Make CI workflows safe when testing in a fork

Testing CI workflows is a pain.  This usually involves forking the
main repo and testing various operations there, where the results will
not break the main repo.

However, some things like NPM and Docker package names were initially
hard-coded.  This meant that a fork would need to customize those in
the workflows to avoid pushing official-looking packages during CI
testing.

This change moves those hard-coded names to GitHub Secrets.  Though
the names are not actually secret, the secret store is per-repo, and
will be independent in a fork.  This makes it easier to avoid
accidentally pushing official-looking releases during testing, even if
the fork has access to the same auth tokens.

Change-Id: Ide8f7aa92a028dd217200fca60881333bf8ae579
Joey Parrish 2021-06-17 13:36:56 -07:00
parent a2e07a901e
commit acafc0fd93
5 changed files with 21 additions and 7 deletions


@ -33,10 +33,16 @@
- `DOCKERHUB_CI_USERNAME`: The username of the Docker Hub CI account
- `DOCKERHUB_CI_TOKEN`: An access token for Docker Hub
- To generate, visit https://hub.docker.com/settings/security
- `DOCKERHUB_PACKAGE_NAME`: Not a true "secret", but stored here to avoid
someone pushing bogus packages to Docker Hub during CI testing from a fork
- In a fork, set to a private name which differs from the production one
- `NPM_CI_TOKEN`: An "Automation"-type access token for NPM for the `shaka-bot`
account
- To generate, visit https://www.npmjs.com/settings/shaka-bot/tokens and
select the "Automation" type
- `NPM_PACKAGE_NAME`: Not a true "secret", but stored here to avoid someone
pushing bogus packages to NPM during CI testing from a fork
- In a fork, set to a private name which differs from the production one
- `SHAKA_BOT_TOKEN`: A GitHub personal access token for the `shaka-bot`
account, with `workflow` scope
- To generate, visit https://github.com/settings/tokens/new and select the


@ -44,4 +44,4 @@ jobs:
with:
push: true
context: src/
tags: google/shaka-packager:latest,google/shaka-packager:${{ env.TARGET_REF }}
tags: ${{ secrets.DOCKERHUB_PACKAGE_NAME }}:latest,${{ secrets.DOCKERHUB_PACKAGE_NAME }}:${{ env.TARGET_REF }}
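Review bot: When `DOCKERHUB_PACKAGE_NAME` is not set (a freshly created fork, or a typo in the secret name), the `tags` input on the last line expands to `:latest,:<ref>` and the build-push step fails on an invalid tag rather than on the real cause. The behaviour is fail-closed, which is what this change wants, but an explicit check just before this step makes the failure self-explanatory: `- run: test -n "$DOCKERHUB_PACKAGE_NAME" || { echo "DOCKERHUB_PACKAGE_NAME secret is not set"; exit 1; }` with `env: { DOCKERHUB_PACKAGE_NAME: "${{ secrets.DOCKERHUB_PACKAGE_NAME }}" }` on that step, so the value is passed through the environment instead of being expanded into the script text. The same applies to `NPM_PACKAGE_NAME` in the NPM workflow.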


@ -38,10 +38,12 @@ jobs:
with:
node-version: 10
- name: Set package version
- name: Set package name and version
run: |
cd src/npm
npm version ${{ env.TARGET_REF }}
sed package.json -i \
-e 's/"name": ""/"name": "${{ secrets.NPM_PACKAGE_NAME }}"/' \
-e 's/"version": ""/"version": "${{ env.TARGET_REF }}"/'
- name: Publish NPM package
uses: JS-DevTools/npm-publish@v1
@ -49,3 +51,4 @@ jobs:
token: ${{ secrets.NPM_CI_TOKEN }}
package: src/npm/package.json
check-version: false
access: public
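Review bot: The `sed` expression in the "Set package name and version" step breaks for any scoped package name, because `/` is the `s` command delimiter and a scoped name such as `@org/pkg` — exactly the kind of private name a fork would choose — contains one, so the step fails with "unknown option to s". Both `${{ secrets.NPM_PACKAGE_NAME }}` and `${{ env.TARGET_REF }}` are also expanded into the shell script text before it runs, so any shell or sed metacharacters in them become part of the command; passing them through `env:` and referencing shell variables avoids that. `sed` is also silent when the literal `"name": ""` is not found (for example after package.json is reformatted), and with `check-version: false` the publish would then proceed with an empty name, so a `grep -q` after the substitution that fails the step is worth adding. If `TARGET_REF` is already set via `env:` or `GITHUB_ENV` it is available to the shell as `$TARGET_REF` without a further mapping.
```yaml
- name: Set package name and version
  env:
    NPM_PACKAGE_NAME: ${{ secrets.NPM_PACKAGE_NAME }}
  run: |
    cd src/npm
    sed package.json -i \
      -e "s|\"name\": \"\"|\"name\": \"$NPM_PACKAGE_NAME\"|" \
      -e "s|\"version\": \"\"|\"version\": \"$TARGET_REF\"|"
    grep -q "\"name\": \"$NPM_PACKAGE_NAME\"" package.json
# … unchanged: Publish NPM package step …
```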


@ -1,5 +1,5 @@
{
"name": "shaka-packager",
"name": "",
"description": "A media packaging tool and SDK.",
"version": "",
"homepage": "https://github.com/google/shaka-packager",


@ -16,8 +16,13 @@ var commandNames = {
var package = require(path.resolve(__dirname, 'package.json'));
console.log('Preparing Shaka Packager v' + package.version);
// Calculate the repo name. In GitHub Actions context, this will pull binaries
// correctly from a fork. When run by hand, it will default to the official
// repo.
var repo = process.env.GITHUB_REPOSITORY || 'google/shaka-packager';
// For fetching binaries from GitHub:
var urlBase = 'https://github.com/google/shaka-packager/releases/download/v' +
var urlBase = 'https://github.com/' + repo + '/releases/download/v' +
package.version + '/';
// For spawning curl subprocesses:
@ -49,11 +54,11 @@ for (var platform in commandNames) {
// Fetch LICENSE and README files from the same tag, and include them in the
// package.
var licenseUrl = 'https://raw.githubusercontent.com/google/shaka-packager/' +
var licenseUrl = 'https://raw.githubusercontent.com/' + repo + '/' +
'v' + package.version + '/LICENSE';
download(licenseUrl, 'LICENSE');
var readmeUrl = 'https://raw.githubusercontent.com/google/shaka-packager/' +
var readmeUrl = 'https://raw.githubusercontent.com/' + repo + '/' +
'v' + package.version + '/README.md';
download(readmeUrl, 'README.md');
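Review bot: In the first hunk, `repo` is taken from `process.env.GITHUB_REPOSITORY` and spliced unvalidated into the three URLs that the curl subprocesses fetch (the `urlBase`, `licenseUrl` and `readmeUrl` lines); inside GitHub Actions the runner sets that variable to `owner/name`, but the comment above it says the script is also run by hand, where the variable is whatever the shell happens to carry. A one-line format check right after the assignment keeps a malformed or path-like value from silently changing where binaries are fetched from: `if (!/^[\w.-]+\/[\w.-]+$/.test(repo)) throw new Error('Unexpected GITHUB_REPOSITORY value: ' + repo);`. It is also worth a comment on the `var repo` line that, by design, a fork now publishes binaries built from its own releases rather than the official ones, since nothing downstream verifies their provenance.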