Make CI workflows safe when testing in a fork
Testing CI workflows is a pain. This usually involves forking the main repo and testing various operations there, where the results will not break the main repo. However, some things like NPM and Docker package names were initially hard-coded. This meant that a fork would need to customize those in the workflows to avoid pushing official-looking packages during CI testing. This change moves those hard-coded names to GitHub Secrets. Though the names are not actually secret, the secret store is per-repo, and will be independent in a fork. This makes it easier to avoid accidentally pushing official-looking releases during testing, even if the fork has access to the same auth tokens. Change-Id: Ide8f7aa92a028dd217200fca60881333bf8ae579
parent
a2e07a901e
commit
acafc0fd93
|
@ -33,10 +33,16 @@
|
||||||
- `DOCKERHUB_CI_USERNAME`: The username of the Docker Hub CI account
|
- `DOCKERHUB_CI_USERNAME`: The username of the Docker Hub CI account
|
||||||
- `DOCKERHUB_CI_TOKEN`: An access token for Docker Hub
|
- `DOCKERHUB_CI_TOKEN`: An access token for Docker Hub
|
||||||
- To generate, visit https://hub.docker.com/settings/security
|
- To generate, visit https://hub.docker.com/settings/security
|
||||||
|
- `DOCKERHUB_PACKAGE_NAME`: Not a true "secret", but stored here to avoid
|
||||||
|
someone pushing bogus packages to Docker Hub during CI testing from a fork
|
||||||
|
- In a fork, set to a private name which differs from the production one
|
||||||
- `NPM_CI_TOKEN`: An "Automation"-type access token for NPM for the `shaka-bot`
|
- `NPM_CI_TOKEN`: An "Automation"-type access token for NPM for the `shaka-bot`
|
||||||
account
|
account
|
||||||
- To generate, visit https://www.npmjs.com/settings/shaka-bot/tokens and
|
- To generate, visit https://www.npmjs.com/settings/shaka-bot/tokens and
|
||||||
select the "Automation" type
|
select the "Automation" type
|
||||||
|
- `NPM_PACKAGE_NAME`: Not a true "secret", but stored here to avoid someone
|
||||||
|
pushing bogus packages to NPM during CI testing from a fork
|
||||||
|
- In a fork, set to a private name which differs from the production one
|
||||||
- `SHAKA_BOT_TOKEN`: A GitHub personal access token for the `shaka-bot`
|
- `SHAKA_BOT_TOKEN`: A GitHub personal access token for the `shaka-bot`
|
||||||
account, with `workflow` scope
|
account, with `workflow` scope
|
||||||
- To generate, visit https://github.com/settings/tokens/new and select the
|
- To generate, visit https://github.com/settings/tokens/new and select the
|
||||||
|
|
|
@ -44,4 +44,4 @@ jobs:
|
||||||
with:
|
with:
|
||||||
push: true
|
push: true
|
||||||
context: src/
|
context: src/
|
||||||
tags: google/shaka-packager:latest,google/shaka-packager:${{ env.TARGET_REF }}
|
tags: ${{ secrets.DOCKERHUB_PACKAGE_NAME }}:latest,${{ secrets.DOCKERHUB_PACKAGE_NAME }}:${{ env.TARGET_REF }}
|
||||||
|
|
|
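Review bot: Nothing checks that `DOCKERHUB_PACKAGE_NAME` is set before `tags:` is expanded, so in a fork that has not defined the secret the expression becomes an empty string and the tag list is `:latest,:<ref>`, which can only fail later inside the push step. A short preceding step that maps the secret into `env:` and runs `test -n "$DOCKERHUB_PACKAGE_NAME"` would fail early with a clear cause. Because the name is stored as a secret, GitHub also masks it in job logs, so a run's log will not show which Docker Hub repository it pushed to; that is worth stating next to the secret's description. The step this `with:` block belongs to starts outside the hunk.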
@ -38,10 +38,12 @@ jobs:
|
||||||
with:
|
with:
|
||||||
node-version: 10
|
node-version: 10
|
||||||
|
|
||||||
- name: Set package version
|
- name: Set package name and version
|
||||||
run: |
|
run: |
|
||||||
cd src/npm
|
cd src/npm
|
||||||
npm version ${{ env.TARGET_REF }}
|
sed package.json -i \
|
||||||
|
-e 's/"name": ""/"name": "${{ secrets.NPM_PACKAGE_NAME }}"/' \
|
||||||
|
-e 's/"version": ""/"version": "${{ env.TARGET_REF }}"/'
|
||||||
|
|
||||||
- name: Publish NPM package
|
- name: Publish NPM package
|
||||||
uses: JS-DevTools/npm-publish@v1
|
uses: JS-DevTools/npm-publish@v1
|
||||||
|
@ -49,3 +51,4 @@ jobs:
|
||||||
token: ${{ secrets.NPM_CI_TOKEN }}
|
token: ${{ secrets.NPM_CI_TOKEN }}
|
||||||
package: src/npm/package.json
|
package: src/npm/package.json
|
||||||
check-version: false
|
check-version: false
|
||||||
|
access: public
|
||||||
|
|
|
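Review bot: The new `sed` expressions in the "Set package name and version" step use `/` as the delimiter and splice `${{ secrets.NPM_PACKAGE_NAME }}` and `${{ env.TARGET_REF }}` straight into the script text, so a scoped name such as `@owner/shaka-packager` (a natural choice in a fork) ends the `s/…/…/` expression early and the step breaks. Expression values are substituted before the shell runs, so a quote or shell metacharacter in either value is interpreted by the shell as well; passing the secret through `env:` and referencing shell variables avoids that. sed also exits successfully when a pattern does not match, so a follow-up check that `package.json` no longer contains `"name": ""` would catch a silent no-op before the publish step. The sketch below keeps sed but changes the delimiter and the way the values reach it.

```yaml
      - name: Set package name and version
        env:
          NPM_PACKAGE_NAME: ${{ secrets.NPM_PACKAGE_NAME }}
        run: |
          # … unchanged: cd src/npm …
          # '|' as the delimiter so a scoped name containing '/' is accepted;
          # TARGET_REF is already exported through the workflow env.
          sed package.json -i \
            -e "s|\"name\": \"\"|\"name\": \"$NPM_PACKAGE_NAME\"|" \
            -e "s|\"version\": \"\"|\"version\": \"$TARGET_REF\"|"
```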
@ -1,5 +1,5 @@
|
||||||
{
|
{
|
||||||
"name": "shaka-packager",
|
"name": "",
|
||||||
"description": "A media packaging tool and SDK.",
|
"description": "A media packaging tool and SDK.",
|
||||||
"version": "",
|
"version": "",
|
||||||
"homepage": "https://github.com/google/shaka-packager",
|
"homepage": "https://github.com/google/shaka-packager",
|
||||||
|
|
|
@ -16,8 +16,13 @@ var commandNames = {
|
||||||
var package = require(path.resolve(__dirname, 'package.json'));
|
var package = require(path.resolve(__dirname, 'package.json'));
|
||||||
console.log('Preparing Shaka Packager v' + package.version);
|
console.log('Preparing Shaka Packager v' + package.version);
|
||||||
|
|
||||||
|
// Calculate the repo name. In GitHub Actions context, this will pull binaries
|
||||||
|
// correctly from a fork. When run by hand, it will default to the official
|
||||||
|
// repo.
|
||||||
|
var repo = process.env.GITHUB_REPOSITORY || 'google/shaka-packager';
|
||||||
|
|
||||||
// For fetching binaries from GitHub:
|
// For fetching binaries from GitHub:
|
||||||
var urlBase = 'https://github.com/google/shaka-packager/releases/download/v' +
|
var urlBase = 'https://github.com/' + repo + '/releases/download/v' +
|
||||||
package.version + '/';
|
package.version + '/';
|
||||||
|
|
||||||
// For spawning curl subprocesses:
|
// For spawning curl subprocesses:
|
||||||
|
@ -49,11 +54,11 @@ for (var platform in commandNames) {
|
||||||
|
|
||||||
// Fetch LICENSE and README files from the same tag, and include them in the
|
// Fetch LICENSE and README files from the same tag, and include them in the
|
||||||
// package.
|
// package.
|
||||||
var licenseUrl = 'https://raw.githubusercontent.com/google/shaka-packager/' +
|
var licenseUrl = 'https://raw.githubusercontent.com/' + repo + '/' +
|
||||||
'v' + package.version + '/LICENSE';
|
'v' + package.version + '/LICENSE';
|
||||||
download(licenseUrl, 'LICENSE');
|
download(licenseUrl, 'LICENSE');
|
||||||
|
|
||||||
var readmeUrl = 'https://raw.githubusercontent.com/google/shaka-packager/' +
|
var readmeUrl = 'https://raw.githubusercontent.com/' + repo + '/' +
|
||||||
'v' + package.version + '/README.md';
|
'v' + package.version + '/README.md';
|
||||||
download(readmeUrl, 'README.md');
|
download(readmeUrl, 'README.md');
|
||||||
|
|
||||||
|
|
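Review bot: `repo` is read from `GITHUB_REPOSITORY` while the package name now comes from a separate secret, so nothing in this script ties the published name to the repository whose release binaries get bundled. If a fork's `NPM_PACKAGE_NAME` were ever set to the production name, a package called `shaka-packager` would ship binaries downloaded from the fork's releases. A guard right after the `repo` assignment would make that case fail closed: `if (package.name == 'shaka-packager' && repo != 'google/shaka-packager') { throw new Error('Refusing to build the official package from ' + repo); }`. Logging `repo` next to the existing version message would also leave a record in the CI log of where the binaries, LICENSE and README came from.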