From acafc0fd93fee6d913656c740809e39b27c1c5d9 Mon Sep 17 00:00:00 2001
From: Joey Parrish
Date: Thu, 17 Jun 2021 13:36:56 -0700
Subject: [PATCH] Make CI workflows safe when testing in a fork

Testing CI workflows is a pain. This usually involves forking the main repo and testing various operations there, where the results will not break the main repo. However, some things like NPM and Docker package names were initially hard-coded. This meant that a fork would need to customize those in the workflows to avoid pushing official-looking packages during CI testing. This change moves those hard-coded names to GitHub Secrets. Though the names are not actually secret, the secret store is per-repo, and will be independent in a fork. This makes it easier to avoid accidentally pushing official-looking releases during testing, even if the fork has access to the same auth tokens.

Change-Id: Ide8f7aa92a028dd217200fca60881333bf8ae579
---
 .github/workflows/README.md | 6 ++++++
 .github/workflows/docker_hub_release.yaml | 2 +-
 .github/workflows/npm_release.yaml | 7 +++++--
 npm/package.json | 2 +-
 npm/prepublish.js | 11 ++++++++---
 5 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index 73b50263df..acae72f827 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -33,10 +33,16 @@
 - `DOCKERHUB_CI_USERNAME`: The username of the Docker Hub CI account
 - `DOCKERHUB_CI_TOKEN`: An access token for Docker Hub
 - To generate, visit https://hub.docker.com/settings/security
+ - `DOCKERHUB_PACKAGE_NAME`: Not a true "secret", but stored here to avoid
+ someone pushing bogus packages to Docker Hub during CI testing from a fork
+ - In a fork, set to a private name which differs from the production one
 - `NPM_CI_TOKEN`: An "Automation"-type access token for NPM for the `shaka-bot` account
 - To generate, visit https://www.npmjs.com/settings/shaka-bot/tokens and select the "Automation" type
+ - `NPM_PACKAGE_NAME`: Not a true "secret", but stored here to avoid someone
+ pushing bogus packages to NPM during CI testing from a fork
+ - In a fork, set to a private name which differs from the production one
 - `SHAKA_BOT_TOKEN`: A GitHub personal access token for the `shaka-bot` account, with `workflow` scope
 - To generate, visit https://github.com/settings/tokens/new and select the
diff --git a/.github/workflows/docker_hub_release.yaml b/.github/workflows/docker_hub_release.yaml
index ef6f9cc7fe..4a2b1130a3 100644
--- a/.github/workflows/docker_hub_release.yaml
+++ b/.github/workflows/docker_hub_release.yaml
@@ -44,4 +44,4 @@ jobs:
 with:
 push: true
 context: src/
- tags: google/shaka-packager:latest,google/shaka-packager:${{ env.TARGET_REF }}
+ tags: ${{ secrets.DOCKERHUB_PACKAGE_NAME }}:latest,${{ secrets.DOCKERHUB_PACKAGE_NAME }}:${{ env.TARGET_REF }}
diff --git a/.github/workflows/npm_release.yaml b/.github/workflows/npm_release.yaml
index d08d7e27d5..9c9d2591fd 100644
--- a/.github/workflows/npm_release.yaml
+++ b/.github/workflows/npm_release.yaml
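Review bot: The new `tags:` line expands to `:latest,:<ref>` whenever `DOCKERHUB_PACKAGE_NAME` is not set in the repository, which is exactly the state of a fresh fork the commit message describes, so the push fails with a tag-parse error from the action rather than a message naming the missing secret. An explicit check step before the build keeps the fail-closed behaviour but makes the cause obvious; the value is handed over through `env:` rather than interpolated into the script so the secret never becomes part of the shell text. Be aware as well that GitHub masks every secret's value in job logs, so the package name, which the README hunk itself says is not really secret, will be redacted from `docker push` output and any other log line that happens to contain it; that debugging cost is worth a sentence in the README entry. The `with:` block belongs to a step whose `name:`/`uses:` lines lie outside the hunk.
```yaml
      - name: Check package name
        env:
          PACKAGE_NAME: ${{ secrets.DOCKERHUB_PACKAGE_NAME }}
        run: |
          if [ -z "$PACKAGE_NAME" ]; then
            echo "DOCKERHUB_PACKAGE_NAME secret is not set; refusing to push" >&2
            exit 1
          fi
      # … unchanged: build-and-push step with the new tags: line …
```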
@@ -38,10 +38,12 @@ jobs:
 with:
 node-version: 10
- - name: Set package version
+ - name: Set package name and version
 run: |
 cd src/npm
- npm version ${{ env.TARGET_REF }}
+ sed package.json -i \
+ -e 's/"name": ""/"name": "${{ secrets.NPM_PACKAGE_NAME }}"/' \
+ -e 's/"version": ""/"version": "${{ env.TARGET_REF }}"/'
 - name: Publish NPM package
 uses: JS-DevTools/npm-publish@v1
@@ -49,3 +51,4 @@ jobs:
 token: ${{ secrets.NPM_CI_TOKEN }}
 package: src/npm/package.json
 check-version: false
+ access: public
diff --git a/npm/package.json b/npm/package.json
index 8dcb0742b2..b8a90332b6 100644
--- a/npm/package.json
+++ b/npm/package.json
@@ -1,5 +1,5 @@
 {
- "name": "shaka-packager",
+ "name": "",
 "description": "A media packaging tool and SDK.",
 "version": "",
 "homepage": "https://github.com/google/shaka-packager",
diff --git a/npm/prepublish.js b/npm/prepublish.js
index c6608d6bac..fdafc5fff0 100755
--- a/npm/prepublish.js
+++ b/npm/prepublish.js
@@ -16,8 +16,13 @@ var commandNames = {
 var package = require(path.resolve(__dirname, 'package.json'));
 console.log('Preparing Shaka Packager v' + package.version);
+// Calculate the repo name. In GitHub Actions context, this will pull binaries
+// correctly from a fork. When run by hand, it will default to the official
+// repo.
+var repo = process.env.GITHUB_REPOSITORY || 'google/shaka-packager';
+
 // For fetching binaries from GitHub:
-var urlBase = 'https://github.com/google/shaka-packager/releases/download/v' +
+var urlBase = 'https://github.com/' + repo + '/releases/download/v' +
 package.version + '/';
 // For spawning curl subprocesses:
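Review bot: The `sed` substitution in the new "Set package name and version" step breaks for any package name containing `/`, `&` or `\`, and a scoped name such as `@myuser/shaka-packager` is precisely what a fork would choose as the "private name" the README in this same commit asks for; the slash terminates the `s/.../.../` expression and the step dies with an unterminated-command error. The same lines also interpolate `${{ secrets.NPM_PACKAGE_NAME }}` and `${{ env.TARGET_REF }}` directly into a `run:` script, the script-injection pattern GitHub documents as unsafe; where `TARGET_REF` originates is outside this hunk, so whether it can be attacker-influenced cannot be judged here, but passing the values through the environment removes the question either way. Compared with the `npm version` call it replaces, `sed` also performs no semver validation and silently leaves `"name": ""` in place if the placeholder is not found. Editing package.json with a few lines of node that read both values from the environment (`TARGET_REF` is already in the env context, so it should be visible to the process as `$TARGET_REF`) addresses all three; the enclosing `steps:` list and job begin outside the hunk.
```yaml
      - name: Set package name and version
        env:
          PACKAGE_NAME: ${{ secrets.NPM_PACKAGE_NAME }}
        run: |
          cd src/npm
          node -e '
            const fs = require("fs");
            const pkg = JSON.parse(fs.readFileSync("package.json", "utf8"));
            if (!process.env.PACKAGE_NAME) throw new Error("NPM_PACKAGE_NAME secret is not set");
            pkg.name = process.env.PACKAGE_NAME;
            pkg.version = process.env.TARGET_REF;
            fs.writeFileSync("package.json", JSON.stringify(pkg, null, 2) + "\n");
          '
      # … unchanged: Publish NPM package step …
```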
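Review bot: `access: public` applies equally to the fork test publishes this commit is about, so a scoped private-name package published from a fork becomes publicly visible on the registry rather than a private scoped package, while for unscoped names the line is a no-op because those are public by default. If the intent is only to let the official release use a scoped name, a comment such as `# Needed for scoped names; unscoped packages are public by default` would spare the next reader from guessing, and the README entry for `NPM_PACKAGE_NAME` should warn that a fork's test package will be public under whatever name is chosen. The step header of this `with:` block lies outside the hunk.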
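Review bot: `repo` is spliced into the binary download URL with no check on its shape, and `process.env.GITHUB_REPOSITORY` is consulted even when the script is run by hand, so a stray value of that variable in a developer's shell silently redirects the executable fetches (and, further down, the LICENSE/README fetches) to another repository; the new comment's claim that a manual run "will default to the official repo" is only true when the variable is unset or empty. A one-line shape check right after the assignment, `if (!/^[\w.-]+\/[\w.-]+$/.test(repo)) throw new Error('Unexpected GITHUB_REPOSITORY value: ' + repo);`, constrains the value to `owner/name` so it cannot carry extra path segments or query characters into the URL, and the comment should say `// Falls back to the official repo only when GITHUB_REPOSITORY is unset or empty.`. That the downloaded binaries are not checksum-verified predates this change, but it is what makes the source repository a security-relevant input here.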
@@ -49,11 +54,11 @@ for (var platform in commandNames) {
 // Fetch LICENSE and README files from the same tag, and include them in the
 // package.
-var licenseUrl = 'https://raw.githubusercontent.com/google/shaka-packager/' +
+var licenseUrl = 'https://raw.githubusercontent.com/' + repo + '/' +
 'v' + package.version + '/LICENSE';
 download(licenseUrl, 'LICENSE');
-var readmeUrl = 'https://raw.githubusercontent.com/google/shaka-packager/' +
+var readmeUrl = 'https://raw.githubusercontent.com/' + repo + '/' +
 'v' + package.version + '/README.md';
 download(readmeUrl, 'README.md');
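Review bot: The raw.githubusercontent.com prefix, `repo`, and `'v' + package.version + '/'` are now spelled out twice in this hunk, once per file, which is the same duplication that let these two URLs drift from `urlBase` before this change. A single `var rawBase = 'https://raw.githubusercontent.com/' + repo + '/v' + package.version + '/';` followed by `download(rawBase + 'LICENSE', 'LICENSE');` and `download(rawBase + 'README.md', 'README.md');` leaves one place to touch if the host or tag format moves. `repo` is declared in the earlier hunk, so any validation of its shape belongs there and then covers these two URLs as well.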