worth noting). |
|
It works fine now in dry run. Can you try deploying from the fork for real? So that we can test if all secrets are accessible, too. |
Same issue for me. Can not deploy. |
|
I think we need to allow running this workflow on forks in repo settings. |
I think this is actually a good thing.
I think we'll have to close this PR. If the my branch from #13280 was not present in |
Yes we do have the protection to check for membership but that check is part of the same workflow so not safe at all. |
I maintain a fork of coder at
dannykopping/coder.When a branch exists in a fork only, the current preview deployment scripts break.
This PR modifies the script & action to reference the
coder/coderrepo explicitly for the PR.I also changed to
pr statusbecausepr viewdoes not work with--repo.