Trigger docs build on folder changes #7360
This should trigger a build on decidim/documentation.
b7e7f2b to 0501ef5
.github/workflows/on_docs_update.yml
| - name: Send dispatch for trigger_build workflow | ||
| run: | | ||
| curl --request POST \ | ||
| --user "decidim-bot:${{ secrets.DOCKER_WORKFLOW_PAT }}" \ |
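Review bot: The --user line expands ${{ secrets.DOCKER_WORKFLOW_PAT }} straight into the run: script text; pass the token through the step's env: and reference it as a quoted shell variable instead, so the secret is never templated into the script. The secret name refers to the Docker workflow while this step sends the dispatch for the docs build, so a dedicated secret for this purpose would let the two tokens be rotated and revoked independently. The visible curl lines show no --fail option; without it curl exits 0 on a 4xx response and the step passes even when the dispatch is rejected.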
@oliverbarnes hi! I'm trying to trigger a workflow from this repo to decidim/documentation, but I suspect I'm sending something wrong. Especially in this line, should I create a new PAT for the decidim-bot user? Can you give me some help with that?
Thanks!
Sorry, I missed the notification for this message somehow :/ That's right, decidim-bot needs a PAT saved as a secret (DOCS_GEN_WORKFLOW perhaps?) on decidim/documentation. And it also needs to have access to the repo - I've gone ahead and given it just now.
I don't have decidim-bot's credentials in order to generate its PAT, though. @andreslucena does.
BTW, Andrés - I think you might have created the original DOCKER_WORKFLOW_PAT under your own user, since decidim-bot doesn't have access to decidim/docker, and the workflow dispatch still works with it 🤔 😄
> decidim-bot needs a PAT saved as a secret

I've created it and sent it privately to @mrcasals

> on decidim/documentation.

PATs belong to the user AFAIK

> I've gone ahead and given it just now.

I've removed it and added it to the group it belongs to (developers), as it's easier to manage groups vs users (at least for me) --- maybe with decidim-bot, as it's special, it'd be better to have it configured on the repositories that it needs access to?

> BTW, Andrés - I think you might have created the original DOCKER_WORKFLOW_PAT under your own user, since decidim-bot doesn't have access to decidim/docker, and the workflow dispatch still works with it 🤔 😄

PAT belongs to the user settings account https://github.com/settings/tokens - in the decidim-bot account we have these:
- Documentation generator action
- Crowdin Decidim.org
- Container Registry
- Docker Workflow
- Crowdin
decidim-bot belongs to developers group: https://github.com/orgs/decidim/teams/developers/members
developers group has read access to docker repository: https://github.com/orgs/decidim/teams/developers/repositories
I think with read access should work in this case also, as I'm seeing that with that:
> Can read and clone this repository. Can also open and comment on issues and pull requests.

Maybe it doesn't need read access and just the PAT is enough, as we're always working with public repositories, but I'm not sure.
Yes, Personal Access Token belongs to a user :) and that user needs to have access to the repo for a secret created with their PAT to work. If decidim-bot is now part of a group with global access to the Decidim repos, its PAT should work wherever it's added as a secret now. Agree it makes more sense to manage it in a group. Not sure that should be developers or maintainers though - I think it needs more than read access.
My asking about whether you created the PAT under your own personal account came from not seeing decidim-bot inside any of the decidim/docker groups or users, but still the DOCKER_WORKFLOW_PAT seemed to be working there. Only way I could see for that to be the case would be for it to have been created under your own user.
> I think it needs more than read access

You're right!! I thought that read access was enough but there was an error saying that it needs admin rights... So we're back to where we were (with decidim-bot with admin rights in the repo 😅)

> My asking about whether you created the PAT under your own personal account came from not seeing decidim-bot inside any of the decidim/docker groups or users, but still the DOCKER_WORKFLOW_PAT seemed to be working there. Only way I could see for that to be the case would be for it to have been created under your own user.

Yes, that's weird actually.... I think it could be because packages permissions aren't in the repository, only in the organization or something like that: the PAT has permissions to write: packages but we don't configure this rule of allowing the package <-> repository write and publish to this user/group anywhere 🤷🏽
Ahh, that could be. The registry is indeed its own thing at the org level
.github/workflows/on_docs_update.yml
| trigger_docker_build: | ||
| name: Trigger decidim/documentation build | ||
| runs-on: ubuntu-latest | ||
| if: "github.ref == 'refs/heads/chore/trigger-docs-build'" |
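Review bot: The job id trigger_docker_build does not match the job's purpose (its name is "Trigger decidim/documentation build"); rename the id to something like trigger_docs_build so run logs and check names are not misleading. The if: condition is also pinned to refs/heads/chore/trigger-docs-build, this PR's own branch, so the job would not run on the branch the workflow is meant for; replace the ref with the intended branch before merging.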
Change this before merging!
@oliverbarnes I keep getting this message: Any idea what's going on? @andreslucena says @decidim-bot is an admin in the documentation repo :(
I do see it with admin rights there 🤔 I'm wondering if the PAT has enough permissions - does it have the same permissions as the PAT for DOCKER_WORKFLOW_PAT, @andreslucena? I suggest giving @mrcasals access to decidim-bot creds, since he's a maintainer, so he can tweak its PATs permissions. It'll be a lot quicker this way
Looking at the builds just now, the dispatch seems to be sent successfully? https://github.com/decidim/decidim/actions/workflows/on_docs_update.yml
@oliverbarnes nope, the logs say otherwise: Also, there's no new commit in the master branch of the documentation repo!
My bad, didn't expand the log entry nor check for a new commit. It'd be better if the step would fail in these cases, though. I'm off today and tomorrow morning, but will look into how to make it exit in this scenario when I'm back
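The failure mode raised in this thread (the step reporting success although the dispatch was rejected) can be closed by checking the HTTP status explicitly. The function below is an added example, not the workflow code from this PR; the repository_dispatch endpoint, the event type argument and the DISPATCH_PAT variable name are assumptions.

```shell
# Added example (not the workflow from this PR). Assumptions: the
# repository_dispatch endpoint, the event type passed by the caller, and a
# DISPATCH_PAT environment variable holding decidim-bot's token.

send_dispatch() {
  sd_repo="$1"    # target repository, e.g. decidim/documentation
  sd_event="$2"   # hypothetical event type the target workflow listens for

  if [ -z "${DISPATCH_PAT:-}" ]; then
    echo "DISPATCH_PAT is not set" >&2
    return 2
  fi

  sd_body="$(mktemp)"
  # --write-out prints only the HTTP status; the response body goes to a
  # file so it can be shown when the API rejects the request.
  sd_status="$(curl --silent --show-error --request POST \
    --user "decidim-bot:${DISPATCH_PAT}" \
    --header "Accept: application/vnd.github+json" \
    --data "{\"event_type\":\"${sd_event}\"}" \
    --output "$sd_body" \
    --write-out '%{http_code}' \
    "https://api.github.com/repos/${sd_repo}/dispatches")" || sd_status="000"

  sd_rc=0
  # GitHub answers an accepted dispatch with 204 No Content.
  if [ "$sd_status" != "204" ]; then
    echo "dispatch to ${sd_repo} rejected: HTTP ${sd_status}" >&2
    cat "$sd_body" >&2
    sd_rc=1
  fi
  rm -f "$sd_body"
  return "$sd_rc"
}
```

In a workflow step, DISPATCH_PAT would be set under the step's env: from the repository secret, and a non-zero return from send_dispatch fails the step with the API's error message in the log.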
I've reviewed it... You were right as usual 😉 - It didn't have the permissions, I've fixed that
I sent them to @mrcasals so I'm not a bottleneck for these tries
@andreslucena @oliverbarnes it looks like after the latest changes, the workflow is working fine! Here's the commit that was created after the workflow triggered by the commit 0092e09 in this branch: Yay!!
🎉 awesome! And next time we need to set up a workflow like this, it should be easier
* develop: (25 commits)
  Add css selectors to emails to improve design customization (#7493)
  Only share tokens if component exists (#7499)
  Fix record encryptor hash values JSON parsing for legacy unencrypted hash values (#7494)
  Fix NULL error with weight field in assemblies & processes (#7486)
  Fix proposals to budget import (#7449)
  Fix cost display on proposals (#7450)
  Fix #7487 - Invalid signature on message decryption (#7488)
  New Crowdin updates (#7482)
  Move specs file to correct folder (#7476)
  Improve changelog generator (#7475)
  New Crowdin updates (#7472)
  Prepare 0.25-dev version (#7473)
  New Crowdin updates (#7470)
  New Crowdin updates (#7468)
  Feature proposal infinite edit time (#7406)
  New Crowdin updates (#7457)
  Trigger docs build on folder changes (#7360)
  Add changelog generator based on PR data (#7461)
  Add Votings to Open Data export (#7388)
  Add order in not highlighted assemblies by weight (#7444)
  ...


🎩 What? Why?
This PR adds a workflow to trigger a build on https://github.com/decidim/documentation/ every time there are changes in the docs folder here. This should only be triggered in the main branch.
The workflow was successfully triggered by 0092e09, which created decidim/documentation@3e11e45 on the documentation repo.
📌 Related Issues
decidim/documentation#43
Testing
Nothing.